[$] A container-confinement breakout

by jake, from LWN.net (#4AG9N)

The recently announced container-confinement breakout for containers started with runc is interesting from a few different perspectives. For one, it affects more than just runc-based containers, as privileged LXC-based containers (and likely others) are also affected, though the LXC-based variety are harder to compromise than the runc ones. But it also, once again, shows that privileged containers are difficult, perhaps impossible, to create in a secure manner. Beyond that, it exploits some Linux kernel interfaces in novel ways, and the fixes use a perhaps lesser-known system call that was added to Linux less than five years back.
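The kernel interface and the system call alluded to above are, in the runc advisory for this breakout (CVE-2019-5736), /proc/self/exe and memfd_create(2): a process inside the container could obtain a file descriptor to the host's runc binary through the runc process that had joined the container, and then overwrite that binary on the host. runc's fix copies its own executable into an anonymous, sealed memfd (memfd_create was added in Linux 3.17) and re-executes from that copy before it enters the container, so the container only ever sees the in-memory clone. The following C program is an added example written for this page, not code from the article or from the runc project; it assumes a Linux host with memfd_create and file sealing, uses "runc" as the memfd name, and uses a hypothetical MEMFD_DEMO_CHILD environment variable to mark the re-executed child.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Fallbacks for older libc headers; the values are the kernel's ABI constants. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#endif
#ifndef F_SEAL_SEAL
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif

extern char **environ;

/* Copy the file at `path` (normally "/proc/self/exe") into an anonymous memfd
 * and seal it so that nobody, this process included, can modify or resize it.
 * Returns the sealed fd, or -1 with errno set. */
int clone_to_sealed_memfd(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;
    /* MFD_ALLOW_SEALING is mandatory here; without it F_ADD_SEALS fails with EPERM. */
    int mfd = (int)syscall(SYS_memfd_create, "runc", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) {
        close(src);
        return -1;
    }
    char buf[64 * 1024];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {          /* handle short writes */
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) { close(src); close(mfd); return -1; }
            off += w;
        }
    }
    close(src);
    if (n < 0) { close(mfd); return -1; }
    /* No shrinking, growing or writing from now on, and no removing these seals. */
    if (fcntl(mfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* 1 if the memfd carries F_SEAL_WRITE and a write attempt is refused with EPERM,
 * 0 if it is still writable, -1 on an unexpected error. */
int memfd_is_write_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return -1;
    if (!(seals & F_SEAL_WRITE))
        return 0;
    if (pwrite(fd, "X", 1, 0) == 1)
        return 0;                      /* sealed yet writable would be a kernel bug */
    return errno == EPERM ? 1 : -1;
}

/* 1 if the memfd has the same length as the file at `path`, 0 if not, -1 on error. */
int memfd_matches_source(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) < 0 || stat(path, &b) < 0)
        return -1;
    return a.st_size == b.st_size;
}

int main(int argc, char **argv)
{
    char link[PATH_MAX];
    if (getenv("MEMFD_DEMO_CHILD")) {
        /* After re-exec, /proc/self/exe names the memfd, not the on-disk binary. */
        ssize_t n = readlink("/proc/self/exe", link, sizeof link - 1);
        if (n < 0) return 1;
        link[n] = '\0';
        printf("child: /proc/self/exe -> %s\n", link);
        return 0;
    }
    int mfd = clone_to_sealed_memfd("/proc/self/exe");
    if (mfd < 0) { perror("clone_to_sealed_memfd"); return 1; }
    printf("sealed memfd %d: write_sealed=%d size_matches=%d\n", mfd,
           memfd_is_write_sealed(mfd), memfd_matches_source(mfd, "/proc/self/exe"));
    if (argc > 1 && strcmp(argv[1], "--reexec") == 0) {
        setenv("MEMFD_DEMO_CHILD", "1", 1);
        fexecve(mfd, argv, environ);   /* only returns on failure */
        perror("fexecve");
        return 1;
    }
    return 0;
}
```

Run with `--reexec` and the child reports that /proc/self/exe now resolves to a "/memfd:runc (deleted)" pseudo-path: any process in the container that follows that link reaches only the sealed copy, and the seals are what make the copy safe even though the descriptor itself was opened read-write. The price is a full copy of the binary in memory for every invocation, which is why MFD_CLOEXEC is set and the source descriptor is closed as soon as the copy is done.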
