Security Advisory: Privilege Escalations in Nix, Lix and Guix

I saw @jade post here: FOD sandbox bypass - HackMD
I think it did a good job of explaining it, but I was wondering if someone had an even more ELI5 explanation lol.

The CVE makes me think it’s even more trivial – just passing the FD to $out and writing it, but the example uses inotify and 2 FODs etc…
(or is it on account of the namespacing that it has to be between two FODs to leverage the bind-mount?)