Advisories for Go package github.com/sylabs/singularity/v4

2025

Singularity ineffectively applies SELinux / AppArmor LSM process labels

Native Mode (default)

Singularity's default native runtime allows users to apply restrictions to container processes using the AppArmor or SELinux Linux Security Modules (LSMs), via the --security selinux:<label> or --security apparmor:<profile> flags. LSM labels are written to the process or thread attr/exec file under /proc (/proc/self/attr/exec or /proc/thread-self/attr/exec). If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it …
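Added example, not Singularity's own code, showing the write-then-verify pattern a runtime that hands out LSM labels should follow: the label is written to the exec file of a /proc attr directory with O_NOFOLLOW and a regular-file check, and the label actually in force is then read back from current and compared against what was requested. The helper names and the attrDir parameter are this example's (in real use it is /proc/self/attr or /proc/thread-self/attr; it is a parameter so the logic can be exercised on a scratch directory). The label is assumed to be already in the LSM's wire format (a SELinux context string, or for AppArmor the "exec <profile>" form). The example does not reproduce the redirection the advisory refers to.

```go
// Added example (not Singularity's own code): write an LSM label to the
// "exec" attr file of a /proc attr directory without following symlinks,
// then verify that the label the kernel reports in "current" matches what
// was requested. attrDir is an assumption of this example; it is normally
// /proc/self/attr or /proc/thread-self/attr.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// parseAttr normalises what the kernel hands back from an attr file:
// SELinux terminates the value with a NUL, AppArmor with a newline.
func parseAttr(b []byte) string {
	return strings.TrimRight(string(b), "\x00\n")
}

// openAttrNoFollow opens an attr file for writing, refusing a symlink in the
// final path component (O_NOFOLLOW) and refusing anything that is not a
// regular file once opened.
func openAttrNoFollow(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	st, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if !st.Mode().IsRegular() {
		f.Close()
		return nil, fmt.Errorf("%s is not a regular file", path)
	}
	return f, nil
}

// applyExecLabel requests that the next execve() in this task run under
// label by writing it to <attrDir>/exec in a single write (attr files
// reject partial writes). Any failure is returned rather than ignored.
func applyExecLabel(attrDir, label string) error {
	f, err := openAttrNoFollow(filepath.Join(attrDir, "exec"))
	if err != nil {
		return err
	}
	defer f.Close()
	n, err := f.Write([]byte(label))
	if err != nil {
		return fmt.Errorf("write exec attr: %w", err)
	}
	if n != len(label) {
		return errors.New("short write to exec attr")
	}
	return nil
}

// verifyLabel reads <attrDir>/current and reports whether the label the LSM
// currently enforces on the task equals want. A caller that relies on the
// LSM for containment should treat false as a hard failure.
func verifyLabel(attrDir, want string) (bool, error) {
	b, err := os.ReadFile(filepath.Join(attrDir, "current"))
	if err != nil {
		return false, err
	}
	return parseAttr(b) == want, nil
}

func main() {
	// Illustrative only: report whether this process runs unconfined.
	ok, err := verifyLabel("/proc/self/attr", "unconfined")
	fmt.Println("label matches:", ok, "err:", err)
}
```

The readback is the check a user who relies on the --security flag actually wants: if current does not report the expected label after the exec write has taken effect, the restriction is not in force and the launch should abort rather than continue unconfined.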