
Bug#777649: cgmanager security update for jessie



Quoting Niels Thykier (niels@thykier.net):
> Ok, are we guaranteed that pcgpath ends with the path separator?  Consider:

No, in fact I think we're guaranteed it won't.

>   "/foo/bar"
>   "/foo/bar2/somewhere-else"
> 
> Unless the path separator is included in the end (i.e. it always uses
> "/foo/bar/" instead of "/foo/bar"), then it might still be possible to
> by-pass the prefix test.

Indeed it will, thanks!  I'm going to write a patch which commonizes
the checks and takes care of this case.  I'll get it into the next
release and send a patch for jessie tonight or tomorrow.

Note that ownership checks still apply, so the task in /foo/bar
could only affect /foo/bar2 if it owns /foo/bar2.  Or if it is
root, but root in a privileged container will be locked under
/lxc/$container.  So this should be less urgent than the larger
fix already addressed.
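
The prefix problem discussed in this message, shown as an added example that is not part of the original e-mail and is not cgmanager's code: a naive byte-prefix test next to a check that requires the match to end on a path component boundary. The function names are hypothetical and both paths are assumed to be already normalized.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not cgmanager's code. */

/* Naive test: true whenever `path` starts with the bytes of `dir`. */
static bool naive_is_under(const char *dir, const char *path)
{
    return strncmp(dir, path, strlen(dir)) == 0;
}

/*
 * Boundary-aware test: `path` is `dir` itself or lies below it only if the
 * prefix match is followed by '/' or by the end of the string.
 * Assumption: both paths are absolute and normalized (no "..", no "//").
 */
static bool is_same_or_under(const char *dir, const char *path)
{
    size_t n = strlen(dir);

    /* Ignore trailing separators so "/foo/bar/" and "/foo/bar" agree. */
    while (n > 1 && dir[n - 1] == '/')
        n--;
    if (strncmp(dir, path, n) != 0)
        return false;
    /* The root directory contains every absolute path. */
    if (n == 1 && dir[0] == '/')
        return true;
    return path[n] == '\0' || path[n] == '/';
}

int main(void)
{
    /* Constructed sample paths, based on the two paths quoted in the thread. */
    const char *dir = "/foo/bar";
    const char *paths[] = { "/foo/bar", "/foo/bar/child",
                            "/foo/bar2/somewhere-else" };

    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-26s naive=%d boundary=%d\n", paths[i],
               naive_is_under(dir, paths[i]),
               is_same_or_under(dir, paths[i]));
    return 0;
}
```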

