this was noted in issue 766275 by the reporter, but it looks like it was lost in the shuffle, so splitting out
to reproduce:
(1) create a symlink as a non-root user in a sticky dir (e.g. /tmp)
# sudo -u chronos ln -s / /tmp/foo
(2) try to deref that symlink as root and fail (good!)
# ls /tmp/foo/
ls: cannot access '/tmp/foo/': Permission denied
(3) try to deref that symlink further and pass (bad!)
# ls /tmp/foo/home/
chronos root user
issue 766275 was able to exploit this because the /tmp usage had two levels of predictable names, so they symlinked the top level name to a non-sticky dir they controlled.