> > It is something that is not at all easy to fix.
> >
> > In the example above, instead of checking permissions against the
> > overlay inode (on "incoming" readdir) will need to check permissions of every
> > accessing user against all layers, before allowing access to the merged
> > directory content (which is cached).
> > A lot more work - and this is just for this one example.
>
> I see your point. If we could implement that, behind a mount flag, would that be
> an acceptable solution?
>

As I wrote, this is one specific problem that I identified.
If you propose a different behavior based on a mount flag, you should be able to
argue that it cannot be exploited to circumvent security access policies, by
peeking into cached copies of objects that the user has no access to, or by any
other way.

I have no idea how to implement what you want and prove that it is safe.

Maybe if you explained the use case in greater detail with some examples,
someone could help you reach a possible solution.

Thanks,
Amir.