> As I wrote, this is one specific problem that I identified.
> If you propose a different behavior based on mount flag you should
> be able to argue that it cannot be exploited to circumvent security
> access policies, by peeking into cached copies of objects that the user
> has no access to, or by any other way.
> I have no idea how to implement what you want and prove that
> it is safe.
> Maybe if you explained the use case in greater detail with some
> examples someone could help you reach a possible solution.

I'm going to wake up this thread one last time to lay it to rest permanently.

We have now reimplemented our use of overlayfs to no longer need these patches. We will no longer be attempting to get this patch set accepted.

One issue - remount does not update the mounter credentials, either by default or via a flag. I was able to work around this, but it would have been much easier had I simply been able to remount with new credentials. (The specific use case is that we load sepolicy from a potentially overlaid partition, so the original mounter will always have the default kernel domain, which will not be suitable once sepolicy is enforced.)

Is this a design decision? Would a patch to set credentials during remount be of interest?

Thanks,
Paul