On Thu, Jan 26, 2023 at 07:26:49AM +0200, Amir Goldstein wrote:
> [spawning overlayfs sub-topic]
>
> On Wed, Jan 25, 2023 at 10:29 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> >
> > On Wed, Jan 25, 2023 at 10:23 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > >
> > > On Wed, Jan 25, 2023 at 9:45 PM Giuseppe Scrivano <gscrivan@xxxxxxxxxx> wrote:
> > > >
> > > > Amir Goldstein <amir73il@xxxxxxxxx> writes:
> > > >
> > > > >> >> I previously mentioned my wish of using it from a user namespace, the
> > > > >> >> goal seems more challenging with EROFS or any other block devices. I
>
> For those who are starting to read here, the context is userns mounting
> of overlayfs with a lower EROFS layer containing metacopy references to
> lower data blobs in another fs (a.k.a the composefs model).
>
> IMO, mounting a readonly image of whatever on-disk format
> is a very high risk for userns mount.
> A privileged mount helper that verifies and mounts the EROFS
> layer sounds like a more feasible solution.

Very much agreed. This filesystem specific userns mountable stuff where
filesystems with any kind of on-disk format guarantees the safety is not
something we should support.

I'm starting to think about how to make it possible for a privileged
process to delegate/allow a filesystem mount to an unprivileged one. The
policy belongs in userspace. Something which I've talked about before a
few years ago but now I actually have time to work on this.
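To make the "privileged mount helper" idea above concrete, here is an added C example; it is not code from this thread nor from the EROFS, overlayfs or composefs projects. The privileged side mounts a read-only EROFS image with the new mount API (fsopen/fsconfig/fsmount) and hands the resulting detached mount fd to an unprivileged peer over a Unix socket with SCM_RIGHTS; the peer, which in practice would have unshared its own user and mount namespace first, attaches it with move_mount(). The function names, the verify_image() policy hook (a stub that only accepts a regular file) and the one-fd-per-message convention are assumptions of this example. The mount path needs CAP_SYS_ADMIN and an EROFS-capable kernel; the delegation channel itself can be exercised unprivileged through fd_passing_selftest().

```c
// Added example (not from the thread): privileged helper mounts an EROFS
// image and delegates the detached mount fd to an unprivileged peer.
// verify_image() is the policy hook; mount_erofs_detached() needs root.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

/* The new mount API syscall numbers are the same on every architecture. */
#ifndef __NR_fsopen
#define __NR_move_mount 429
#define __NR_fsopen 430
#define __NR_fsconfig 431
#define __NR_fsmount 432
#endif
enum { FSOPEN_CLOEXEC = 1, FSCONFIG_SET_STRING = 1, FSCONFIG_CMD_CREATE = 6,
       FSMOUNT_CLOEXEC = 1, MOUNT_ATTR_RDONLY = 1, MOVE_MOUNT_F_EMPTY_PATH = 4 };

/* Pass one fd over a Unix socket with SCM_RIGHTS. Returns 0 or -1. */
static int send_fd(int sock, int fd)
{
    char byte = 'm';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one fd; anything but exactly one SCM_RIGHTS fd is rejected. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Policy hook for the privileged side (stub: only accepts a regular file). */
static int verify_image(const char *image)
{
    struct stat st;
    return stat(image, &st) == 0 && S_ISREG(st.st_mode) ? 0 : -1;
}
/* Privileged side: create the EROFS superblock, return a detached mount fd. */
static int mount_erofs_detached(const char *image)
{
    if (verify_image(image) < 0)
        return -1;
    int fsfd = (int)syscall(__NR_fsopen, "erofs", FSOPEN_CLOEXEC);
    if (fsfd < 0)
        return -1;
    if (syscall(__NR_fsconfig, fsfd, FSCONFIG_SET_STRING, "source", image, 0) < 0 ||
        syscall(__NR_fsconfig, fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0) {
        close(fsfd);
        return -1;
    }
    int mfd = (int)syscall(__NR_fsmount, fsfd, FSMOUNT_CLOEXEC, MOUNT_ATTR_RDONLY);
    close(fsfd);
    return mfd; /* not visible anywhere until move_mount()ed */
}
/* Unprivileged side: attach the received mount at target in its own mount ns. */
static int attach_mount(int mfd, const char *target)
{
    return (int)syscall(__NR_move_mount, mfd, "", AT_FDCWD, target, MOVE_MOUNT_F_EMPTY_PATH);
}
/* Unprivileged self-check of the channel: pass /dev/null across a socketpair
 * and confirm the peer ends up with the same open file (1 = ok, 0 = fail). */
static int fd_passing_selftest(void)
{
    int sv[2], fd, got, ok;
    struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    got = (fd >= 0 && send_fd(sv[0], fd) == 0) ? recv_fd(sv[1]) : -1;
    ok = got >= 0 && got != fd && fstat(fd, &a) == 0 && fstat(got, &b) == 0 &&
         a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    if (got >= 0) close(got);
    if (fd >= 0) close(fd);
    close(sv[0]); close(sv[1]);
    return ok;
}
```

Usage in a real helper would be: helper calls mount_erofs_detached() and send_fd() on one end of a socketpair or a connected AF_UNIX socket; the peer calls recv_fd() and attach_mount(). The point of the split is that the only code parsing the on-disk format runs in the kernel on behalf of a privileged process that has already applied its policy, while the unprivileged side never gets to choose the filesystem type or the image.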