I'm using overlayFS to create a sort of simple experimental sandboxing.
I think I understand how it works:
- lower layer should be always mounted R/O
- upper layer is where all changes happen
- work layer is for transactional reasons
- target is where all merged lower + upper go
As example, I have a physical disk mounted on /disk2. Then I want to overlay to preserve the contents, so I can do something like:
mount("overlay", "/disk2", "overlay", MS_MGC_VAL, "lowerdir=/disk2,upperdir=./upper,workdir=./work");
This works just fine: when my new process tries to amend content under /disk2, then it will only amend in reality under upper: this is indeed working as intended. For example, I can also see the 0, 0 files to show that something is deleted in the upper but not in the lower.
Unfortunately looks like I can't somehow overlay on root /: if I execute the following code:
mount("overlay", "/", "overlay", MS_MGC_VAL, "lowerdir=/disk2,upperdir=./upper,workdir=./work")
I can still see the whole real / and when I write files, they get written in their real (i.e. lower) location, not in the upper one.
What am I doing wrong here?
I am on kernel 4.4.0-53.
According to what I've read I don't think it's possible to programmatically do this once the system is started.