Subject: replace chroot() with a chroot overlay file system?
To: None <tech-security@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 11/01/2005 19:49:59
I'm thinking out loud here, so I may easily be confused, but...

What if we replaced the chroot() system call by an overlay file
system, mounted over some subtree?  The advantage is that that file
system could be mounted read-only, nosuid, nodev, even noexec.
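The proposal's security benefit comes entirely from the mount flags, so the practical check a defender would want is whether a given chroot tree is actually mounted read-only, nosuid, nodev and noexec. The script below is an added example and not part of the original post or NetBSD; it parses mount(8)-style output in the NetBSD format ("DEVICE on MOUNTPOINT type FS (options)"), and the SAMPLE_MOUNTS lines, the `overlay` filesystem line and the /var/chroot/* paths are constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example: verify that a chroot-replacement overlay is mounted with the
# hardening flags named in the post (read-only, nosuid, nodev, noexec).
# SAMPLE_MOUNTS is constructed mount(8)-style output, not a live system.

SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /usr type ffs (nosuid, local)
overlay on /var/chroot/named type overlay (read-only, nosuid, nodev, noexec, local)
/dev/wd0f on /var/chroot/sshd type ffs (nodev, local)'

# Print the option list of a mount point, e.g. "read-only, nosuid, nodev, noexec, local".
# Field 3 of each line is the mount point; the options sit in the trailing parentheses.
mount_opts() {
    printf '%s\n' "$SAMPLE_MOUNTS" |
        awk -v mp="$1" '$3 == mp { sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print; exit }'
}

# Return 0 if the mount point carries every required option, 1 otherwise.
# A path that is not a mount point of its own also fails: the subtree would
# inherit its parent's (weaker) flags.
check_overlay_flags() {
    opts=$(mount_opts "$1")
    if [ -z "$opts" ]; then
        echo "$1: not a mount point" >&2
        return 1
    fi
    missing=""
    for want in read-only nosuid nodev noexec; do
        case ", $opts, " in
            *", $want, "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1: missing$missing" >&2
        return 1
    fi
    return 0
}

# Usage: audit each chroot tree in the sample.
for mp in /var/chroot/named /var/chroot/sshd; do
    if check_overlay_flags "$mp"; then
        echo "$mp: ok"
    fi
done
```

On a real host, replace the SAMPLE_MOUNTS here-string with the output of `mount` and run the check against each directory that a service is confined to; a subtree that is not its own mount point fails the check on purpose, because it cannot carry flags stricter than its parent's.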