Comment 17 for bug 1531747

Does it require the workdir to be empty?

I.e. is there a way (symlink, bind mount, something else) that a user could use a dir they own which has a child which they don't own?

It looks like no, since

root@w1:/tmp# mount -t overlay -o lowerdir=lower,upperdir=upper,workdir=workdir overlay /mnt
root@w1:/tmp# ls /mnt
cisco
root@w1:/tmp# rmdir /mnt/cisco
rmdir: failed to remove ‘/mnt/cisco’: Read-only file system
root@w1:/tmp# mv /mnt/cisco /mnt/c2
mv: cannot move ‘/mnt/cisco’ to ‘/mnt/c2’: Read-only file system

(here w1 is a unpriv container with /hostopt a bind mount of /opt on the host; cisco a directory both in host's /opt and in /tmp/lowerdir)