ovl_rename2 seems okay. As before, the vfs does inode permission checks on the overlayfs inodes which results in checks on the upper and/or lower dir inodes as appropriate. These checks appear to be sufficient to imply permission to do everything ovl_rename2 does with elevated credentials. That said, ovl_rename2 does quite a bit of stuff with elevated creds, and that leaves me feeling a bit uncomfortable.
ovl_rename2 seems okay. As before, the vfs does inode permission checks on the overlayfs inodes which results in checks on the upper and/or lower dir inodes as appropriate. These checks appear to be sufficient to imply permission to do everything ovl_rename2 does with elevated credentials. That said, ovl_rename2 does quite a bit of stuff with elevated creds, and that leaves me feeling a bit uncomfortable.