Giuseppe Scrivano discovered that overlayfs did not properly perform permission checking when copying up files in an overlayfs, and that this can be exploited from within a user namespace, for example where unprivileged user namespaces are allowed. An attacker can abuse this to get read access to files on the system that they would not normally be permitted to access.
Mitigation: on systems where unprivileged user namespaces are enabled but not needed, set the kernel.unprivileged_userns_clone sysctl to 0, e.g.:

$ sudo sysctl kernel.unprivileged_userns_clone=0

and make the setting persistent across reboots by adding a file in /etc/sysctl.d/ that contains:

kernel.unprivileged_userns_clone=0
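The following audit script is an added example, not part of the advisory: it checks that the mitigation above is both active at runtime and persisted in /etc/sysctl.d, and reports when the sysctl is absent (kernel.unprivileged_userns_clone exists only on kernels carrying the Debian/Ubuntu patch). The paths are parameters so the check can be run against a constructed tree; the defaults are the real system locations.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the userns hardening state.
# Defaults point at the live system; both paths can be overridden for testing.

# Runtime state: prints "disabled", "enabled" or "absent".
userns_runtime_state() {
  f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
  [ -r "$f" ] || { echo absent; return 0; }
  case "$(cat "$f")" in
    0) echo disabled ;;
    *) echo enabled ;;
  esac
}

# Persisted state: scan sysctl.d-style *.conf files in sorted order and keep
# the last assignment seen (later files and lines win, as with sysctl --system).
# Prints "persisted" (last value 0), "overridden" (non-zero) or "missing".
userns_persisted_state() {
  d="${1:-/etc/sysctl.d}"
  last=""
  for conf in "$d"/*.conf; do
    [ -f "$conf" ] || continue
    v=$(sed -n 's/^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$v" ] && last="$v"
  done
  case "$last" in
    "") echo missing ;;
    0)  echo persisted ;;
    *)  echo overridden ;;
  esac
}

# Combined verdict: "ok" only when disabled now AND persisted across reboots;
# otherwise report both states so the gap is visible.
userns_mitigation_check() {
  r=$(userns_runtime_state "$1")
  p=$(userns_persisted_state "$2")
  if [ "$r" = disabled ] && [ "$p" = persisted ]; then
    echo ok
  else
    echo "runtime=$r persisted=$p"
  fi
}

# Usage on the live system (requires read access to /proc/sys and /etc/sysctl.d):
#   userns_mitigation_check
```

A result of "runtime=disabled persisted=missing" means the sysctl was set by hand but will revert at the next boot, which is the case the advisory's /etc/sysctl.d file exists to prevent.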