Jail/Sandbox process on an overlay root and track changes

3 votes
1 answer
868 views
## What I am trying to achieve

I want to run a process as an unprivileged user, but all files that are changed by this process should only be changed in a shadow folder. Furthermore, I want to disable networking capabilities if needed.

## What I have already tried

- mount overlay with lowerdir / and upperdir /temp/fakeroot, unshare -rn, chroot /temp/overlay
  - Problems: requires root for mount, overlay ignores nested mounts (my home directory)
- unshare -rmn, mount overlay with lowerdir / and upperdir /temp/fakeroot
  - Problems: error while trying to mount because /tmp is a subfolder of /
- fuse-overlayfs, unshare -rn, chroot
  - Problems: works only on kernels > 5.16, nested mounts can be read but writing is not possible
  - Note: I would be ok with the kernel limitation, but the nested mounts make it not usable

## Alternatives that I know exist, but do not seem promising

- Overlayroot: needs to be mounted at startup and does not store change delta
- overlayroot-chroot: Based on above.
- mergefs for merging all file systems into one: can't see how this would be done
- using Docker: requires root, does not store change delta

Does anyone have an idea how to do that?
Asked by Raphael Jenni (151 rep)
Oct 21, 2022, 09:12 AM
Last activity: Oct 21, 2022, 02:28 PM
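The "change delta" the question wants to keep is exactly what an overlay upperdir records: every file the sandboxed process created or modified lands there, and every file it deleted from the read-only lowerdir is represented by a whiteout (a character device with major/minor 0/0). The script below is an added example, not code from the question or its answer; it walks an upperdir and classifies each entry as created, modified or deleted against a lowerdir, so the delta can be reviewed after the sandboxed run. The `overlay_delta` function name and the constructed sample tree under `mktemp -d` are this example's own. It reads the kernel overlayfs on-disk layout only; it does not inspect the extended attributes that mark opaque directories or metacopy files, and it assumes GNU `find` and `stat`.

```shell
#!/bin/sh
# Added example: summarise the change delta stored in an overlay upperdir.
#
# Overlayfs upperdir conventions used here:
#   - entry in UPPER that also exists in LOWER        -> modified
#   - entry in UPPER with no counterpart in LOWER     -> created
#   - character device 0/0 in UPPER (a "whiteout")    -> deleted from LOWER
# Directories themselves are skipped; only their contents are reported.
# Opaque-directory and metacopy xattrs are not examined.

overlay_delta() {
    upper=$1
    lower=$2
    find "$upper" -mindepth 1 -print | while IFS= read -r path; do
        rel=${path#"$upper"/}
        if [ -c "$path" ] && [ "$(stat -c '%t:%T' "$path")" = "0:0" ]; then
            printf 'deleted  %s\n' "$rel"
        elif [ -d "$path" ]; then
            continue
        elif [ -e "$lower/$rel" ]; then
            printf 'modified %s\n' "$rel"
        else
            printf 'created  %s\n' "$rel"
        fi
    done | sort
}

# Stand-alone demonstration on a constructed lower/upper pair (no mount needed).
demo_overlay_delta() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lower/etc" "$tmp/upper/etc" "$tmp/upper/home"
    echo "original" > "$tmp/lower/etc/hosts"   # exists in lower
    echo "changed"  > "$tmp/upper/etc/hosts"   # rewritten by the sandboxed process
    echo "notes"    > "$tmp/upper/home/notes.txt"  # created by the sandboxed process
    overlay_delta "$tmp/upper" "$tmp/lower"
    rm -rf "$tmp"
}

demo_overlay_delta
```

Whiteouts cannot be created without CAP_MKNOD, so the demonstration only shows the created and modified cases; on a real upperdir left behind by an overlay mount the `deleted` branch fires for each whiteout entry.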