Can you mount fs images in userns?

In a user namespace you are supposed to be able to do just about anything that only affects that namespace, including creating a 'root' account that gets used within that namespace

The kernel has been modified (hopefully completely) so that userids in a userns are always converted to their real userid before the kernel does permission checks for things that need root permission.

But the crypto module problem is actually unrelated to namespaces.

What's happening here is that the kernel defaults to trying to be helpful. In many cases, if you try to access some capability that could be a module, and that capability isn't part of the kernel already, it will try to be helpful and automatically load the needed module rather than returning an error.

In some cases, which module gets loaded can be specified by whatever is triggering the load. In the case of mount, it's the filesystem type that is used as the module name. In crypto it's the encryption type that's used as the module name.

When the mount problem was hit, it was something that could only be done by root, and mostly dismissed (because root could already load an arbitrary module, even arbitrary code). Then when it was found that it could be triggered by normal users inside a user namespace, a fix was put in place.

The crypto module loading can be triggered by any normal user just trying to use crypto the way it's supposed to be used. and then shortcuts in the busybox modprobe code made it even harder to patch around.

This sort of thing is why I like to avoid modular kernels on my servers and disable loading modules entirely (even though some top kernel developers have told me that my concerns are silly, and disabling module loading is meaningless because root can work around it)