User namespaces + overlayfs = root privileges
Posted Jan 13, 2016 21:55 UTC (Wed) by nybble41 (subscriber, #55106)
Parent article: User namespaces + overlayfs = root privileges
This actually seems to me like the normal and expected operation of a namespace: processes outside the namespace can see into it, but processes inside the namespace cannot see out. It wouldn't make sense, for example, for a process to be able to create a PID namespace to hide child processes from the original user. Running processes inside a namespace is about limiting those processes, not the ones outside the namespace. Of course, everything needs to be translated properly so that outside processes looking into a namespace see the correct user IDs and so forth.
As for the issue of tricking mount—or probably any number of other programs—into writing to an inherited file descriptor for a SUID file, wouldn't it make more sense to revoke the SUID bit when the file is first opened for write access by a non-root process, rather than waiting until data is actually written? The target program wouldn't even need to be SUID, if it can receive file descriptors from non-root processes some other way. Unix domain sockets (as used in DBUS) come to mind as a possible attack vector.
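The distinction the comment draws, between revoking the SUID bit when a file is opened for writing and revoking it only once data is written, can be observed directly. The following is an added example written for this page, not code from the commenter or from the kernel; it assumes a Linux host with a writable /tmp, and the function names and the /tmp path are the example's own. It creates a setuid file the caller owns, opens it through a descriptor standing in for the one a SUID helper would inherit, and reports whether S_ISUID survives after three operations: open for write with no write, open for write plus a one-byte write, and open with O_TRUNC. On current kernels the bit survives the first, is dropped on the second for any writer lacking CAP_FSETID (so a root writer keeps it), and is already dropped at open time in the third because truncation counts as a data change.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a regular file we own in /tmp and mark it setuid (mode 4755).
 * Setting S_ISUID on your own file needs no privilege; the kernel only
 * treats the bit specially on exec and on data-changing operations.
 * Returns 0 on success and fills `path`, -1 on any failure.
 * (/tmp and the name pattern are this example's assumptions.) */
static int make_suid_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/suid-demo-XXXXXX");
    int fd = mkstemp(path);               /* created 0600, opened O_RDWR */
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
    close(fd);
    if (rc < 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* 1 if `path` still carries S_ISUID, 0 if the kernel dropped it, -1 on error. */
static int has_suid(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Open a fresh setuid file with `flags`, optionally write one byte, close,
 * then report whether the setuid bit survived. The descriptor stands in for
 * the one a SUID helper such as mount would inherit from an unprivileged caller. */
static int probe(int flags, int do_write)
{
    char path[64];
    if (make_suid_file(path, sizeof path) < 0)
        return -1;
    int fd = open(path, flags);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    int ok = 1;
    if (do_write && write(fd, "x", 1) != 1)
        ok = 0;
    close(fd);
    int r = ok ? has_suid(path) : -1;
    unlink(path);
    return r;
}

/* Open for writing but write nothing: open() leaves the bit alone. */
int suid_after_open_only(void)  { return probe(O_WRONLY, 0); }

/* Open for writing and write one byte: a writer without CAP_FSETID loses
 * the bit at write time; a root writer (CAP_FSETID) keeps it. */
int suid_after_write(void)      { return probe(O_WRONLY, 1); }

/* O_TRUNC is a data change performed inside open(), so for this flag the
 * kernel already revokes at open time (again unless the caller has CAP_FSETID). */
int suid_after_open_trunc(void) { return probe(O_WRONLY | O_TRUNC, 0); }

int main(void)
{
    printf("euid=%d (root keeps the bit via CAP_FSETID)\n", (int)geteuid());
    printf("open(O_WRONLY), no write  : setuid=%d\n", suid_after_open_only());
    printf("open(O_WRONLY), write 1B  : setuid=%d\n", suid_after_write());
    printf("open(O_WRONLY|O_TRUNC)    : setuid=%d\n", suid_after_open_trunc());
    return 0;
}
```

Run it as an unprivileged user to see the 1/0/0 pattern; run it as root and all three report 1, which is the CAP_FSETID exemption rather than a difference in when the check happens. The first case is the window the comment is concerned with: a descriptor opened for write by an unprivileged process carries no record of that intent, so a privileged program handed that descriptor writes through it and only then does the bit go away.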