by yrro 2398 days ago
Wouldn't you have the option of running the helper process within the mount namespace but not the process namespace of the container?

Regardless, openat2 looks like a much better solution. I hope it's backported to LTS distros so I can start relying on it before 2035...

That's an option, and actually what LXD does. It's better than just chrooting, though in the case of this vulnerability even if docker-tar entered the mount NS, the exploit will still work.
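The point both comments circle around is that a helper which opens paths on behalf of a container must resolve symlinks as the container sees them, not as the host does. The following is an added example, not code from the thread, LXD or Docker, showing the difference between plain openat(2) and openat2(2) with RESOLVE_IN_ROOT on a constructed layout: a "container root" directory containing a symlink whose absolute target points at a file outside that root. It assumes a Linux kernel of 5.6 or newer (openat2 returns ENOSYS otherwise) and defines its own copy of the open_how struct and flag values so it builds without <linux/openat2.h>; the helper names (open_in_root, demo_setup and friends) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Local copies of the openat2(2) ABI (values match the kernel's uapi headers)
 * so this compiles on systems whose libc headers predate the syscall. */
struct local_open_how {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};
#define LOCAL_RESOLVE_NO_MAGICLINKS 0x02ULL /* refuse /proc/.../fd style magic links */
#define LOCAL_RESOLVE_IN_ROOT       0x10ULL /* dirfd acts as "/" for absolute links and ".." */
#ifndef __NR_openat2
#define __NR_openat2 437 /* openat2 has the same number on every architecture */
#endif

/* Open `path` the way a process chroot'd into `rootfd` would see it, without
 * the kernel ever following a link out of that root. Returns an fd or -errno. */
static int open_in_root(int rootfd, const char *path)
{
    struct local_open_how how;
    memset(&how, 0, sizeof how);
    how.flags = O_RDONLY | O_CLOEXEC;
    how.resolve = LOCAL_RESOLVE_IN_ROOT | LOCAL_RESOLVE_NO_MAGICLINKS;
    long fd = syscall(__NR_openat2, rootfd, path, &how, sizeof how);
    return fd < 0 ? -errno : (int)fd;
}

/* Constructed layout: <root>/escape -> <outside>/secret.txt (absolute target). */
struct demo_env { char root[64]; char outside[64]; int rootfd; };

static int demo_setup(struct demo_env *e)
{
    strcpy(e->root, "/tmp/ctr-root-XXXXXX");
    strcpy(e->outside, "/tmp/host-XXXXXX");
    if (!mkdtemp(e->root) || !mkdtemp(e->outside)) return -errno;
    char secret[128], link[128];
    snprintf(secret, sizeof secret, "%s/secret.txt", e->outside);
    snprintf(link, sizeof link, "%s/escape", e->root);
    int fd = open(secret, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -errno;
    close(fd);
    if (symlink(secret, link) < 0) return -errno;
    e->rootfd = open(e->root, O_RDONLY | O_DIRECTORY);
    return e->rootfd < 0 ? -errno : 0;
}

static void demo_teardown(struct demo_env *e)
{
    char p[128];
    close(e->rootfd);
    snprintf(p, sizeof p, "%s/escape", e->root);        unlink(p); rmdir(e->root);
    snprintf(p, sizeof p, "%s/secret.txt", e->outside); unlink(p); rmdir(e->outside);
}

/* Plain openat() trusts the symlink and lands on the host file.
 * Returns 1 if the link was followed out of the root, 0 if not, -1 on setup error. */
int plain_openat_follows_escape(void)
{
    struct demo_env e;
    if (demo_setup(&e) < 0) return -1;
    int fd = openat(e.rootfd, "escape", O_RDONLY);
    int followed = fd >= 0;
    if (fd >= 0) close(fd);
    demo_teardown(&e);
    return followed;
}

/* openat2() with RESOLVE_IN_ROOT re-bases the absolute target under the root,
 * where no such file exists, so the open fails with ENOENT instead of escaping.
 * Returns 1 if blocked, 0 if the host file was opened, -1 if openat2 is unavailable. */
int openat2_blocks_escape(void)
{
    struct demo_env e;
    if (demo_setup(&e) < 0) return -1;
    int rc = open_in_root(e.rootfd, "escape");
    demo_teardown(&e);
    if (rc >= 0) { close(rc); return 0; }
    if (rc == -ENOSYS || rc == -EPERM) return -1; /* old kernel or seccomp-filtered */
    return rc == -ENOENT;
}

int main(void)
{
    printf("openat followed the symlink out of the root: %d\n", plain_openat_follows_escape());
    printf("openat2(RESOLVE_IN_ROOT) blocked the escape: %d\n", openat2_blocks_escape());
    return 0;
}
```

Entering the container's mount namespace changes which filesystem the helper sees, but not how the kernel resolves a symlink the container controls; RESOLVE_IN_ROOT fixes the resolution itself, which is why it is the more general answer. RESOLVE_BENEATH is the stricter alternative when absolute links should be rejected outright (EXDEV) rather than re-based.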