[SRU][J][PATCH 2/2] UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non initial user namespace

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Tue Mar 31 18:26:02 UTC 2026


Also add a nouserxattr mount option for the cases where it is desirable to
mount without userxattr under such namespaces.

This allows cases where such xattrs are necessary for certain operations to
work out, instead of failing due to not being able to use the
trusted.overlay.* xattrs.

CVE-2023-2640
CVE-2023-32629
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
 fs/overlayfs/super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index e1c4449e30993..e21574191d8b4 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -388,6 +388,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry)
 		seq_puts(m, ",volatile");
 	if (ofs->config.userxattr)
 		seq_puts(m, ",userxattr");
+	else
+		seq_puts(m, ",nouserxattr");
 	return 0;
 }
 
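Review bot: The new `else` branch emits `,nouserxattr` for every overlay mount that does not have userxattr set, including mounts from the initial user namespace where that is already the default, so /proc/mounts and mountinfo output changes for existing configurations that never passed either option. Tooling that copies a mount's option string to re-create it on a kernel without this patch would then fail on the unknown token. Showing the option only where it departs from the namespace default keeps the output stable for untouched mounts: `else if (dentry->d_sb->s_user_ns != &init_user_ns)` / `seq_puts(m, ",nouserxattr");`. ovl_show_options starts before the hunk, so whether ofs is derived from dentry->d_sb there is not visible here.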
@@ -436,6 +438,7 @@ enum {
 	OPT_UUID_OFF,
 	OPT_NFS_EXPORT_ON,
 	OPT_USERXATTR,
+	OPT_NOUSERXATTR,
 	OPT_NFS_EXPORT_OFF,
 	OPT_XINO_ON,
 	OPT_XINO_OFF,
@@ -455,6 +458,7 @@ static const match_table_t ovl_tokens = {
 	{OPT_INDEX_ON,			"index=on"},
 	{OPT_INDEX_OFF,			"index=off"},
 	{OPT_USERXATTR,			"userxattr"},
+	{OPT_NOUSERXATTR,		"nouserxattr"},
 	{OPT_UUID_ON,			"uuid=on"},
 	{OPT_UUID_OFF,			"uuid=off"},
 	{OPT_NFS_EXPORT_ON,		"nfs_export=on"},
@@ -625,6 +629,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
 			config->userxattr = true;
 			break;
 
+		case OPT_NOUSERXATTR:
+			config->userxattr = false;
+			break;
+
 		default:
 			pr_err("unrecognized mount option \"%s\" or missing value\n",
 					p);
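Review bot: The `nouserxattr` token is accepted here and in the ovl_tokens hunk, but the diffstat lists only fs/overlayfs/super.c, so Documentation/filesystems/overlayfs.rst is not updated to describe the new option or the changed default for mounts from a non-initial user namespace. Since options are applied in order, `userxattr,nouserxattr` ends with userxattr off and the reverse ends with it on; that is consistent with how the other on/off pairs are handled but should be stated alongside the default in the documentation. A one-line comment on the case would also help future readers, e.g. `/* explicit opt-out of the non-init-userns userxattr default */`. ovl_parse_opt starts and ends outside the hunk.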
@@ -2009,6 +2017,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	ofs->config.nfs_export = ovl_nfs_export_def;
 	ofs->config.xino = ovl_xino_def();
 	ofs->config.metacopy = ovl_metacopy_def;
+	if (sb->s_user_ns != &init_user_ns)
+		ofs->config.userxattr = true;
 	err = ovl_parse_opt((char *) data, &ofs->config);
 	if (err)
 		goto out_err;
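Review bot: The per-namespace default is set before ovl_parse_opt() runs, so any checks later in ovl_parse_opt() that reject option combinations involving userxattr (the upstream parser, as far as I recall, refuses metacopy=on together with userxattr) would now fire for a non-init-userns mount that never asked for userxattr, and the resulting error would name an option the user did not pass; worth confirming in this tree and, if so, making the message mention the namespace default. The assignment itself deserves a why-comment tying it to the commit message, e.g. `/* Mounts from a non-initial userns cannot use trusted.overlay.* xattrs; default to userxattr (CVE-2023-2640, CVE-2023-32629), nouserxattr opts out. */`. ovl_fill_super starts and ends outside the hunk.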
-- 
2.51.0



