(In reply to Goldwyn Rodrigues from comment #4) > On second thoughts, this is a security risk. The handling for security_inode_copy_up_xattr is the same. > If ACL is not be copied, the access permissions will change over an > overlayfs mount. ACLs are handled separately AFAICT. The only reason system.nfs4_acl exists as xattr is to provide userspace with the extended information NFSv4 ACLs provide over POSIX ACLs. However, I'd say that this is a configuration issue by the system administrator - if the upper layer doesn't support a feature, it must not be relied on. I don't think there's a better way to handle this, but I'd like to be proven otherwise.