Comment # 6 on bug 1089349 from Goldwyn Rodrigues

(In reply to Fabian Vogt from comment #5)
> (In reply to Goldwyn Rodrigues from comment #4)
> > On second thoughts, this is a security risk.
> 
> The handling for security_inode_copy_up_xattr is the same.

Not quite. The security_inode_copy_up_xattr copies the labels which are used by
selinux to impose security restrictions. It just skips selinux (the only user)
specific xattr. 

> 
> > If ACL is not be copied, the access permissions will change over an
> > overlayfs mount.
> 
> ACLs are handled separately AFAICT. The only reason system.nfs4_acl exists
> as xattr is to provide userspace with the extended information NFSv4 ACLs
> provide over POSIX ACLs.
> 
> However, I'd say that this is a configuration issue by the system
> administrator - if the upper layer doesn't support a feature, it must not be
> relied on.
> 
> I don't think there's a better way to handle this, but I'd like to be proven
> otherwise.

There is already a discussion on this.
https://www.spinics.net/lists/linux-nfs/msg61045.html

Workaround is to use the exported FS without ACL.
Adding Neil for inputs on NFS4 client.

Neil: Can/Should empty nfs4_acls be suppressed?