What | Removed | Added |
---|---|---|
Attachment #766955 is obsolete | 1 |
Created attachment 767216
0001-ovl-Allow-copying-of-files-to-the-upper-layer-from-c.patch

(In reply to Neil Brown from comment #8)
> It is safe for overlayfs to ignore the system.nfs4_acl attribute (which is
> not empty btw). It is informational only.
> I would be a bit more comfortable with the patch if it was conditional on
> the attribute name starting "system."

Ok, I added that. Still works fine here.

> and/or if it was upstream.

That's what this bug report is about :-)

> There should be no security risk that - falling back on the mode bits for
> access checks should always be more restrictive (I hope).

Currently overlayfs has the following behaviour on NFSv4:

> listxattr foo
system.nfs4_acl
> touch foo
> listxattr foo
(empty)

That might be unexpected, but is essentially unavoidable. It would be possible (but the implementation wouldn't be pretty I guess) to never provide the nfs4_acl attr through overlayfs at all to avoid this inconsistency, at the expense of losing the information completely instead of making it volatile.