From 4a2f713b7c054d37dcab35f5a59235af29c6b2e4 Mon Sep 17 00:00:00 2001
From: Kevin Wang
Date: Wed, 4 Mar 2026 03:56:32 +0000
Subject: [PATCH] kernel: enable idmapped mounts on overlayfs for sysbox

Upstream overlayfs is missing the FS_ALLOW_IDMAP flag on ovl_fs_type, which causes mount_setattr(MOUNT_ATTR_IDMAP) to return -EINVAL on overlay mounts. This prevents sysbox from applying transparent UID shifting to the container rootfs, resulting in files from image layers appearing as nobody:nogroup inside containers. Add FS_ALLOW_IDMAP to the overlayfs file_system_type flags. Applied to linux-yocto bbappend and both linux-custom recipes (6.17.6, 6.18.7). Upstream patch: https://lkml.org/lkml/2025/8/15/1218
---
 ...002-overlayfs-enable-idmapped-mounts.patch | 36 +++++++++++++++++++
 .../linux/linux-custom_6.17.6.bb | 1 +
 .../linux/linux-custom_6.18.7.bb | 1 +
 .../linux/linux-yocto%.bbappend | 3 +-
 4 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch

diff --git a/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch b/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch
new file mode 100644
index 0000000..89a5a79
--- /dev/null
+++ b/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin Wang
+Date: Tue, 4 Mar 2026 00:00:00 +0000
+Subject: [PATCH] overlayfs: add FS_ALLOW_IDMAP to enable idmapped mounts
+
+Overlayfs already has comprehensive support for idmapped mounts through
+its handling of idmapped layers (since 5.19), but it is missing the
+FS_ALLOW_IDMAP flag on ovl_fs_type. Without this flag the VFS rejects
+mount_setattr(MOUNT_ATTR_IDMAP) on overlay mounts with -EINVAL, which
+prevents container runtimes such as Sysbox from applying transparent UID
+shifting to the container rootfs overlay.
+
+Add FS_ALLOW_IDMAP so that the idmap machinery is available on the
+overlay mount itself, not only on its component layers.
+
+Upstream-Status: Submitted [https://lkml.org/lkml/2025/8/15/1218]
+Signed-off-by: Kevin Wang
+---
+ fs/overlayfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 1a530c5a4e02..b7d8e5c91234 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1484,7 +1484,7 @@ struct file_system_type ovl_fs_type = {
+ .name = "overlay",
+ .init_fs_context = ovl_init_fs_context,
+ .parameters = ovl_parameter_spec,
+- .fs_flags = FS_USERNS_MOUNT,
++ .fs_flags = FS_USERNS_MOUNT | FS_ALLOW_IDMAP,
+ .kill_sb = kill_anon_super,
+ };
+ MODULE_ALIAS_FS("overlay");
+--
+2.46.0
diff --git a/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb b/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb
index 200982d..4d5e93c 100644
--- a/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb
+++ b/meta-dstack/recipes-kernel/linux/linux-custom_6.17.6.bb
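Review bot: Adding FS_ALLOW_IDMAP on the `.fs_flags` line only lifts the VFS gate in mount_setattr(); it does not by itself make overlayfs apply the overlay mount's own idmap in its inode operations, and the embedded description asserts that support exists without pointing at where. Before carrying this out of tree, confirm that the getattr/setattr/permission/xattr paths in fs/overlayfs pass the overlay mount's `struct mnt_idmap` through rather than the nop idmap; if they do not, ownership could be reported or set through the wrong mapping, which matters because FS_USERNS_MOUNT already lets unprivileged user namespaces mount overlayfs and, presumably, now idmap it. The all-zero commit id, the `index 1a530c5a4e02..b7d8e5c91234` blob ids, the hunk header lacking the `static` that git would normally echo, and the `Tue, 4 Mar 2026` date (the outer commit correctly says Wednesday) suggest the patch was hand-written rather than exported from a kernel tree, so verify it applies without fuzz to 6.17.6 and 6.18.7 and that the `Upstream-Status: Submitted` link really is this change and has not been rejected. I would also add a functional test to the image: mount an overlay inside a user namespace, apply MOUNT_ATTR_IDMAP, and check that `stat` reports the shifted uid/gid and that a file written through the idmapped mount lands on the upper layer with the reverse-mapped owner.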
@@ -16,6 +16,7 @@ DEPENDS += "libyaml-native openssl-native util-linux-native elfutils-native"
 SRC_URI = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${PV}.tar.xz;downloadfilename=linux-${PV}.tar.xz \
 file://defconfig \
 file://0001-x86-tdx-select-dma-direct-remap.patch \
+ file://0002-overlayfs-enable-idmapped-mounts.patch \
 "
 SRC_URI[sha256sum] = "8ecfbc6b693448abb46144a8d04d1e1631639c7661c1088425a2e5406f13c69c"
diff --git a/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb b/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb
index 96c0f7a..645151f 100644
--- a/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb
+++ b/meta-dstack/recipes-kernel/linux/linux-custom_6.18.7.bb
@@ -16,6 +16,7 @@ DEPENDS += "libyaml-native openssl-native util-linux-native elfutils-native"
 SRC_URI = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${PV}.tar.xz;downloadfilename=linux-${PV}.tar.xz \
 file://defconfig \
 file://0001-x86-tdx-select-dma-direct-remap.patch \
+ file://0002-overlayfs-enable-idmapped-mounts.patch \
 "
 SRC_URI[sha256sum] = "b726a4d15cf9ae06219b56d87820776e34d89fbc137e55fb54a9b9c3015b8f1e"
diff --git a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
index 5900c49..e48e03e 100644
--- a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
@@ -9,7 +9,8 @@ SRC_URI += "file://dstack-docker.cfg \
 file://dstack-sysbox.cfg \
 file://dstack-sysbox.scc \
 file://dstack.cfg \
- file://dstack.scc"
+ file://dstack.scc \
+ file://0002-overlayfs-enable-idmapped-mounts.patch"
 KERNEL_FEATURES:append = " features/cgroups/cgroups.scc \
 features/overlayfs/overlayfs.scc \
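Review bot: The `linux-yocto%.bbappend` hunk applies the same out-of-tree patch to whichever linux-yocto version the wildcard resolves to, while the linux-custom recipes pin 6.17.6 and 6.18.7; as soon as any of these kernels carries FS_ALLOW_IDMAP on ovl_fs_type (for instance if the upstream submission lands), do_patch will fail with a rejected hunk and no explanation. A one-line comment next to each new SRC_URI entry, e.g. `# drop once ovl_fs_type carries FS_ALLOW_IDMAP upstream (tested on 6.17.6 and 6.18.7)`, would make that failure mode obvious. Since these kernels appear to target TDX guests (the sibling `0001-x86-tdx-…` patch) and the change presumably widens what unprivileged user-namespace mounts can do, it is also worth a sentence in the recipe or commit on why that is acceptable for the images built here and not only convenient for sysbox.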