UBUNTU: SAUCE: overlayfs: handle idmapped mounts in ovl_do_(set|remove)xattr

BugLink: http://bugs.launchpad.net/bugs/2009065

We have to use the ovl_upper_mnt_userns(ofs) helper to get the proper user namespace
for the idmapped layer. Otherwise we'll get -EPERM.

Right now, overlayfs on top of an idmapped layer is always mounted as read-only.
This is a serious blocker for LXD/LXC unprivileged container users who run
Docker containers inside.

Reproducer:
$ cd /idmapped/mount/path
$ mkdir {work,upper,lower,ovl}
$ mount -t overlay overlay -o lowerdir=lower,upperdir=upper,workdir=work ovl
$ touch ovl/test
touch: cannot touch 'ovl/test': Read-only file system

Error from dmesg:
overlayfs: failed to create directory work/work (errno: 1); mounting read-only

Reproducible on all Ubuntu kernels with the base >= 5.19

Fixes: eea996a46f ("UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs")
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
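As an added example, not part of the commit or of the Ubuntu kernel tree, the following POSIX shell script turns the failure symptom from the reproducer above into a check an operator can run after a kernel update: it looks for the `mounting read-only` fallback message in kernel log text and for overlay mounts that declare an upperdir yet carry the `ro` option, and reports when both are present. The dmesg excerpt and /proc/mounts lines it uses are constructed sample data; on a live system the two arguments would be `$(dmesg)` and `$(cat /proc/mounts)`.

```shell
#!/bin/sh
# Added example, not part of the commit: detect the overlayfs read-only
# fallback that the commit message describes, from saved kernel log text
# and /proc/mounts text. All input below is constructed sample data.

# Constructed dmesg excerpt; the first line mirrors the message quoted
# in the commit, the second is unrelated noise.
SAMPLE_DMESG='[   12.345678] overlayfs: failed to create directory work/work (errno: 1); mounting read-only
[   12.345690] random: crng init done'

# Constructed /proc/mounts lines: a normal rw root plus the overlay from
# the reproducer, which the kernel has silently mounted ro.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
overlay /idmapped/mount/path/ovl overlay ro,relatime,lowerdir=lower,upperdir=upper,workdir=work 0 0'

# Print the errno from the first "failed to create directory ... mounting
# read-only" line in $1; print nothing when the fallback did not happen.
ovl_workdir_fallback_errno() {
    printf '%s\n' "$1" |
        sed -n 's/.*overlayfs: failed to create directory .*(errno: \([0-9]*\)); mounting read-only.*/\1/p' |
        head -n 1
}

# Print the mount point of every overlay in $1 that has an upperdir (so
# it was meant to be writable) but carries the ro option.
ovl_ro_with_upper() {
    printf '%s\n' "$1" |
        awk '$3 == "overlay" && index("," $4 ",", ",ro,") > 0 && index($4, "upperdir=") > 0 { print $2 }'
}

# Return 0 when the combination described in the commit is present:
# an overlay with an upperdir mounted ro and a workdir creation failure
# in the log. Callers can act on the exit status.
ovl_idmapped_ro_regression() {
    errno=$(ovl_workdir_fallback_errno "$1")
    mounts=$(ovl_ro_with_upper "$2")
    [ -n "$errno" ] && [ -n "$mounts" ]
}

# Usage on a live system would be:
#   ovl_idmapped_ro_regression "$(dmesg)" "$(cat /proc/mounts)"
if ovl_idmapped_ro_regression "$SAMPLE_DMESG" "$SAMPLE_MOUNTS"; then
    echo "overlay fell back to read-only (errno $(ovl_workdir_fallback_errno "$SAMPLE_DMESG")):"
    ovl_ro_with_upper "$SAMPLE_MOUNTS"
else
    echo "no read-only overlay fallback detected"
fi
```

The two signals are checked separately on purpose: an overlay mounted `ro` by request is legitimate, and the dmesg line alone can be stale from a previous boot, so only the combination is treated as the regression the commit fixes.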
Alexander Mikhalitsyn authored and Andrea Righi committed Mar 9, 2023
1 parent 842af3e commit 520b471
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions fs/overlayfs/overlayfs.h
@@ -255,7 +255,7 @@ static inline int ovl_do_setxattr(struct ovl_fs *ofs, struct dentry *dentry,
int err;

inode_lock(inode);
err = __vfs_setxattr_noperm(&init_user_ns, dentry, name, value, size, flags);
err = __vfs_setxattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name, value, size, flags);
inode_unlock(inode);

pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, %d) = %i\n",
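Review bot: the commit message attributes the failure to -EPERM, yet the call site in this hunk is the `_noperm` variant, which the Fixes-tagged commit introduced precisely to skip permission checking for trusted.overlayfs.* xattrs; the message should say where the EPERM actually originates when `&init_user_ns` is passed for an idmapped upper mount, so a future reader does not conclude the `_noperm` helper itself is at fault. Since `ofs` is already a parameter of `ovl_do_setxattr` (hunk header), the substitution needs no signature change, but it is worth grepping fs/overlayfs/ for other `&init_user_ns` arguments to vfs xattr helpers while this fix is being applied.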
@@ -277,7 +277,7 @@ static inline int ovl_do_removexattr(struct ovl_fs *ofs, struct dentry *dentry,
int err;

inode_lock(inode);
err = __vfs_removexattr_noperm(&init_user_ns, dentry, name);
err = __vfs_removexattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name);
inode_unlock(inode);

pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err);
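Review bot: the reproducer in the commit message only exercises the setxattr path (the dmesg line reports the failure to create work/work), so nothing on this page shows the removexattr change being tested; please state in the message how the removexattr path was verified on an idmapped upper layer, or add a step to the reproducer that triggers it. The `pr_debug` kept in context here still prints dentry, name and err, which is enough to confirm the call now returns 0 under that test.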
