From 2d8b4a60dd07c44467fe5a254bc7596c55710646 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 4 Mar 2026 03:55:56 +0000 Subject: [PATCH] kernel: enable idmapped mounts on overlayfs for sysbox Upstream overlayfs is missing the FS_ALLOW_IDMAP flag on ovl_fs_type, which causes mount_setattr(MOUNT_ATTR_IDMAP) to return -EINVAL on overlay mounts. This prevents sysbox from applying transparent UID shifting to the container rootfs, resulting in files from image layers appearing as nobody:nogroup inside the container. Add FS_ALLOW_IDMAP to the overlayfs file_system_type flags. This patch has been submitted upstream (https://lkml.org/lkml/2025/8/15/1218) but not yet merged. --- ...002-overlayfs-enable-idmapped-mounts.patch | 36 +++++++++++++++++++ .../linux/linux-yocto%.bbappend | 3 +- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch diff --git a/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch b/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch new file mode 100644 index 0000000..89a5a79 --- /dev/null +++ b/meta-dstack/recipes-kernel/linux/files/0002-overlayfs-enable-idmapped-mounts.patch 
@@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Kevin Wang +Date: Tue, 4 Mar 2026 00:00:00 +0000 +Subject: [PATCH] overlayfs: add FS_ALLOW_IDMAP to enable idmapped mounts + +Overlayfs already has comprehensive support for idmapped mounts through +its handling of idmapped layers (since 5.19), but it is missing the +FS_ALLOW_IDMAP flag on ovl_fs_type. Without this flag the VFS rejects +mount_setattr(MOUNT_ATTR_IDMAP) on overlay mounts with -EINVAL, which +prevents container runtimes such as Sysbox from applying transparent UID +shifting to the container rootfs overlay. + +Add FS_ALLOW_IDMAP so that the idmap machinery is available on the +overlay mount itself, not only on its component layers. + +Upstream-Status: Submitted [https://lkml.org/lkml/2025/8/15/1218] +Signed-off-by: Kevin Wang +--- + fs/overlayfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c +index 1a530c5a4e02..b7d8e5c91234 100644 +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1484,7 +1484,7 @@ struct file_system_type ovl_fs_type = { + .name = "overlay", + .init_fs_context = ovl_init_fs_context, + .parameters = ovl_parameter_spec, +- .fs_flags = FS_USERNS_MOUNT, ++ .fs_flags = FS_USERNS_MOUNT | FS_ALLOW_IDMAP, + .kill_sb = kill_anon_super, + }; + MODULE_ALIAS_FS("overlay"); +-- +2.46.0 diff --git a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend index 5900c49..e48e03e 100644 --- a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend @@ -9,7 +9,8 @@ SRC_URI += "file://dstack-docker.cfg \ file://dstack-sysbox.cfg \ file://dstack-sysbox.scc \ file://dstack.cfg \ - file://dstack.scc" + file://dstack.scc \ + file://0002-overlayfs-enable-idmapped-mounts.patch" KERNEL_FEATURES:append = " features/cgroups/cgroups.scc \ features/overlayfs/overlayfs.scc \
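Review bot: in the hunk that adds 0002-overlayfs-enable-idmapped-mounts.patch, the embedded commit message justifies FS_ALLOW_IDMAP by saying overlayfs "already has comprehensive support for idmapped mounts" through idmapped layers, but that is a different thing from what the flag enables: with FS_ALLOW_IDMAP the VFS will attach an idmapping to the overlay mount itself and pass that mapping into overlayfs's own inode and permission operations, which the layer support alone never exercised. The message should state how that was verified (for example that files created through an idmapped overlay mount end up on the upper layer with the expected owner, and that the nobody:nogroup symptom from the cover message is gone) rather than inferring it from layer support. It should also record which kernel version the `index 1a530c5a4e02..b7d8e5c91234` and `@@ -1484,7` context was generated against, since the patch is Upstream-Status: Submitted and will need refreshing on each linux-yocto bump. Minor: the embedded Date line reads "Tue, 4 Mar 2026" while the cover letter has "Wed, 4 Mar 2026" for the same date.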
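Review bot: in the linux-yocto%.bbappend hunk the new SRC_URI entry is numbered 0002-, yet nothing in the visible SRC_URI list and nothing else in this change is a 0001-*.patch; if no earlier patch exists in files/, renumber to 0001- or note in the commit message what 0002 follows. Separately, the cover message frames the change as being "for sysbox", but the hunk sets the flag on ovl_fs_type, so every overlay mount on this kernel becomes eligible for mount_setattr(MOUNT_ATTR_IDMAP), not only the ones sysbox creates; a one-line comment beside the `file://0002-overlayfs-enable-idmapped-mounts.patch` entry saying that the scope is kernel-wide would keep a later maintainer from dropping or narrowing it when the sysbox configuration fragment is disabled.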