[release/1.6] fix: check for tmpfs when evaluating if userxattr should be used

snapshots/overlay/overlayutils/check.go

@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"syscall"
 
 	kernel "github.com/containerd/containerd/contrib/seccomp/kernelversion"
 	"github.com/containerd/containerd/log"
@@ -31,6 +32,11 @@ import (
 	"github.com/containerd/continuity/fs"
 )
 
+const (
+	// see https://man7.org/linux/man-pages/man2/statfs.2.html
+	tmpfsMagic = 0x01021994
+)
+
 // SupportsMultipleLowerDir checks if the system supports multiple lowerdirs,
 // which is required for the overlay snapshotter. On 4.x kernels, multiple lowerdirs
 // are always available (so this check isn't needed), and backported to RHEL and
@@ -88,6 +94,21 @@ func Supported(root string) error {
 	return SupportsMultipleLowerDir(root)
 }
 
+// IsPathOnTmpfs returns whether the path is on a tmpfs or not.
+//
+// It uses statfs to check if the fs type is TMPFS_MAGIC (0x01021994)
+// see https://man7.org/linux/man-pages/man2/statfs.2.html
+func IsPathOnTmpfs(d string) bool {
+	stat := syscall.Statfs_t{}
+	err := syscall.Statfs(d, &stat)
+	if err != nil {
+		log.L.WithError(err).Warnf("Could not retrieve statfs for %v", d)
+		return false
+	}
+
+	return stat.Type == tmpfsMagic
+}
+
 // NeedsUserXAttr returns whether overlayfs should be mounted with the "userxattr" mount option.
 //
 // The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.
@@ -114,6 +135,11 @@ func NeedsUserXAttr(d string) (bool, error) {
 		return false, nil
 	}
 
+	// userxattr not permitted on tmpfs https://man7.org/linux/man-pages/man5/tmpfs.5.html
+	if IsPathOnTmpfs(d) {
+		return false, nil
+	}
+
 	// Fast path on kernels >= 5.11
 	//
 	// Keep in mind that distro vendors might be going to backport the patch to older kernels