overlay writing user.* xattrs on symlinks

This was reported (and worked around) in https://github.com/project-stacker/stacker/pull/333.

The kernel does not allow user.* xattrs on a symlink. However, on 5.15.0-53-generic and 5.19.0-21-generic, but not on the ubuntu mainline build (6.1.0-060100rc5-generic), an unprivileged program can cause such xattrs to be created. Once they're there, userspace (i.e. setfattr) cannot remove them since the kernel says they can't exist - but listxattr shows them.

I've failed so far in setting up a simpler reproducer, so I'll begin by reporting the full reproducer. Download 'stacker' from https://github.com/project-stacker/stacker/releases/download/v0.22.1/stacker . Create a stacker.yaml config file:

cat > stacker.yaml << EOF
pxe-server-base:
    from:
        type: docker
        url: docker://ubuntu:jammy
    run: |
        apt-get update
        apt-get -y install dnsmasq systemd

sb-pxe-server:
    from:
        type: built
        tag: pxe-server-base
    run: |
      systemctl disable dnsmasq
EOF

and run 'stacker build'. It will end with:

Executing: /lib/systemd/systemd-sysv-install disable dnsmasq
Removed /etc/systemd/system/multi-user.target.wants/dnsmasq.service.
error: /home/ubuntu/build2/roots/sb-pxe-server/overlay/etc/rc2.d/K01dnsmasq: failed to remove attr user.overlay.origin: xattr.LRemove /home/ubuntu/build2/roots/sb-pxe-server/overlay/etc/rc2.d/K01dnsmasq user.overlay.origin: operation not permitted
error: exit status 1

You'll subsequently see that ./roots/sb-pxe-server/overlay/etc/rc2.d/K01dnsmasq is a symbolic link with user.overlay.origin xattr (per llistxatr), though you can't read the contents or delete it.

I had thought I should be able to reproduce it by mounting (in an unprivileged user+mountns) an overlayfs where the underlay has, say, "/etc/rc2.d/K" symlink, then rename K to S (as i assume the 'systemctl disable dnsmasq is doing), but that did not work for me.
---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu82.2
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: serge 3929 F.... pulseaudio
DistroRelease: Ubuntu 22.04
InstallationDate: Installed on 2022-02-25 (283 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
MachineType: LENOVO 20XXS3JC01
Package: linux (not installed)
ProcEnviron:
 TERM=st-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 5.15.0-56.62-generic 5.15.64
RelatedPackageVersions:
 linux-restricted-modules-5.15.0-56-generic N/A
 linux-backports-modules-5.15.0-56-generic N/A
 linux-firmware 20220329.git681281e4-0ubuntu3.7
Tags: jammy
Uname: Linux 5.15.0-56-generic x86_64
UpgradeStatus: Upgraded to jammy on 2022-03-16 (264 days ago)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
_MarkForUpload: True
dmi.bios.date: 04/08/2022
dmi.bios.release: 1.52
dmi.bios.vendor: LENOVO
dmi.bios.version: N32ET76W (1.52 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20XXS3JC01
dmi.board.vendor: LENOVO
dmi.board.version: SDK0J40697 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.32
dmi.modalias: dmi:bvnLENOVO:bvrN32ET76W(1.52):bd04/08/2022:br1.52:efr1.32:svnLENOVO:pn20XXS3JC01:pvrThinkPadX1CarbonGen9:rvnLENOVO:rn20XXS3JC01:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20XX_BU_Think_FM_ThinkPadX1CarbonGen9:
dmi.product.family: ThinkPad X1 Carbon Gen 9
dmi.product.name: 20XXS3JC01
dmi.product.sku: LENOVO_MT_20XX_BU_Think_FM_ThinkPad X1 Carbon Gen 9
dmi.product.version: ThinkPad X1 Carbon Gen 9
dmi.sys.vendor: LENOVO