diff --git a/src/devices/src/virtio/fs/linux/passthrough.rs b/src/devices/src/virtio/fs/linux/passthrough.rs
index 79a2e1285..b6ed2c66d 100644
--- a/src/devices/src/virtio/fs/linux/passthrough.rs
+++ b/src/devices/src/virtio/fs/linux/passthrough.rs
@@ -990,6 +990,18 @@ impl FileSystem for PassthroughFs {
 self.announce_submounts.store(true, Ordering::Relaxed);
 }
+ // Enable POSIX ACL support when the kernel is capable and xattrs are enabled.
+ // For a passthrough filesystem, the host kernel handles ACL semantics —
+ // we just forward the system.posix_acl_* xattrs.
+ // ALLOW_IDMAP requires POSIX_ACL on Linux 6.12+ (see containers/libkrun#568).
+ if self.cfg.xattr && capable.contains(FsOptions::POSIX_ACL) {
+ opts |= FsOptions::POSIX_ACL;
+
+ if capable.contains(FsOptions::ALLOW_IDMAP) {
+ opts |= FsOptions::ALLOW_IDMAP;
+ }
+ }
+
 Ok(opts)
 }
diff --git a/src/devices/src/virtio/fs/macos/passthrough.rs b/src/devices/src/virtio/fs/macos/passthrough.rs
index f1b712bee..de83fde43 100644
--- a/src/devices/src/virtio/fs/macos/passthrough.rs
+++ b/src/devices/src/virtio/fs/macos/passthrough.rs
@@ -1174,6 +1174,18 @@ impl FileSystem for PassthroughFs {
 self.announce_submounts.store(true, Ordering::Relaxed);
 }
+ // Enable POSIX ACL support when the kernel is capable and xattrs are enabled.
+ // For a passthrough filesystem, the host kernel handles ACL semantics —
+ // we just forward the system.posix_acl_* xattrs.
+ // ALLOW_IDMAP requires POSIX_ACL on Linux 6.12+ (see containers/libkrun#568).
+ if self.cfg.xattr && capable.contains(FsOptions::POSIX_ACL) {
+ opts |= FsOptions::POSIX_ACL;
+
+ if capable.contains(FsOptions::ALLOW_IDMAP) {
+ opts |= FsOptions::ALLOW_IDMAP;
+ }
+ }
+
 Ok(opts)
 }
diff --git a/src/devices/src/virtio/fs/server.rs b/src/devices/src/virtio/fs/server.rs
index a6b436a35..a98264a62 100644
--- a/src/devices/src/virtio/fs/server.rs
+++ b/src/devices/src/virtio/fs/server.rs
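Review bot: Advertising `FsOptions::POSIX_ACL` does more than forward xattrs: when the Linux FUSE client sees POSIX_ACL accepted in the init reply it also turns on default_permissions for the mount, so the guest kernel begins enforcing mode and ACL checks itself from the attributes this backend returns, which changes who decides access on passthrough files and belongs in the comment block (the macos hunk carries the identical comment). Separately, since ALLOW_IDMAP is now only offered inside the `self.cfg.xattr` gate, a configuration with xattrs disabled silently loses the idmapped-mount support that server.rs previously advertised unconditionally; if that is intended, state it, e.g. `// With xattr disabled neither POSIX_ACL nor ALLOW_IDMAP is offered, so idmapped mounts are unavailable.`. The enclosing init method starts before the hunk.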
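Review bot: The comment in the macos backend is copied verbatim from the Linux one and claims the host kernel handles ACL semantics, which does not hold on a macOS host: Darwin does not interpret `system.posix_acl_access` / `system.posix_acl_default`, so whatever this backend does with those names in its xattr path (store them opaquely, translate, or reject) is what defines the ACL behaviour the guest observes, and the hunk does not show that path, so confirm against this file's xattr handlers and describe it here. If they are stored as opaque xattrs, the guest kernel may treat them as authoritative for its permission checks while the host ignores them, and that divergence deserves a sentence. The twelve added lines are byte-identical in both backends; a small shared helper such as `fn acl_init_opts(xattr_enabled: bool, capable: FsOptions) -> FsOptions` would keep the two negotiations in step.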
@@ -895,8 +895,7 @@ impl Server {
 | FsOptions::MAX_PAGES
 | FsOptions::SUBMOUNTS
 | FsOptions::HANDLE_KILLPRIV_V2
- | FsOptions::INIT_EXT
- | FsOptions::ALLOW_IDMAP;
+ | FsOptions::INIT_EXT;
 if cfg!(target_os = "macos") {
 supported |= FsOptions::SECURITY_CTX;
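Review bot: With `ALLOW_IDMAP` dropped from this `supported` mask the flag now reaches the guest only through the passthrough backends' init, and the hunk does not show whether `supported` is later ANDed with the `opts` the filesystem returns; if it is, both ALLOW_IDMAP and POSIX_ACL set there would be silently stripped, so confirm the mask is applied before, not after, the backend's additions. A pointer here to where the flag is now negotiated would help the next reader, e.g. `// ALLOW_IDMAP is advertised by the passthrough backends' init(), gated on POSIX_ACL and cfg.xattr.`. The enclosing Server method continues outside the hunk.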