From fec0d508a2f3d6bcf9be16a805dfc8facdfd9bb0 Mon Sep 17 00:00:00 2001
From: Nick Rosbrook
Date: Fri, 12 Jan 2024 14:02:17 -0500
Subject: [PATCH] test: skip TEST-43-PRIVATEUSER-UNPRIV if unprivileged userns is restricted
With newer versions of AppArmor, unprivileged user namespace creation may be restricted by default, in which case user manager instances will not be able to apply PrivateUsers=yes (or the settings which require it). This can be tested with the kernel.apparmor_restrict_unprivileged_userns sysctl.
---
 test/units/testsuite-43.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/units/testsuite-43.sh b/test/units/testsuite-43.sh
index 07e6fc9b623..4f31a33c343 100755
--- a/test/units/testsuite-43.sh
+++ b/test/units/testsuite-43.sh
@@ -6,6 +6,11 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
+if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
+ echo "Cannot create unprivileged user namespaces" >/skipped
+ exit 0
+fi
+
 systemd-analyze log-level debug
 runas testuser systemd-run --wait --user --unit=test-private-users \
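Review bot: The new guard at the top of the script tests only `kernel.apparmor_restrict_unprivileged_userns`, yet the text written to `/skipped` says generically that unprivileged user namespaces cannot be created; naming the knob, e.g. `echo "kernel.apparmor_restrict_unprivileged_userns=1: unprivileged user namespaces are restricted" >/skipped`, lets anyone reading CI results see that PrivateUsers= coverage was dropped because of host hardening. Other settings with a similar effect (for instance `user.max_user_namespaces=0`) are not detected here and would presumably still show up as a test failure rather than a skip. The `-eq` inside `[[ ]]` evaluates the command output arithmetically, so an empty result from `sysctl -ne` on a kernel without the key counts as 0; a literal comparison, `== 1`, gives the same outcome without arithmetic evaluation of command output. The script continues past the end of the hunk, which stops on a line ending in a continuation backslash.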