#include "signal-util.h"
#include "static-destruct.h"
#include "stat-util.h"
+#include "sysctl-util.h"
#include "tests.h"
#include "tmpfile-util.h"
#include "unit.h"
}
}
+static bool apparmor_restrict_unprivileged_userns(void) {
+ _cleanup_free_ char *v = NULL;
+ int r;
+
+ /* If kernel.apparmor_restrict_unprivileged_userns=1, then we cannot
+ * use unprivileged user namespaces. */
+ r = sysctl_read("kernel/apparmor_restrict_unprivileged_userns", &v);
+ if (r < 0) {
+ if (r != -ENOENT)
+ log_debug_errno(r, "Failed to read kernel.apparmor_restrict_unprivileged_userns sysctl, ignoring: %m");
+
+ return false;
+ }
+
+ return streq(v, "1");
+}
+
static bool have_userns_privileges(void) {
pid_t pid;
int r;
+ if (apparmor_restrict_unprivileged_userns())
+ return false;
+
r = safe_fork("(sd-test-check-userns)",
FORK_RESET_SIGNALS |
FORK_CLOSE_ALL_FDS |