test: skip TEST-43-PRIVATEUSER-UNPRIV if unprivileged userns is restricted

With newer versions of AppArmor, unprivileged user namespace creation
may be restricted by default, in which case user manager instances will
not be able to apply PrivateUsers=yes (or the settings which require it).

This can be tested with the kernel.apparmor_restrict_unprivileged_userns
sysctl.

diff --git a/test/units/testsuite-43.sh b/test/units/testsuite-43.sh
index 07e6fc9b6236a504d6fc5088513c634bc200b90c..4f31a33c343a52ba9c7e24da45b592798b9d0eac 100755 (executable)
--- a/test/units/testsuite-43.sh
+++ b/test/units/testsuite-43.sh
@@ -6,6 +6,11 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
+    echo "Cannot create unprivileged user namespaces" >/skipped
+    exit 0
+fi
+
 systemd-analyze log-level debug
 
 runas testuser systemd-run --wait --user --unit=test-private-users \