{ "/proc/sys/kernel/unprivileged_userns_clone", 0, 1, 0 },
/* ALT Linux has an alternate way of doing the same. */
{ "/proc/sys/kernel/userns_restrict", 1, 0, 0 },
+ /* AppArmor can also disable unprivileged user namespaces. */
+ { "/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 1, 0, 0 },
/* Linux kernel >= 4.9 has a configurable limit on the number of
each namespace. Some distros set the limit to zero to disable the
corresponding namespace as a "security policy". */
{
/* Older kernels may not support all the options, or security
policy may block this call. */
- if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+ if (errno == EINVAL || errno == EPERM
+ || errno == ENOSPC || errno == EACCES)
{
int saved_errno = errno;
- if (errno == EPERM || errno == ENOSPC)
+ if (errno == EPERM || errno == ENOSPC || errno == EACCES)
check_for_unshare_hints (require_pidns);
FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno));
}
{
/* Older kernels may not support all the options, or security
policy may block this call. */
- if (errno == EINVAL || errno == EPERM || errno == ENOSPC)
+ if (errno == EINVAL || errno == EPERM
+ || errno == ENOSPC || errno == EACCES)
exit (EXIT_UNSUPPORTED);
FAIL_EXIT1 ("unshare user/fs/pid failed: %m");
}