test: skip a systemd-run test if unprivileged userns is restricted

With newer versions of AppArmor, unprivileged user namespace creation
may be restricted by default, in which case user manager instances will
not be able to apply PrivateUsers=yes, which is implied by
PrivateTmp=yes in this systemd-run invocation.

diff --git a/test/units/testsuite-74.run.sh b/test/units/testsuite-74.run.sh
index 38cbca54ce3447ab486b0a4c2a652caa055a0558..a94776eadd1f6fb9541546b9f07e6f96f04044c4 100755 (executable)
--- a/test/units/testsuite-74.run.sh
+++ b/test/units/testsuite-74.run.sh
@@ -80,11 +80,16 @@ systemd-run --wait --pipe --user --machine=testuser@ \
             bash -xec '[[ "$(id -nu)" == testuser && "$(id -ng)" == testuser ]]'
 systemd-run --wait --pipe --user --machine=testuser@ \
             bash -xec '[[ "$PWD" == /home/testuser && -n "$INVOCATION_ID" ]]'
-systemd-run --wait --pipe --user --machine=testuser@ \
-            --property=LimitCORE=1M:2M \
-            --property=LimitCORE=16M:32M \
-            --property=PrivateTmp=yes \
-            bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+
+# PrivateTmp=yes implies PrivateUsers=yes for user manager, so skip this if we
+# don't have unprivileged user namespaces.
+if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then
+    systemd-run --wait --pipe --user --machine=testuser@ \
+                --property=LimitCORE=1M:2M \
+                --property=LimitCORE=16M:32M \
+                --property=PrivateTmp=yes \
+                bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+fi
 
 : "Transient scope (system daemon)"
 systemd-run --scope \