From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Mon, 4 Mar 2024 20:43:57 +0000 (-0500)
Subject: test: check for kernel.apparmor_restrict_unprivileged_userns
X-Git-Tag: v256-rc1~642
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70aece819311f7ab76abdf473bc8f316c5bc58c6;p=thirdparty%2Fsystemd.git

test: check for kernel.apparmor_restrict_unprivileged_userns

Some tests in test-execute are already skipped if we do not have
unprivileged user namespaces. Extend this check to look for an apparmor
specific sysctl indicating that unprivileged userns creation is
restricted.
---

diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 148e44b13db..6a574b495f1 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -28,6 +28,7 @@
 #include "signal-util.h"
 #include "static-destruct.h"
 #include "stat-util.h"
+#include "sysctl-util.h"
 #include "tests.h"
 #include "tmpfile-util.h"
 #include "unit.h"
@@ -218,10 +219,30 @@ static void start_parent_slices(Unit *unit) {
         }
 }
 
+static bool apparmor_restrict_unprivileged_userns(void) {
+        _cleanup_free_ char *v = NULL;
+        int r;
+
+        /* If kernel.apparmor_restrict_unprivileged_userns=1, then we cannot
+         * use unprivileged user namespaces. */
+        r = sysctl_read("kernel/apparmor_restrict_unprivileged_userns", &v);
+        if (r < 0) {
+                if (r != -ENOENT)
+                        log_debug_errno(r, "Failed to read kernel.apparmor_restrict_unprivileged_userns sysctl, ignoring: %m");
+
+                return false;
+        }
+
+        return streq(v, "1");
+}
+
 static bool have_userns_privileges(void) {
         pid_t pid;
         int r;
 
+        if (apparmor_restrict_unprivileged_userns())
+                return false;
+
         r = safe_fork("(sd-test-check-userns)",
                       FORK_RESET_SIGNALS |
                       FORK_CLOSE_ALL_FDS |