fixes golang/go#67088
Change-Id: I42e7a8d02b161187772f147e3e136ab6e0f71d7f
Reviewed-on: https://go-review.googlesource.com/c/go/+/585059
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
// SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
// See user_namespaces(7).
+//
+// Note that User Namespaces are not available on a number of popular Linux
+// versions (due to security issues), or are available but subject to AppArmor
+// restrictions like in Ubuntu 24.04.
type SysProcIDMap struct {
ContainerID int // Container ID.
HostID int // Host ID.
}
func TestAmbientCapsUserns(t *testing.T) {
+ b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
+ if err == nil && strings.TrimSpace(string(b)) == "1" {
+ t.Skip("AppArmor restriction for unprivileged user namespaces is enabled")
+ }
testAmbientCaps(t, true)
}
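Review bot: The skip at the top of TestAmbientCapsUserns only recognises the AppArmor sysctl, so the test will still fail (rather than skip) on hosts where unprivileged user namespaces are disabled by another mechanism, such as `kernel.unprivileged_userns_clone=0` on Debian-derived kernels or `user.max_user_namespaces=0`, which the new doc comment itself alludes to with "not available on a number of popular Linux versions". Treating the ReadFile error as "restriction absent" is right for the AppArmor file, but the same pattern should cover the other knobs, and a table-driven loop keeps each path next to the value that means "disabled". Note also that the AppArmor restriction is, as far as I can tell, only enforced for processes without CAP_SYS_ADMIN, so when the test runs as root this skip is conservative rather than necessary; worth a comment or a `os.Geteuid() != 0` guard if the suite is routinely run privileged. If other tests in this file also create user namespaces, the check belongs in a shared helper so they skip consistently.
```go
func TestAmbientCapsUserns(t *testing.T) {
	// Unprivileged user namespaces can be turned off by several different
	// sysctls depending on distribution; skip if any of them is set.
	for _, s := range []struct{ path, disabled string }{
		{"/proc/sys/kernel/apparmor_restrict_unprivileged_userns", "1"},
		{"/proc/sys/kernel/unprivileged_userns_clone", "0"},
		{"/proc/sys/user/max_user_namespaces", "0"},
	} {
		b, err := os.ReadFile(s.path)
		if err == nil && strings.TrimSpace(string(b)) == s.disabled {
			t.Skipf("unprivileged user namespaces disabled via %s", s.path)
		}
	}
	// … unchanged: testAmbientCaps(t, true) …
}
```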