test: skip a systemd-run test if unprivileged userns is restricted

With newer versions of AppArmor, unprivileged user namespace creation may be restricted by default, in which case user manager instances will not be able to apply PrivateUsers=yes, which is implied by PrivateTmp=yes in this systemd-run invocation.
2026-03-06 15:02:31 -08:00 · 2024-01-18 15:29:46 -05:00
parent fe0c684b34
commit 6327d30224
1 changed files with 10 additions and 5 deletions
--- a/test/units/testsuite-74.run.sh
+++ b/test/units/testsuite-74.run.sh
@@ -80,11 +80,16 @@ systemd-run --wait --pipe --user --machine=testuser@ \
            bash -xec '[[ "$(id -nu)" == testuser && "$(id -ng)" == testuser ]]'
 systemd-run --wait --pipe --user --machine=testuser@ \
            bash -xec '[[ "$PWD" == /home/testuser && -n "$INVOCATION_ID" ]]'
-systemd-run --wait --pipe --user --machine=testuser@ \
-            --property=LimitCORE=1M:2M \
-            --property=LimitCORE=16M:32M \
-            --property=PrivateTmp=yes \
-            bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+
+# PrivateTmp=yes implies PrivateUsers=yes for user manager, so skip this if we
+# don't have unprivileged user namespaces.
+if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then
+    systemd-run --wait --pipe --user --machine=testuser@ \
+                --property=LimitCORE=1M:2M \
+                --property=LimitCORE=16M:32M \
+                --property=PrivateTmp=yes \
+                bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
+fi

 : "Transient scope (system daemon)"
 systemd-run --scope \