syscall: skip TestAmbientCapsUserns when restricted, document

fixes golang/go#67088 Change-Id: I42e7a8d02b161187772f147e3e136ab6e0f71d7f Reviewed-on: https://go-review.googlesource.com/c/go/+/585059 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Lance Taylor <iant@google.com>
author: Michael Stapelberg <stapelberg@golang.org> 2024-05-14 10:54:40 +0200
committer: Michael Stapelberg <stapelberg@golang.org> 2024-05-15 07:45:37 +0000
commit: d05af626956af449fb13815cef06b606bc7740c6 (patch)
tree: a03b38b2dbedd30f341396f95e97532db7af4ecc /src/syscall/exec_linux_test.go
parent: a524b8725374e4ebbb7fe3da85f407ee24141d51 (diff)
download: go-d05af626956af449fb13815cef06b606bc7740c6.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index 5ec1a24ba4..079220eab1 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -642,6 +642,10 @@ func TestAmbientCaps(t *testing.T) {
 }
 
 func TestAmbientCapsUserns(t *testing.T) {
+	b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
+	if err == nil && strings.TrimSpace(string(b)) == "1" {
+		t.Skip("AppArmor restriction for unprivileged user namespaces is enabled")
+	}
 	testAmbientCaps(t, true)
 }
author	Michael Stapelberg <stapelberg@golang.org>	2024-05-14 10:54:40 +0200
committer	Michael Stapelberg <stapelberg@golang.org>	2024-05-15 07:45:37 +0000
commit	d05af626956af449fb13815cef06b606bc7740c6 (patch)
tree	a03b38b2dbedd30f341396f95e97532db7af4ecc /src/syscall/exec_linux_test.go
parent	a524b8725374e4ebbb7fe3da85f407ee24141d51 (diff)
download	go-d05af626956af449fb13815cef06b606bc7740c6.tar.xz