From d05af626956af449fb13815cef06b606bc7740c6 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg@golang.org>
Date: Tue, 14 May 2024 10:54:40 +0200
Subject: syscall: skip TestAmbientCapsUserns when restricted, document

fixes golang/go#67088

Change-Id: I42e7a8d02b161187772f147e3e136ab6e0f71d7f
Reviewed-on: https://go-review.googlesource.com/c/go/+/585059
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
---
 src/syscall/exec_linux_test.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/syscall/exec_linux_test.go')

diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index 5ec1a24ba4..079220eab1 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -642,6 +642,10 @@ func TestAmbientCaps(t *testing.T) {
 }
 
 func TestAmbientCapsUserns(t *testing.T) {
+	b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
+	if err == nil && strings.TrimSpace(string(b)) == "1" {
+		t.Skip("AppArmor restriction for unprivileged user namespaces is enabled")
+	}
 	testAmbientCaps(t, true)
 }
 
-- 
cgit v1.3