From e0e9bd9b6364964a5944c3abca564d4155e9cfcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Dec 2024 12:55:45 +0100
Subject: [PATCH] functional-tests: skip tests if the kernel restricts
 unprivileged user namespaces

---
 tests/functional/build-remote-trustless.sh       |  1 +
 tests/functional/build-remote.sh                 |  2 ++
 tests/functional/chroot-store.sh                 |  1 +
 tests/functional/common/functions.sh             | 11 +++++++++++
 tests/functional/local-overlay-store/bad-uris.sh |  2 +-
 tests/functional/local-overlay-store/common.sh   |  4 ----
 tests/functional/nested-sandboxing/command.sh    |  2 ++
 tests/functional/shell.sh                        |  1 +
 tests/functional/supplementary-groups.sh         |  2 +-
 9 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/tests/functional/build-remote-trustless.sh b/tests/functional/build-remote-trustless.sh
index c498d46c301..9f91a91a969 100644
--- a/tests/functional/build-remote-trustless.sh
+++ b/tests/functional/build-remote-trustless.sh
@@ -5,6 +5,7 @@
 # shellcheck disable=SC2154
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 [[ "$busybox" =~ busybox ]] || skipTest "no busybox"
 
 unset NIX_STORE_DIR
diff --git a/tests/functional/build-remote.sh b/tests/functional/build-remote.sh
index 1a53345778d..3231341cbf6 100644
--- a/tests/functional/build-remote.sh
+++ b/tests/functional/build-remote.sh
@@ -3,6 +3,7 @@
 : "${file?must be defined by caller (remote building test case using this)}"
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 [[ "${busybox-}" =~ busybox ]] || skipTest "no busybox"
 
 # Avoid store dir being inside sandbox build-dir
@@ -27,6 +28,7 @@ builders=(
 chmod -R +w "$TEST_ROOT/machine"* || true
 rm -rf "$TEST_ROOT/machine"* || true
 
+
 # Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
 # child process. This allows us to test LegacySSHStore::buildDerivation().
 # ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().
diff --git a/tests/functional/chroot-store.sh b/tests/functional/chroot-store.sh
index 46e91f0aaea..ccde3e90bb5 100755
--- a/tests/functional/chroot-store.sh
+++ b/tests/functional/chroot-store.sh
@@ -40,6 +40,7 @@ EOF
     cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/"
 
     TODO_NixOS
+    requiresUnprivilegedUserNamespaces
 
     outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir")
 
diff --git a/tests/functional/common/functions.sh b/tests/functional/common/functions.sh
index 7195149cbfc..93303b0ac3f 100644
--- a/tests/functional/common/functions.sh
+++ b/tests/functional/common/functions.sh
@@ -345,4 +345,15 @@ count() {
 
 trap onError ERR
 
+requiresUnprivilegedUserNamespaces() {
+  if [[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]] && [[ $(< /proc/sys/kernel/apparmor_restrict_unprivileged_userns) -eq 1 ]]; then
+    skipTest "Unprivileged user namespaces are disabled. Run 'sudo sysctl -w /proc/sys/kernel/apparmor_restrict_unprivileged_userns=0' to disable."
+  fi
+}
+
+execUnshare () {
+  requiresUnprivilegedUserNamespaces
+  exec unshare --mount --map-root-user "$SHELL" "$@"
+}
+
 fi # COMMON_FUNCTIONS_SH_SOURCED
diff --git a/tests/functional/local-overlay-store/bad-uris.sh b/tests/functional/local-overlay-store/bad-uris.sh
index b7930e32e24..f0c6a151c35 100644
--- a/tests/functional/local-overlay-store/bad-uris.sh
+++ b/tests/functional/local-overlay-store/bad-uris.sh
@@ -19,7 +19,7 @@ TODO_NixOS
 
 for i in "${storesBad[@]}"; do
     echo $i
-    unshare --mount --map-root-user bash <<EOF
+    execUnshare <<EOF
         source common.sh
         setupStoreDirs
         mountOverlayfs
diff --git a/tests/functional/local-overlay-store/common.sh b/tests/functional/local-overlay-store/common.sh
index cbdb3a1f77c..ba9b2805ba2 100644
--- a/tests/functional/local-overlay-store/common.sh
+++ b/tests/functional/local-overlay-store/common.sh
@@ -94,10 +94,6 @@ initLowerStore () {
   pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath)
 }
 
-execUnshare () {
-  exec unshare --mount --map-root-user "$SHELL" "$@"
-}
-
 addTextToStore() {
   storeDir=$1; shift
   filename=$1; shift
diff --git a/tests/functional/nested-sandboxing/command.sh b/tests/functional/nested-sandboxing/command.sh
index e9c40a5d9cd..9825291ea71 100644
--- a/tests/functional/nested-sandboxing/command.sh
+++ b/tests/functional/nested-sandboxing/command.sh
@@ -18,6 +18,8 @@ goodStoreUrl () {
 # whether this test is being run in a derivation as part of the nix build or
 # being manually run by a developer outside a derivation
 runNixBuild () {
+    requiresUnprivilegedUserNamespaces
+
     local storeFun=$1
     local altitude=$2
     nix-build \
diff --git a/tests/functional/shell.sh b/tests/functional/shell.sh
index cfc8e410284..51032ff1b75 100755
--- a/tests/functional/shell.sh
+++ b/tests/functional/shell.sh
@@ -52,6 +52,7 @@ if isDaemonNewer "2.20.0pre20231220"; then
 fi
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 
 chmod -R u+w "$TEST_ROOT/store0" || true
 rm -rf "$TEST_ROOT/store0"
diff --git a/tests/functional/supplementary-groups.sh b/tests/functional/supplementary-groups.sh
index 50259a3e1f9..400333f7d4b 100755
--- a/tests/functional/supplementary-groups.sh
+++ b/tests/functional/supplementary-groups.sh
@@ -9,7 +9,7 @@ needLocalStore "The test uses --store always so we would just be bypassing the d
 
 TODO_NixOS
 
-unshare --mount --map-root-user -- bash -e -x <<EOF
+execUnshare <<EOF
   source common.sh
 
   # Avoid store dir being inside sandbox build-dir