[release-branch.go1.22] syscall: skip TestAmbientCapsUserns when restricted, document

For #67088 Fixes #69366 Change-Id: I42e7a8d02b161187772f147e3e136ab6e0f71d7f Reviewed-on: https://go-review.googlesource.com/c/go/+/585059 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Lance Taylor <iant@google.com> (cherry picked from commit d05af626956af449fb13815cef06b606bc7740c6) Reviewed-on: https://go-review.googlesource.com/c/go/+/612475
2025-05-05 23:53:05 +00:00 · 2024-05-14 10:54:40 +02:00 · 2024-05-14 10:54:40 +02:00 · b4086b7c16
commit b4086b7c16
parent 6fab4b9a9e
2 changed files with 8 additions and 0 deletions
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@ -53,6 +53,10 @@ const (
 // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
 // See user_namespaces(7).
 //
 // Note that User Namespaces are not available on a number of popular Linux
 // versions (due to security issues), or are available but subject to AppArmor
 // restrictions like in Ubuntu 24.04.
 type SysProcIDMap struct {
 	ContainerID int // Container ID.
 	HostID      int // Host ID.
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@ -642,6 +642,10 @@ func TestAmbientCaps(t *testing.T) {
 }
 func TestAmbientCapsUserns(t *testing.T) {
 	b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
 	if err == nil && strings.TrimSpace(string(b)) == "1" {
 		t.Skip("AppArmor restriction for unprivileged user namespaces is enabled")
 	}
 	testAmbientCaps(t, true)
 }