functional-tests: skip tests if the kernel restricts unprivileged user namespaces

Update tests/functional/common/functions.sh

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>

tests/functional/build-remote-trustless-should-fail-0.sh

@@ -8,6 +8,7 @@ TODO_NixOS
 restartDaemon
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 [[ $busybox =~ busybox ]] || skipTest "no busybox"
 
 unset NIX_STORE_DIR

tests/functional/build-remote-trustless.sh

@@ -5,6 +5,7 @@
 # shellcheck disable=SC2154
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 [[ "$busybox" =~ busybox ]] || skipTest "no busybox"
 
 unset NIX_STORE_DIR

tests/functional/build-remote.sh

@@ -3,6 +3,7 @@
 : "${file?must be defined by caller (remote building test case using this)}"
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 [[ "${busybox-}" =~ busybox ]] || skipTest "no busybox"
 
 # Avoid store dir being inside sandbox build-dir
@@ -27,6 +28,7 @@ builders=(
 chmod -R +w "$TEST_ROOT/machine"* || true
 rm -rf "$TEST_ROOT/machine"* || true
 
+
 # Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
 # child process. This allows us to test LegacySSHStore::buildDerivation().
 # ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().

tests/functional/chroot-store.sh

@@ -40,6 +40,7 @@ EOF
     cp simple.nix shell.nix simple.builder.sh "${config_nix}" "$flakeDir/"
 
     TODO_NixOS
+    requiresUnprivilegedUserNamespaces
 
     outPath=$(nix build --print-out-paths --no-link --sandbox-paths '/nix? /bin? /lib? /lib64? /usr?' --store "$TEST_ROOT/x" path:"$flakeDir")
 

tests/functional/common/functions.sh

@@ -345,4 +345,15 @@ count() {
 
 trap onError ERR
 
+requiresUnprivilegedUserNamespaces() {
+  if [[ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]] && [[ $(< /proc/sys/kernel/apparmor_restrict_unprivileged_userns) -eq 1 ]]; then
+    skipTest "Unprivileged user namespaces are disabled. Run 'sudo sysctl -w /proc/sys/kernel/apparmor_restrict_unprivileged_userns=0' to allow, and run these tests."
+  fi
+}
+
+execUnshare () {
+  requiresUnprivilegedUserNamespaces
+  exec unshare --mount --map-root-user "$SHELL" "$@"
+}
+
 fi # COMMON_FUNCTIONS_SH_SOURCED

tests/functional/linux-sandbox.sh

@@ -9,6 +9,7 @@ TODO_NixOS
 clearStore
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 
 # Note: we need to bind-mount $SHELL into the chroot. Currently we
 # only support the case where $SHELL is in the Nix store, because

tests/functional/local-overlay-store/bad-uris.sh

@@ -19,7 +19,7 @@ TODO_NixOS
 
 for i in "${storesBad[@]}"; do
     echo $i
-    unshare --mount --map-root-user bash <<EOF
+    execUnshare <<EOF
         source common.sh
         setupStoreDirs
         mountOverlayfs

tests/functional/local-overlay-store/common.sh

@@ -94,10 +94,6 @@ initLowerStore () {
   pathInLowerStore=$(nix-store --store "$storeA" --realise $drvPath)
 }
 
-execUnshare () {
-  exec unshare --mount --map-root-user "$SHELL" "$@"
-}
-
 addTextToStore() {
   storeDir=$1; shift
   filename=$1; shift

tests/functional/nested-sandboxing.sh

@@ -7,6 +7,7 @@ source common.sh
 TODO_NixOS
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 
 start="$TEST_ROOT/start"
 mkdir -p "$start"

tests/functional/nested-sandboxing/command.sh

@@ -18,6 +18,7 @@ goodStoreUrl () {
 # whether this test is being run in a derivation as part of the nix build or
 # being manually run by a developer outside a derivation
 runNixBuild () {
+
     local storeFun=$1
     local altitude=$2
     nix-build \

tests/functional/shell.sh

@@ -52,6 +52,7 @@ if isDaemonNewer "2.20.0pre20231220"; then
 fi
 
 requireSandboxSupport
+requiresUnprivilegedUserNamespaces
 
 chmod -R u+w "$TEST_ROOT/store0" || true
 rm -rf "$TEST_ROOT/store0"

tests/functional/supplementary-groups.sh

@@ -9,7 +9,7 @@ needLocalStore "The test uses --store always so we would just be bypassing the d
 
 TODO_NixOS
 
-unshare --mount --map-root-user -- bash -e -x <<EOF
+execUnshare <<EOF
   source common.sh
 
   # Avoid store dir being inside sandbox build-dir