From 786df5b09bddab89cfd1d4016c2381b5eeeb0834 Mon Sep 17 00:00:00 2001
From: Sebastian Wick
Date: Tue, 19 Aug 2025 21:45:24 +0200
Subject: [PATCH] ci: Work around AppArmor userns restriction breaking bwrap

CI currently skips a lot of tests. This is due to AppArmor restricting user namespacing to specific executables with a profile. We however build bwrap ourselves and that makes it hard to have a profile for it. Let's just turn the restriction off entirely.
---
 .github/workflows/check.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 6c80135c..21f2c89b 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -49,6 +49,10 @@ jobs:
 head -v -n-0 /etc/apt/sources.list.d/* || :
 # Workaround for https://github.com/orgs/community/discussions/120966
 sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+ # Workaround for apparmor breaking bwrap by disabling unpriv userns
+ sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+ sudo systemctl reload apparmor
+ # Dependencies
 sudo apt-get update
 sudo apt-get install -y libglib2.0-dev attr gettext bison dbus gtk-doc-tools \
 libfuse3-dev ostree libostree-dev libarchive-dev libzstd-dev libcap-dev libattr1-dev libdw-dev libelf-dev python3-pyparsing \
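Review bot: The added comment reads as though unprivileged user namespaces were being disabled, whereas `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` lifts the AppArmor restriction for every unprivileged process on the runner, not only the locally built bwrap. I would reword it to `# Workaround: AppArmor limits unprivileged userns to profiled binaries; lift that for our self-built bwrap (ephemeral CI runner only)`. The write is also unguarded, so on a runner image whose kernel does not expose this key the step would presumably abort under the default `bash -e` shell. Appending `|| :` to the sysctl line, as the `head` line above already does, keeps the step working there. The setting lasts until reboot, which is harmless on a throwaway hosted runner but should not be copied to a self-hosted or shared one without restoring the value afterwards. The `run:` block starts above this hunk and the `apt-get install` package list continues below it.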