CC @stapelberg

AppArmor?

I put AppArmor in complain mode and the test is now successful. Note that I did the default install and didn't change anything on the apparmor configuration. It appears that profile unprivileged_userns is causing the issue.

I find the following in syslog in complain mode:

2024-04-28T22:15:25.972777+02:00 dragon kernel: audit: type=1400 audit(1714335325.971:157): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4779 comm="syscall.test" requested="userns_create" target="unprivileged_userns"
2024-04-28T22:15:25.972779+02:00 dragon kernel: audit: type=1400 audit(1714335325.972:158): apparmor="ALLOWED" operation="capable" class="cap" profile="unprivileged_userns" pid=4786 comm="syscall.test" capability=6  capname="setgid"
2024-04-28T22:15:25.972785+02:00 dragon kernel: audit: type=1400 audit(1714335325.972:159): apparmor="ALLOWED" operation="capable" class="cap" profile="unprivileged_userns" pid=4786 comm="syscall.test" capability=7  capname="setuid"

With app_armor in enforce mode in I find the following:

syslog.1:2024-04-27T22:26:48.453999+02:00 dragon kernel: audit: type=1400 audit(1714249608.452:5838): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=821266 comm="syscall.test" capability=6  capname="setgid"
syslog.1:2024-04-27T22:26:48.454001+02:00 dragon kernel: audit: type=1400 audit(1714249608.452:5839): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=821266 comm="syscall.test" capability=7  capname="setuid"
syslog.1:2024-04-27T22:26:48.889023+02:00 dragon kernel: audit: type=1400 audit(1714249608.887:5842): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=821534 comm="syscall.test" capability=21  capname="sys_admin"

I can confirm

$ sudo aa-disable unprivileged_userns

prevents TestAmbientCapsUserns from failing in a persistent manner.

I have been made aware that there is a section in the Ubuntu release notes that describes the issue.

To me, it sounds like Ubuntu comes with too-locked-down defaults for development of sandboxing features, but as per the release notes you link, that seems intentional and users are expected to follow one of the possibilities mentioned in the release notes.

Other environments (e.g. corporate laptops) also come with similar restrictions (malware scanners that use an allowlist to control which software runs) that need to be turned off for development.

So is there anything left to be done on the Go side here?

Should we maybe skip the test when we detect apparmor being active? Or adjust the error message to point to the Ubuntu release notes?

what about an upstream issue so that Ubuntu fixes this? they broke it, they own it.

Is there any way that the test can detect the problem and simply skip the test in that case?

Our goal here should be for the test to pass or be skipped on all systems. We shouldn't change the behavior of the non-test code, though we may want to document the problem. But the test should not fail.

The test could be skipped if /proc/sys/kernel/apparmor_restrict_unprivileged_userns exists and is set to 1.

Unfortunately the flags that control how apparmor will behave (apparmor_restrict_unprivileged_userns_complain and apparmor_restrict_unprivileged_userns_force) are not readable by an unprivileged user, so the test will be skipped even in cases when it may be successful because the apparmor profile is deactivated.

After reading https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction#checking-the-current-state-of-restricted-unprivileged-user-namespaces and the following sections, I think we should:

• check if /proc/sys/kernel/apparmor_restrict_unprivileged_userns is 1 and skip the test
• document this restriction

The _complain and _force modes seem like rare enough (for machines where you want to develop Go, not for servers on which you would run production programs) that they don’t warrant special handling.

I can send a CL for these updates tomorrow.

Change https://go.dev/cl/585059 mentions this issue: syscall: skip TestAmbientCapsUserns when restricted, document

@gopherbot Please open a backport to 1.22.

Backport issue(s) opened: #69366 (for 1.22).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@mengzhuo Thanks for requesting this backport. We already reviewed it, but a note for future: https://go.dev/wiki/MinorReleases says "The [backport] issue should include a link to the original issue and a short rationale about why the backport might be needed. [...] The entire message is quoted in the new issue." Please do include a short rationale when asking gopherbot to create a backport in the future, as it that helps when reviewing cherry picks. Thanks.

Change https://go.dev/cl/612475 mentions this issue: [release-branch.go1.22] syscall: skip TestAmbientCapsUserns when restricted, document