From e84c6684bb6ba795daf56c614f148ad460d8ec0f Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:40:52 -0500
Subject: [PATCH] snapcraft/commands/daemon.start: check apparmor_unprivileged_restrictions_disable config before disabling related sysctl

Signed-off-by: Simon Deziel
---
 snapcraft/commands/daemon.start | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index 2389ec810..63ca53752 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -420,6 +420,22 @@ if [ "$(stat -c '%u' /proc)" = 0 ]; then
 echo 1 > /proc/sys/kernel/unprivileged_userns_clone || true
 fi
 fi
+
+ if [ "${apparmor_unprivileged_restrictions_disable:-"true"}" = "true" ]; then
+ if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
+ if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
+ echo "==> Disabling Apparmor unprivileged userns mediation"
+ echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || true
+ fi
+ fi
+
+ if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined ]; then
+ if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined)" = "1" ]; then
+ echo "==> Disabling Apparmor unprivileged unconfined mediation"
+ echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined || true
+ fi
+ fi
+ fi
 fi
 
 # Setup CRIU
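Review bot: The added block turns off two host-wide AppArmor hardening sysctls by default. When `apparmor_unprivileged_restrictions_disable` is unset, the `:-"true"` fallback selects the disabling branch, so a host keeps the restriction only if the operator explicitly opts out. Both writes affect every process on the host rather than just the daemon, and nothing in the hunk saves or restores the earlier value, so a comment above the outer `if` stating the scope and how to opt out would help whoever audits this later. The `|| true` on each `echo 0 >` also hides a failed write after the "==> Disabling ..." line has already been printed, so the log can claim a state the kernel is not in; keeping it best-effort but visible would look like `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || echo "==> Failed to disable Apparmor unprivileged userns mediation" >&2`, and the same for the `unconfined` write. The enclosing `if [ "$(stat -c '%u' /proc)" = 0 ]` block and the place where the variable is populated are both outside the hunk, so how the config value is normalised cannot be checked from here.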