From f28305297199ef7f25b748e32d72f87b2f010d49 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 3 Oct 2023 08:37:40 -0400
Subject: [PATCH] daemon.start: disable Apparmor unpriv userns mediation

Signed-off-by: Simon Deziel
---
 snapcraft/commands/daemon.start | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index 19531b15d..d4c70ee72 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -416,6 +416,13 @@ if [ "$(stat -c '%u' /proc)" = 0 ]; then
 fi
 fi
 
+ if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
+ if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
+ echo "==> Disabling Apparmor unprivileged userns mediation"
+ echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || true
+ fi
+ fi
+
 if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
 if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "0" ]; then
 echo "==> Enabling unprivileged containers kernel support"
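Review bot: The added write of 0 to `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` changes a host-wide sysctl, so starting the daemon lifts this AppArmor restriction for every process on the machine, and nothing in the hunk records or restores the previous value. The `|| true` also hides a failed write, so the "Disabling" message is printed even when the restriction stays active; `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || echo "==> Failed to disable Apparmor unprivileged userns mediation" >&2` keeps the step best-effort but makes the resulting state visible in the log. I would also put a comment above the block, for example `# NOTE: this sysctl is system-wide; setting it to 0 lifts the restriction for all processes on the host, not only for the daemon.`, and have the commit message say why a narrower grant (an AppArmor profile rule for the daemon's own binaries, if that is workable here) was not used. The added lines appear to sit inside the `if [ "$(stat -c '%u' /proc)" = 0 ]` block named in the hunk header, which starts and ends outside the hunk.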