From d75747147cffd04386c13e7dc9e17875242f619c Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 3 Oct 2023 08:37:40 -0400
Subject: [PATCH 1/3] daemon.start: disable Apparmor unpriv userns mediation

Signed-off-by: Simon Deziel
---
 snapcraft/commands/daemon.start | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index 8622927bd..b4d92af07 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -418,6 +418,13 @@ if [ "$(stat -c '%u' /proc)" = 0 ]; then
         fi
     fi
 
+    if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
+        if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
+            echo "==> Disabling Apparmor unprivileged userns mediation"
+            echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || true
+        fi
+    fi
+
     if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
         if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "0" ]; then
             echo "==> Enabling unprivileged containers kernel support"
From 76c9e3f2dda14e234d6c58964ae4f3453b3f60df Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 3 Oct 2023 08:41:07 -0400
Subject: [PATCH 2/3] wrappers/editor: workaround Apparmor unpriv userns mediation

Signed-off-by: Simon Deziel
---
 snapcraft/wrappers/editor | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/snapcraft/wrappers/editor b/snapcraft/wrappers/editor
index fde501685..3611cb88d 100755
--- a/snapcraft/wrappers/editor
+++ b/snapcraft/wrappers/editor
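Review bot: The write `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns` in the added block flips a host-wide sysctl that governs every process on the machine, not only this snap, and the trailing `|| true` means a failed write leaves no trace even though start-up then continues as if it had succeeded. A comment above the block should record both facts, e.g. `# Host-wide: turns off AppArmor's mediation of unprivileged user namespace creation for all processes, not just this snap; needed because <state what breaks otherwise>`, and the failure should at least be reported in the same style as the surrounding messages: `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || echo "==> Failed to disable Apparmor unprivileged userns mediation"`. Whether the previous value is restored when the daemon stops is not visible in this patch and is worth checking. The enclosing `if [ "$(stat -c '%u' /proc)" = 0 ]` block starts and ends outside the hunk.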
@@ -16,7 +16,8 @@ run_cmd() {
 }
 
 USERNS=1
-[ -e /proc/sys/kernel/unprivileged_userns_clone ] && grep -q 0 /proc/sys/kernel/unprivileged_userns_clone && USERNS=0
+[ -e /proc/sys/kernel/unprivileged_userns_clone ] && grep -qxF 0 /proc/sys/kernel/unprivileged_userns_clone && USERNS=0
+[ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && grep -qxF 1 /proc/sys/kernel/apparmor_restrict_unprivileged_userns && USERNS=0
 
 find_and_spawn() {
     for path in / /usr/ /usr/local/; do
From 9f72ab2126d30a4bf02b622f1553a09342508d27 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 3 Oct 2023 08:41:15 -0400
Subject: [PATCH 3/3] wrappers/remote-viewer: workaround Apparmor unpriv userns mediation

Signed-off-by: Simon Deziel
---
 snapcraft/wrappers/remote-viewer | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/snapcraft/wrappers/remote-viewer b/snapcraft/wrappers/remote-viewer
index b8f178421..87429d3c7 100755
--- a/snapcraft/wrappers/remote-viewer
+++ b/snapcraft/wrappers/remote-viewer
@@ -15,7 +15,8 @@ run_cmd() {
 }
 
 USERNS=1
-[ -e /proc/sys/kernel/unprivileged_userns_clone ] && grep -q 0 /proc/sys/kernel/unprivileged_userns_clone && USERNS=0
+[ -e /proc/sys/kernel/unprivileged_userns_clone ] && grep -qxF 0 /proc/sys/kernel/unprivileged_userns_clone && USERNS=0
+[ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && grep -qxF 1 /proc/sys/kernel/apparmor_restrict_unprivileged_userns && USERNS=0
 
 find_and_spawn() {
     for path in / /usr/ /usr/local/; do
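Review bot: The two probes added above `find_and_spawn` carry no comment, and the same pair now appears verbatim in wrappers/editor and wrappers/remote-viewer (with an `if` form of the AppArmor check in daemon.start), so the next kernel or AppArmor knob means three parallel edits that can drift apart. A one-line comment above `USERNS=1` would at least tell the reader what the flag gates, e.g. `# USERNS=0 when the kernel (unprivileged_userns_clone=0) or AppArmor (apparmor_restrict_unprivileged_userns=1) refuses unprivileged user namespaces`. Presumably find_and_spawn reads USERNS to decide whether to spawn inside a user namespace, but its body runs past the end of the hunk, so that should be confirmed before the comment is worded that way. Moving the probe into a small helper sourced by both wrappers would keep the two copies identical.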
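Review bot: The AppArmor probe `grep -qxF 1 /proc/sys/kernel/apparmor_restrict_unprivileged_userns && USERNS=0` recognizes only the exact value `1`, so any other non-zero setting the knob might expose later would be read as "unrestricted" and leave USERNS=1, which for this flag is the wrong default. Inverting the test makes it fail-closed while behaving identically for today's 0/1 values: `[ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && ! grep -qxF 0 /proc/sys/kernel/apparmor_restrict_unprivileged_userns && USERNS=0`. The identical line was added to wrappers/editor in the previous patch of this series, so both copies should change together. What USERNS=0 does downstream is decided in find_and_spawn, whose body continues outside the hunk.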