From 3998e6864452eadfa3f0d6682bac562a72f753b4 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@mozilla.com>
Date: Wed, 11 Dec 2024 14:30:36 +0100
Subject: [PATCH] ubuntu-2404-amd64-{headless,gui}: allow unprivileged user
 namespaces

Firefox sandboxing relies on them, and displays a warning when they're
not available (https://bugzilla.mozilla.org/show_bug.cgi?id=1899516).
---
 gcp.pkr.hcl                    | 2 ++
 scripts/linux/common/userns.sh | 5 +++++
 2 files changed, 7 insertions(+)
 create mode 100644 scripts/linux/common/userns.sh

diff --git a/gcp.pkr.hcl b/gcp.pkr.hcl
index bfed0ed..8086129 100644
--- a/gcp.pkr.hcl
+++ b/gcp.pkr.hcl
@@ -258,6 +258,7 @@ build {
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-gui/fxci/01-bootstrap.sh",
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-gui/fxci/02-additional-packages.sh",
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-gui/fxci/04-wayland.sh",
+      "${path.cwd}/scripts/linux/common/userns.sh",
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-gui/fxci/99-additional-talos-reqs.sh"
     ]
   }
@@ -485,6 +486,7 @@ build {
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-headless/fxci/01-bootstrap.sh",
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-headless/fxci/02-additional-packages.sh",
       "${path.cwd}/scripts/linux/ubuntu-2404-amd64-headless/fxci/03-aslr.sh",
+      "${path.cwd}/scripts/linux/common/userns.sh",
       "${path.cwd}/scripts/linux/common/v4l2loopback.sh"
     ]
   }
diff --git a/scripts/linux/common/userns.sh b/scripts/linux/common/userns.sh
new file mode 100644
index 0000000..4f8cd7d
--- /dev/null
+++ b/scripts/linux/common/userns.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
+# The firefox sandbox relies on unprivileged user namespaces
+echo 'kernel.apparmor_restrict_unprivileged_userns = 0' > /etc/sysctl.d/90-userns.conf