From 7e8fc2be984747a44dbf2acb5abd1294251d373d Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 12:15:44 -0400
Subject: [PATCH 1/6] CI fix, attempt 2
---
 .github/workflows/test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 22122b3..0442025 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -22,7 +22,7 @@ jobs:
 - name: Debug unshare install
 run: |
 echo unshare is at $(which unshare)
- unshare --mount --map-root-user --user --pid --fork -- ls
+ unshare --mount --user --pid --fork -- ls
 - name: Checkout
 uses: actions/checkout@v4
From ae949a1a6e68833009309f1917e44a826d4a5400 Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 12:20:49 -0400
Subject: [PATCH 2/6] mount issues
---
 .github/workflows/test.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 0442025..c9709b5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -22,7 +22,8 @@ jobs:
 - name: Debug unshare install
 run: |
 echo unshare is at $(which unshare)
- unshare --mount --user --pid --fork -- ls
+ findmnt
+ unshare --mount --propagation unchanged --user --pid --fork -- ls
 - name: Checkout
 uses: actions/checkout@v4
From 3acbbaf4ebaac6f90d0073e9fd69f70f741f5ba3 Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 12:22:34 -0400
Subject: [PATCH 3/6] weaker test for unshare
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 82841b5..bfafd0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,7 +131,7 @@ fi
 TRY_REQUIRE_PROG([readlink])
 TRY_REQUIRE_PROG([unshare], [for unshare], [
-res=$(unshare --mount --map-root-user --user --pid --fork -- ls $PWD/try 2>/dev/null)
+res=$(unshare --mount --propagation unchanged --user --pid --fork -- ls $PWD/try 2>/dev/null)
 ], [
 test "$?" != 0 || test "$res" != "$PWD/try"
 ], [], [could not run unshare])
From aae999ad7851cfc0def039028387d1c04a34eaa7 Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 12:30:25 -0400
Subject: [PATCH 4/6] allow unprivileged userns
---
 .github/workflows/test.yaml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index c9709b5..ccfd81e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -19,12 +19,6 @@ jobs:
 run: |
 sudo apt-get install util-linux expect mergerfs attr pandoc
- - name: Debug unshare install
- run: |
- echo unshare is at $(which unshare)
- findmnt
- unshare --mount --propagation unchanged --user --pid --fork -- ls
-
 - name: Checkout
 uses: actions/checkout@v4
 with:
@@ -56,6 +50,10 @@ jobs:
 if: github.event.pull_request.draft == false
 steps:
+ - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+ run: |
+ sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
 - name: Install dependencies
 run: |
 sudo apt-get install expect mergerfs attr pandoc
@@ -98,6 +96,10 @@ jobs:
 if: github.event.pull_request.draft == false
 steps:
+ - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+ run: |
+ sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
 - name: Install dependencies
 run: |
 sudo apt-get install expect mergerfs attr pandoc
From b97a37526cb94adccb8ee979109e04e016cfa89c Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 12:32:10 -0400
Subject: [PATCH 5/6] revert autoconf test
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
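Review bot: In the configure.ac hunk of PATCH 3/6, the `res=$(unshare … 2>/dev/null)` probe discards unshare's error text, so when host policy blocks user namespaces configure can only print `could not run unshare` and the actual reason never reaches config.log. Assuming the macro argument is expanded by m4 in the usual way, redirecting with `2>&AS_MESSAGE_LOG_FD` instead would keep the terminal quiet and still record why the probe failed. `$PWD` is also unquoted in `ls $PWD/try` although the comparison on the following line quotes it; `ls "$PWD/try"` avoids a false failure when the build directory path contains spaces. Both points apply unchanged to the line that PATCH 5/6 restores.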
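Review bot: The `sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0` step added in the second hunk of PATCH 4/6 (and copied in the third hunk) turns the AppArmor user-namespace restriction off for the whole runner, and nothing in the workflow records why or where that is acceptable. On an ephemeral hosted runner the setting disappears with the VM, but on a persistent self-hosted runner it would stay in effect for every later job until reboot. I would put a comment above the step, for example `# Ubuntu 24.04 blocks unprivileged userns via AppArmor; presumably needed by the unshare-based tests. Runner-wide setting: ephemeral runners only.` The `runs-on` lines are outside these hunks, so which runner images the jobs use is not visible here.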
diff --git a/configure.ac b/configure.ac
index bfafd0a..82841b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,7 +131,7 @@ fi
 TRY_REQUIRE_PROG([readlink])
 TRY_REQUIRE_PROG([unshare], [for unshare], [
-res=$(unshare --mount --propagation unchanged --user --pid --fork -- ls $PWD/try 2>/dev/null)
+res=$(unshare --mount --map-root-user --user --pid --fork -- ls $PWD/try 2>/dev/null)
 ], [
 test "$?" != 0 || test "$res" != "$PWD/try"
 ], [], [could not run unshare])
From 0365f60e8cee43c1ccbea3aa7091da84a10caf33 Mon Sep 17 00:00:00 2001
From: Michael Greenberg
Date: Thu, 10 Oct 2024 13:15:14 -0400
Subject: [PATCH 6/6] one more
---
 .github/workflows/test.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index ccfd81e..b74cf0b 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -15,6 +15,10 @@ jobs:
 if: github.event.pull_request.draft == false
 steps:
+ - name: Allow unprivileged user namespaces (for Ubuntu 24.04)
+ run: |
+ sudo sysctl kernel.apparmor_restrict_unprivileged_userns=0
+
 - name: Install dependencies
 run: |
 sudo apt-get install util-linux expect mergerfs attr pandoc
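Review bot: The `Allow unprivileged user namespaces` step added in PATCH 6/6 is the third verbatim copy in this workflow (the other two come from PATCH 4/6), and each copy would fail its job on a runner image that has no `kernel.apparmor_restrict_unprivileged_userns` key, since sysctl exits non-zero for an unknown key. Guarding the write keeps the step usable across images: `if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0; fi`. Moving the step into a single local composite action would also leave one place to tighten or remove this hardening exception later. The job's `runs-on` line is outside the hunk, so whether an older image is in use is not visible here.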