1 files changed, 26 insertions, 0 deletions
diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass
index 1d242f0f0a..a0b2508e11 100644
--- a/meta/classes-global/sanity.bbclass
+++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,31 @@ def check_wsl(d):
            bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
    return None
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    if not bb.utils.is_local_uid(parentuid):
+        return None
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
 # Require at least gcc version 8.0
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +666,7 @@ def check_sanity_version_change(status, d):
    status.addresult(check_git_version(d))
    status.addresult(check_perl_modules(d))
    status.addresult(check_wsl(d))
+    status.addresult(check_userns())
    missing = ""

diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass index 1d242f0f0a..a0b2508e11 100644 --- a/meta/classes-global/sanity.bbclass +++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,31 @@ def check_wsl(d):
475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")	475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
476	return None	476	return None
477		477
		478	def check_userns():
		479	"""
		480	Check that user namespaces are functional, as they're used for network isolation.
		481	"""
		482
		483	# There is a known failure case with AppAmrmor where the unshare() call
		484	# succeeds (at which point the uid is nobody) but writing to the uid_map
		485	# fails (so the uid isn't reset back to the user's uid). We can detect this.
		486	parentuid = os.getuid()
		487	if not bb.utils.is_local_uid(parentuid):
		488	return None
		489	pid = os.fork()
		490	if not pid:
		491	try:
		492	bb.utils.disable_network()
		493	except:
		494	pass
		495	os._exit(parentuid != os.getuid())
		496
		497	ret = os.waitpid(pid, 0)[1]
		498	if ret:
		499	bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
		500	"See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
		501
		502
478	# Require at least gcc version 8.0	503	# Require at least gcc version 8.0
479	#	504	#
480	# This can be fixed on CentOS-7 with devtoolset-6+	505	# This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +666,7 @@ def check_sanity_version_change(status, d):
641	status.addresult(check_git_version(d))	666	status.addresult(check_git_version(d))
642	status.addresult(check_perl_modules(d))	667	status.addresult(check_perl_modules(d))
643	status.addresult(check_wsl(d))	668	status.addresult(check_wsl(d))
		669	status.addresult(check_userns())
644		670
645	missing = ""	671	missing = ""
646		672