1 files changed, 24 insertions, 0 deletions
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 293e405f62..3b13ba647e 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -469,6 +469,29 @@ def check_wsl(d):
            bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
    return None
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
 # Require at least gcc version 7.5.
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -634,6 +657,7 @@ def check_sanity_version_change(status, d):
    status.addresult(check_git_version(d))
    status.addresult(check_perl_modules(d))
    status.addresult(check_wsl(d))
+    status.addresult(check_userns())
    missing = ""

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index 293e405f62..3b13ba647e 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass
@@ -469,6 +469,29 @@ def check_wsl(d):
469	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")	469	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
470	return None	470	return None
471		471
		472	def check_userns():
		473	"""
		474	Check that user namespaces are functional, as they're used for network isolation.
		475	"""
		476
		477	# There is a known failure case with AppAmrmor where the unshare() call
		478	# succeeds (at which point the uid is nobody) but writing to the uid_map
		479	# fails (so the uid isn't reset back to the user's uid). We can detect this.
		480	parentuid = os.getuid()
		481	pid = os.fork()
		482	if not pid:
		483	try:
		484	bb.utils.disable_network()
		485	except:
		486	pass
		487	os._exit(parentuid != os.getuid())
		488
		489	ret = os.waitpid(pid, 0)[1]
		490	if ret:
		491	bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
		492	"See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
		493
		494
472	# Require at least gcc version 7.5.	495	# Require at least gcc version 7.5.
473	#	496	#
474	# This can be fixed on CentOS-7 with devtoolset-6+	497	# This can be fixed on CentOS-7 with devtoolset-6+
@@ -634,6 +657,7 @@ def check_sanity_version_change(status, d):
634	status.addresult(check_git_version(d))	657	status.addresult(check_git_version(d))
635	status.addresult(check_perl_modules(d))	658	status.addresult(check_perl_modules(d))
636	status.addresult(check_wsl(d))	659	status.addresult(check_wsl(d))
		660	status.addresult(check_userns())
637		661
638	missing = ""	662	missing = ""
639		663