From 6119c40c8ef297349a3bc11e165720f78f32df11 Mon Sep 17 00:00:00 2001
From: Dominik Holland <dominik.holland@qt.io>
Date: Fri, 24 May 2024 11:37:27 +0200
Subject: [PATCH] Provisioning: Fix bwrap with apparmor on Ubuntu 24.04
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ubuntu 23.10 introduced new apparmor features and those prevent bwrap
to work correctly until a apparmor configuration file is installed.

Change-Id: Ie02bd98adb9e55c930c399e5e209c0c612907233
Reviewed-by: Robert Griebl <robert.griebl@qt.io>
Reviewed-by: Toni Saario <toni.saario@qt.io>
Reviewed-by: Tero Heikkinen <tero.heikkinen@qt.io>
(cherry picked from commit f7a8184c175114e67555c8bdd859e9d52c208ab3)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Reviewed-by: Aku Pietikäinen <aku.pietikainen@qt.io>
---
 .../common/linux/fix-bwrap-apparmor.sh        | 21 +++++++++++++++++++
 .../03-fix-bwrap-apparmor.sh                  |  6 ++++++
 2 files changed, 27 insertions(+)
 create mode 100644 coin/provisioning/common/linux/fix-bwrap-apparmor.sh
 create mode 100644 coin/provisioning/qtci-linux-Ubuntu-24.04-aarch64/03-fix-bwrap-apparmor.sh

diff --git a/coin/provisioning/common/linux/fix-bwrap-apparmor.sh b/coin/provisioning/common/linux/fix-bwrap-apparmor.sh
new file mode 100644
index 00000000..4c8b68f9
--- /dev/null
+++ b/coin/provisioning/common/linux/fix-bwrap-apparmor.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#Copyright (C) 2024 The Qt Company Ltd
+#SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+
+# See https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+# and https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/comments/89
+sudo bash -c 'cat > /etc/apparmor.d/bwrap' << EOF
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile bwrap /usr/bin/bwrap flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bwrap>
+}
+EOF
+
diff --git a/coin/provisioning/qtci-linux-Ubuntu-24.04-aarch64/03-fix-bwrap-apparmor.sh b/coin/provisioning/qtci-linux-Ubuntu-24.04-aarch64/03-fix-bwrap-apparmor.sh
new file mode 100644
index 00000000..e155338a
--- /dev/null
+++ b/coin/provisioning/qtci-linux-Ubuntu-24.04-aarch64/03-fix-bwrap-apparmor.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Copyright (C) 2024 The Qt Company Ltd.
+# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+
+# shellcheck source=../common/linux/fix-bwrap-apparmor.sh
+source "${BASH_SOURCE%/*}/../common/linux/fix-bwrap-apparmor.sh"