From 220ea06f6aa3e14b4f5c1214b0fcc247fa9ed4da Mon Sep 17 00:00:00 2001 From: Connor Clark Date: Mon, 6 Jan 2025 10:55:36 -0800 Subject: [PATCH] ci: workaround new ubuntu 23 security issue for chromium --- .github/workflows/ci.yml | 4 ++++ .github/workflows/devtools.yml | 4 ++++ .github/workflows/smoke.yml | 8 ++++++++ .github/workflows/unit.yml | 4 ++++ 4 files changed, 20 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b16e1a6d34c8..0b6b170bc23c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,6 +38,10 @@ jobs: - run: yarn type-check - run: yarn build-all + # Since Ubuntu 23, dev builds of Chromium need this. + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + # Run pptr tests using ToT Chrome instead of stable default. - name: Install Chrome ToT run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh diff --git a/.github/workflows/devtools.yml b/.github/workflows/devtools.yml index 7655bcb83e83..3c0cbfc98826 100644 --- a/.github/workflows/devtools.yml +++ b/.github/workflows/devtools.yml @@ -160,6 +160,10 @@ jobs: - run: yarn build-report working-directory: ${{ github.workspace }}/lighthouse + # Since Ubuntu 23, dev builds of Chromium need this. + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + - name: Install Chrome ToT run: bash ${{ github.workspace }}/lighthouse/core/scripts/download-chrome.sh diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml index 83c2547f0e83..22ab4898648c 100644 --- a/.github/workflows/smoke.yml +++ b/.github/workflows/smoke.yml 
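Review bot: The added `sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` step in ci.yml switches the AppArmor user-namespace restriction off for the whole runner, not only for the downloaded Chromium, and the comment above it does not say so. The same step is repeated in devtools.yml, in smoke.yml (twice) and in unit.yml. On an ephemeral hosted runner the setting disappears with the VM, but on a self-hosted or reused machine it would persist until reboot and let every later process create unprivileged user namespaces. I would record that in the comment, e.g. `# Runner-wide and not reverted; acceptable only on ephemeral runners.`, and consider the narrower option of an AppArmor profile scoped to the downloaded Chrome binary, which the linked Chromium doc appears to describe. The step would also be easier to spot in job logs with a `name:` such as `name: Allow unprivileged userns for Chromium sandbox`.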
@@ -41,6 +41,10 @@ jobs: with: node-version: 18.x + # Since Ubuntu 23, dev builds of Chromium need this. + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + # Chrome Stable is already installed by default. - name: Install Chrome ToT if: matrix.chrome-channel == 'ToT' @@ -151,6 +155,10 @@ jobs: - run: yarn build-report - run: yarn build-devtools + # Since Ubuntu 23, dev builds of Chromium need this. + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + - name: Install Chrome ToT run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml index 0d755b182a20..275709a92656 100644 --- a/.github/workflows/unit.yml +++ b/.github/workflows/unit.yml @@ -53,6 +53,10 @@ jobs: - run: yarn build-report - run: yarn reset-link + # Since Ubuntu 23, dev builds of Chromium need this. + # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md + - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + # Run pptr tests using ToT Chrome instead of stable default. - name: Install Chrome ToT run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
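Review bot: In the first smoke.yml hunk the sysctl step has no `if:`, while the `Install Chrome ToT` step right after it is guarded by `if: matrix.chrome-channel == 'ToT'`, so the matrix legs that use the preinstalled stable Chrome also get the AppArmor user-namespace restriction switched off. The comment says only dev builds need it, so the step should carry the same guard: `if: matrix.chrome-channel == 'ToT'`. If the job's matrix includes non-Linux runners (not visible in this hunk), the guard would also need `runner.os == 'Linux'`, since `sudo sysctl` on that key would likely fail there. The job definition begins outside the hunk.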