ci: workaround new ubuntu 23 security issue for chromium

connorjclark · connorjclark · commit 220ea06f6aa3 · 2025-01-06T10:55:36.000-08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -38,6 +38,10 @@ jobs:
     - run: yarn type-check
     - run: yarn build-all
 
+    # Since Ubuntu 23, dev builds of Chromium need this.
+    # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
     # Run pptr tests using ToT Chrome instead of stable default.
     - name: Install Chrome ToT
       run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
diff --git a/.github/workflows/devtools.yml b/.github/workflows/devtools.yml
@@ -160,6 +160,10 @@ jobs:
     - run: yarn build-report
       working-directory: ${{ github.workspace }}/lighthouse
 
+    # Since Ubuntu 23, dev builds of Chromium need this.
+    # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
     - name: Install Chrome ToT
       run: bash ${{ github.workspace }}/lighthouse/core/scripts/download-chrome.sh
 
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -41,6 +41,10 @@ jobs:
       with:
         node-version: 18.x
 
+    # Since Ubuntu 23, dev builds of Chromium need this.
+    # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
     # Chrome Stable is already installed by default.
     - name: Install Chrome ToT
       if: matrix.chrome-channel == 'ToT'
@@ -151,6 +155,10 @@ jobs:
     - run: yarn build-report
     - run: yarn build-devtools
 
+    # Since Ubuntu 23, dev builds of Chromium need this.
+    # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
     - name: Install Chrome ToT
       run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
 
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -53,6 +53,10 @@ jobs:
     - run: yarn build-report
     - run: yarn reset-link
 
+    # Since Ubuntu 23, dev builds of Chromium need this.
+    # https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
     # Run pptr tests using ToT Chrome instead of stable default.
     - name: Install Chrome ToT
       run: bash $GITHUB_WORKSPACE/core/scripts/download-chrome.sh
