From e0cb337d73792dc575dff457e41b47f17e95cdbd Mon Sep 17 00:00:00 2001 From: Brendan Emery Date: Fri, 20 Mar 2026 08:43:09 +0100 Subject: [PATCH] Add Setup.md --- SETUP.md | 25 +++++++++++++++++++ .../action.yml | 16 +----------- .../action_callable.sh | 23 +++++++++++++++++ 3 files changed, 49 insertions(+), 15 deletions(-) create mode 100644 SETUP.md create mode 100755 actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh
diff --git a/SETUP.md b/SETUP.md
new file mode 100644
index 000000000..c7e3187bc
--- /dev/null
+++ b/SETUP.md
@@ -0,0 +1,25 @@
+# Setup
+
+Prerequisites:
+- Bazel (Instructions for installing here: https://bazel.build/install)
+
+## Integration Tests
+
+Prerequisites:
+- Docker
+ - Instructions for installing here: https://docs.docker.com/engine/install/
+ - Note. Running Docker in rootless mode is not yet officially supported but may work. See https://docs.docker.com/engine/security/rootless/ for more information.
+
+## Workarounds
+
+### Linux-Sandbox Ubuntu24.04 Workaround
+
+Ubuntu 24.04 introduced the security framework apparmor. The standard configuration of apparmor which also includes unprivileged user namespaces interferes with the bazel sandboxing mechanism and inhibits the linux-sandbox. This affects all bazel tests and potentially any bazel runnables.
+
+To work around this issue, you can run the following bash script:
+
+```bash
+bash actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh
+```
+
+Note. This must be rerun whenever the bazel version is updated.
diff --git a/actions/unblock_user_namespace_for_linux_sandbox/action.yml b/actions/unblock_user_namespace_for_linux_sandbox/action.yml
index ef95bf369..20c8eb017 100644
--- a/actions/unblock_user_namespace_for_linux_sandbox/action.yml
+++ b/actions/unblock_user_namespace_for_linux_sandbox/action.yml
@@ -23,19 +23,5 @@ runs:
 steps:
 - name: Allow linux-sandbox to create user namespace
 run: |
- INSTALL_BASE=$(bazel info install_base)
- sudo bash -c "cat >>/etc/apparmor.d/score-linux-sandbox" <<-EOF
- abi ,
- include
-
- profile linux-sandbox ${INSTALL_BASE}/linux-sandbox flags=(unconfined) {
- userns,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists
- }
- EOF
- less /etc/apparmor.d/score-linux-sandbox
- sudo apparmor_parser -r /etc/apparmor.d/score-linux-sandbox
- ${INSTALL_BASE}/linux-sandbox "/bin/true"
+ bash actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh
 shell: bash
diff --git a/actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh b/actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh
new file mode 100755
index 000000000..fbd747cd0
--- /dev/null
+++ b/actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+INSTALL_BASE=$(bazel info install_base)
+sudo bash -c "cat >/etc/apparmor.d/score-linux-sandbox" <<-EOF
+abi ,
+include
+
+profile linux-sandbox ${INSTALL_BASE}/linux-sandbox flags=(unconfined) {
+ userns,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+EOF
+sudo apparmor_parser -r /etc/apparmor.d/score-linux-sandbox
+
+${INSTALL_BASE}/linux-sandbox "/bin/true"
+EXIT_CODE=$?
+if [ $EXIT_CODE -ne 0 ]; then
+ echo "Warning: '${INSTALL_BASE}/linux-sandbox \"/bin/true\"' failed."
+else
+ echo "Success: '${INSTALL_BASE}/linux-sandbox \"/bin/true\"' succeeded."
+fi
+exit $EXIT_CODE
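Review bot: The new step invokes the script by a workspace-relative path, `bash actions/unblock_user_namespace_for_linux_sandbox/action_callable.sh`, so it only works when the job's working directory is the checked-out repository root; a caller that sets `working-directory` or runs the action before checkout gets a "No such file" failure rather than the workaround. If this is a composite action (the `using:` line is outside the hunk), `"${GITHUB_ACTION_PATH}/action_callable.sh"` resolves relative to the action itself, and since the file is committed with mode 100755 the explicit `bash` prefix can be dropped so the shebang chooses the interpreter. The removed inline version appended to the profile with `cat >>` while the new script overwrites it with `cat >`, which is a quiet behaviour change worth one line in the commit message.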
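Review bot: `INSTALL_BASE=$(bazel info install_base)` on the second line is never checked, so when bazel is missing or fails INSTALL_BASE is empty and the heredoc still writes an AppArmor profile granting `flags=(unconfined)` and `userns` to the path `/linux-sandbox`, which is not the sandbox binary, and `apparmor_parser -r` loads it before the final `${INSTALL_BASE}/linux-sandbox "/bin/true"` merely prints a warning. The profile should only be written once `${INSTALL_BASE}/linux-sandbox` is known to exist, and the `apparmor_parser` status should be checked as well; the rewrite below also replaces `sudo bash -c "cat >…"` with `sudo tee … >/dev/null`, which avoids the nested shell, quotes `${INSTALL_BASE}` and `$EXIT_CODE`, and sends the warning to stderr. `<<-EOF` strips leading tabs only, so if the profile body is space-indented as it appears here the `-` is doing nothing and a plain `<<EOF` would be clearer. The `abi ,` and `include` lines look truncated in this view, presumably angle-bracketed includes lost in rendering, so I have left them as they are.
```bash
#!/bin/bash
set -u
INSTALL_BASE=$(bazel info install_base) || exit 1
SANDBOX="${INSTALL_BASE}/linux-sandbox"
[ -x "${SANDBOX}" ] || { echo "Error: ${SANDBOX} is not an executable; refusing to write an AppArmor profile for it." >&2; exit 1; }
sudo tee /etc/apparmor.d/score-linux-sandbox >/dev/null <<EOF
# … unchanged: abi / include lines …
profile linux-sandbox ${SANDBOX} flags=(unconfined) {
# … unchanged: userns and include-if-exists body …
}
EOF
sudo apparmor_parser -r /etc/apparmor.d/score-linux-sandbox || exit 1

"${SANDBOX}" "/bin/true"
EXIT_CODE=$?
if [ "${EXIT_CODE}" -ne 0 ]; then
  echo "Warning: '${SANDBOX} \"/bin/true\"' failed." >&2
else
  echo "Success: '${SANDBOX} \"/bin/true\"' succeeded."
fi
exit "${EXIT_CODE}"
```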