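#!/usr/bin/env bash
#
# Diagnostic for running bubblewrap (bwrap) on a host where AppArmor may
# restrict unprivileged user namespaces.
#
# Reports, in order:
#   1. the two namespace-related sysctls,
#   2. whether the bwrap AppArmor profile file exists on disk,
#   3. whether a minimal read-only bwrap sandbox can run /bin/true.
#
# Exit status: 0 when the smoke test passes, otherwise bwrap's exit status.
set -euo pipefail

echo "== AppArmor namespace sysctls =="
# Query each key separately and tolerate failure. Neither key exists on every
# kernel, and under `set -e` one missing key would abort the script before the
# profile check and the smoke test had reported anything.
for key in \
  kernel.apparmor_restrict_unprivileged_userns \
  kernel.unprivileged_userns_clone; do
  if ! sysctl "${key}"; then
    echo "unavailable: ${key}"
  fi
done
echo

echo "== Profile files =="
readonly profile="/etc/apparmor.d/usr.bin.bwrap"
# NOTE: this only shows that the file is on disk. It does not show that the
# profile is loaded into the kernel or that it is the one confining
# /usr/bin/bwrap; confirming that needs a privileged check such as aa-status.
if [[ -f "${profile}" ]]; then
  echo "present: ${profile}"
else
  echo "missing: ${profile}"
fi
echo

echo "== bubblewrap smoke test =="
# Bind only the directories that exist. /lib64 is absent on some
# architectures, and a failed bind there would look like a sandbox or
# AppArmor failure when it is only a filesystem layout difference.
bwrap_args=()
for dir in /usr /bin /lib /lib64; do
  if [[ -d "${dir}" ]]; then
    bwrap_args+=(--ro-bind "${dir}" "${dir}")
  fi
done

# Capture the status instead of letting `set -e` end the script silently, so
# a failure is reported explicitly and still propagated to the caller.
rc=0
/usr/bin/bwrap "${bwrap_args[@]}" /bin/true || rc=$?
if ((rc != 0)); then
  echo "bwrap smoke test FAILED (exit ${rc})" >&2
  echo "hint: compare the sysctl values above and verify that the AppArmor" \
    "profile for /usr/bin/bwrap is actually loaded, not just present" >&2
  exit "${rc}"
fi
echo "bwrap smoke test passed"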