feat(box): check some needed kernel settings at runtime

Signed-off-by: ComixHe <[email protected]>

apps/ll-box/src/main.cpp

@@ -676,6 +676,50 @@ Overload(Ts...) -> Overload<Ts...>;
 
 int main(int argc, char **argv)
 {
+    // detecting some kernel features at runtime to reporting errors friendly
+    std::error_code ec;
+    std::filesystem::path feature{ "/proc/sys/kernel/unprivileged_userns_clone" };
+
+    auto check = [](const std::filesystem::path &setting, int expected) {
+        // We assume that the fact that a file does not exist or that an error occurs during the
+        // detection process does not mean that the feature is disabled.
+        // Some distros may not enable some kernel features in default.
+        std::error_code ec;
+        if (!std::filesystem::exists(setting, ec)) {
+            return true;
+        }
+
+        std::ifstream stream{ setting };
+        if (!stream.is_open()) {
+            return true;
+        }
+
+        std::string content;
+        std::getline(stream, content);
+
+        try {
+            return std::stoi(content) == expected;
+        } catch (std::exception &e) {
+            logWan() << "ignore exception" << e.what() << "and continue"; // NOLINT
+            return true;
+        }
+    };
+
+    if (!check("/proc/sys/kernel/unprivileged_userns_clone", 1)) {
+        logErr() << "unprivileged_userns_clone is not enabled";
+        return EPERM;
+    }
+
+    if (!check("/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined", 0)) {
+        logErr() << "apparmor_restrict_unprivileged_unconfined is not disabled";
+        return EPERM;
+    }
+
+    if (!check("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", 0)) {
+        logErr() << "apparmor_restrict_unprivileged_userns is not disabled";
+        return EPERM;
+    }
+
     if (argc == 1) {
         logErr() << "please specify a command";
         return -1;