# Permit unprivileged user namespace creation for SingularityCE starter.
# Uses AppArmor 4 ABI on Ubuntu >=23.10
abi <abi/4.0>,
include <tunables/global>

profile singularity-ce /usr/lib/@{multiarch}/singularity/bin/starter{,-suid} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/singularity-ce>
}
