From ba75587132d379932362bf86a73811608f810f33 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 21 Jan 2026 04:49:25 +0900
Subject: [PATCH] internal/pkg: allow user namespace creation

No good reason to filter this in the execArtifact container, and the extended filter breaks certain programs.

Signed-off-by: Ophestra
---
 internal/pkg/exec.go | 2 +-
 internal/rosa/python.go | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/internal/pkg/exec.go b/internal/pkg/exec.go
index a4ade28..f891317 100644
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -290,7 +290,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 z := container.New(ctx, f.GetMessage())
 z.WaitDelay = execWaitDelay
- z.SeccompPresets |= std.PresetStrict
+ z.SeccompPresets |= std.PresetStrict & ^std.PresetDenyNS
 z.ParentPerm = 0700
 z.HostNet = hostNet
 z.Hostname = "cure"
diff --git a/internal/rosa/python.go b/internal/rosa/python.go
index 274fe81..3e82427 100644
--- a/internal/rosa/python.go
+++ b/internal/rosa/python.go
@@ -20,10 +20,9 @@ func (t Toolchain) NewPython() pkg.Artifact {
 "test_urllibnet",
 "test_urllib2net",
- // hits std.PresetExt ruleset
+ // makes assumptions about uid_map/gid_map
 "test_os",
- "test_posix",
- "test_shutil",
+ "test_subprocess",
 // somehow picks up mtime of source code
 "test_zipfile",
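Review bot: The new `z.SeccompPresets |= std.PresetStrict & ^std.PresetDenyNS` in cure only stops this line from setting the deny-namespace bit. Because it is an OR-assignment, a PresetDenyNS bit already present in the value `container.New` returns would survive, and that default is not visible in this hunk. If the cure container should never filter namespace creation, clear the bit explicitly with `z.SeccompPresets = (z.SeccompPresets | std.PresetStrict) &^ std.PresetDenyNS`. Relaxing the filter lets the executed build code create user namespaces, including when `hostNet` is true, so I would also record the reason at the call site, for example `// PresetDenyNS omitted: programs run during cure need to create user namespaces`. The body of cure continues outside the hunk.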
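Review bot: The replacement comment `// makes assumptions about uid_map/gid_map` in the NewPython skip list does not say what is assumed. It also does not explain why `test_subprocess` is now skipped as a whole module while `test_posix` and `test_shutil` are run again. Presumably these modules can now create a user namespace and then fail on the id mapping inside the cure container. If that is the cause, state it, for example `// create a user namespace and expect an id mapping the cure container does not provide`. Naming the failing test cases would also allow the skip to be narrowed later. The skip list and NewPython continue outside the hunk.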