diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ceadf80b..2e2ad223 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,7 @@ jobs:
 image: debian:bookworm
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -27,6 +28,7 @@ jobs:
 image: ubuntu:24.04
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -46,6 +48,7 @@ jobs:
 image: fedora:39
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -64,6 +67,7 @@ jobs:
 image: archlinux
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
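Review bot: The added `echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns` step carries no comment and no existence check, and the identical line is repeated in all ten hunks of this file. Because each job container runs with `--privileged` and `systempaths=unconfined`, the write most likely changes the runner host's kernel-wide AppArmor setting rather than a per-container value, so the restriction on unprivileged user namespaces is switched off for everything on that machine. That is tolerable on an ephemeral hosted runner, but it should be stated in a comment on the step, and the step should not be carried over to a long-lived self-hosted runner without restoring the value afterwards. The file is present only on kernels that ship this AppArmor knob, so on other hosts the redirect would fail the job; a guarded form is `- run: f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns; [ ! -e "$f" ] || echo 0 > "$f"`. Each job's `steps:` list continues outside the hunk, so whether later steps depend on this ordering is not visible here.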
@@ -82,6 +86,7 @@ jobs:
 image: debian:bookworm
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -102,6 +107,7 @@ jobs:
 image: debian:bookworm
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -121,6 +127,7 @@ jobs:
 image: ubuntu:24.04
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -140,6 +147,7 @@ jobs:
 image: fedora:39
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -158,6 +166,7 @@ jobs:
 image: archlinux
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup
@@ -176,6 +185,7 @@ jobs:
 image: debian:bookworm
 options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
 steps:
+ - run: echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
 - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
 - run: useradd tester
 - run: chown -R tester:tester /sys/fs/cgroup