diff --git a/src/syscall/exec_linux.go b/src/syscall/exec_linux.go
index e6d6343ed889cdce78452d02c495c2d938949c86..e4b9ce1bf47da34845348577a8e1aaba442c24a5 100644
--- a/src/syscall/exec_linux.go
+++ b/src/syscall/exec_linux.go
@@ -53,6 +53,10 @@ const (
 
 // SysProcIDMap holds Container ID to Host ID mappings used for User Namespaces in Linux.
 // See user_namespaces(7).
+//
+// Note that User Namespaces are not available on a number of popular Linux
+// versions (due to security issues), or are available but subject to AppArmor
+// restrictions like in Ubuntu 24.04.
 type SysProcIDMap struct {
 	ContainerID int // Container ID.
 	HostID      int // Host ID.
diff --git a/src/syscall/exec_linux_test.go b/src/syscall/exec_linux_test.go
index 68ec6fe3f8e7cb8d11be33cc7849f965d4b688f7..728f10b2416d4f1bf03f21c08b1e8e4c902ea572 100644
--- a/src/syscall/exec_linux_test.go
+++ b/src/syscall/exec_linux_test.go
@@ -642,6 +642,10 @@ func TestAmbientCaps(t *testing.T) {
 }
 
 func TestAmbientCapsUserns(t *testing.T) {
+	b, err := os.ReadFile("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
+	if err == nil && strings.TrimSpace(string(b)) == "1" {
+		t.Skip("AppArmor restriction for unprivileged user namespaces is enabled")
+	}
 	testAmbientCaps(t, true)
 }