This is in v255. This log snippet is taken from a local autopkgtest build:
exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_enter_start): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Failed to set 'trusted.invocation_id' xattr on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Failed to remove 'trusted.delegate' xattr flag on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Failed to remove 'trusted.survive_final_kill_signal' xattr flag on control group /system.slice/test-execute-48e27182b3724b7.scope/99d288e6f11f869e/system.slice/exec-privatenetwork-yes-privatemounts-yes.service, ignoring: Operation not permitted
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "! ip link show dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5092
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
exec-privatenetwork-yes-privatemounts-yes.service: Changed dead -> start
Received SIGCHLD from PID 5092 (sh).
Child 5092 (sh) died (code=exited, status=0/SUCCESS)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5092 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=0/SUCCESS (success)
exec-privatenetwork-yes-privatemounts-yes.service: Running next main command for state start.
exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_run_next_main): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "test ! -e /proc/sys/net/ipv4/conf/dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5094
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
Received SIGCHLD from PID 5094 (sh).
Child 5094 (sh) died (code=exited, status=0/SUCCESS)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5094 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=0/SUCCESS (success)
exec-privatenetwork-yes-privatemounts-yes.service: Running next main command for state start.
exec-privatenetwork-yes-privatemounts-yes.service: Will spawn child (service_run_next_main): /bin/sh
exec-privatenetwork-yes-privatemounts-yes.service: Passing 0 fds to service
exec-privatenetwork-yes-privatemounts-yes.service: About to execute: /bin/sh -x -c "test ! -e /sys/class/net/dummy-test-exec"
Serializing sd-executor-state to memfd.
exec-privatenetwork-yes-privatemounts-yes.service: Forked /bin/sh as 5095
Closing set fd 21 (socket:[116840])
Closing set fd 19 (socket:[113527])
Closing set fd 20 (socket:[116839])
exec-privatenetwork-yes-privatemounts-yes.service: Control group is empty.
Received SIGCHLD from PID 5095 (sh).
Child 5095 (sh) died (code=exited, status=1/FAILURE)
exec-privatenetwork-yes-privatemounts-yes.service: Child 5095 belongs to exec-privatenetwork-yes-privatemounts-yes.service.
exec-privatenetwork-yes-privatemounts-yes.service: Main process exited, code=exited, status=1/FAILURE
exec-privatenetwork-yes-privatemounts-yes.service: Failed with result 'exit-code'.
exec-privatenetwork-yes-privatemounts-yes.service: Service will not restart (restart setting)
exec-privatenetwork-yes-privatemounts-yes.service: Changed start -> failed
exec-privatenetwork-yes-privatemounts-yes.service: Unit entered failed state.
exec-privatenetwork-yes-privatemounts-yes.service: Consumed 27ms CPU time.
src/test/test-execute.c:1109:test_exec_privatenetwork: exec-privatenetwork-yes-privatemounts-yes.service: can_unshare=yes: exit status 1, expected 0
(test-execute-root) terminated by signal ABRT.
Assertion 'r >= 0' failed at src/test/test-execute.c:1330, function prepare_ns(). Aborting.
The problem here is that the AppArmor policy prevents the private mount namespace from being set up, but systemd continues on after:
Jan 04 21:10:39 noble (sh)[565]: Applying namespace mount on /run/systemd/mount-rootfs/sys
Jan 04 21:10:39 noble (sh)[565]: Mounting sysfs (sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
Jan 04 21:10:39 noble (sh)[565]: Failed to mount sysfs (type sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC ""): Permission denied
Jan 04 21:10:39 noble sh[565]: + test ! -e /sys/class/net/dummy-test-exec
So the test fails, because a private sysfs was not mounted. NB the above snippet is taken from debug level logs when running this test manually in a LXD container.
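
Added example, not part of the original report or of systemd: a log check that flags the pattern described above, where a child logs a failed namespace mount and the command is executed anyway. It assumes the short journal format shown in the snippet and that the parenthesised identifier, "(sh)", marks lines logged by the forked child before it execs the command; the function name and the second PID in the sample are constructed.

```python
import re

# Constructed sample modelled on the journal lines in the report; PID 570 and
# its namespace-Ab12Cd directory are invented to show a clean run.
SAMPLE = """\
Jan 04 21:10:39 noble (sh)[565]: Applying namespace mount on /run/systemd/mount-rootfs/sys
Jan 04 21:10:39 noble (sh)[565]: Mounting sysfs (sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
Jan 04 21:10:39 noble (sh)[565]: Failed to mount sysfs (type sysfs) on /run/systemd/namespace-SO6qp6 (MS_NOSUID|MS_NODEV|MS_NOEXEC ""): Permission denied
Jan 04 21:10:39 noble sh[565]: + test ! -e /sys/class/net/dummy-test-exec
Jan 04 21:10:40 noble (sh)[570]: Mounting sysfs (sysfs) on /run/systemd/namespace-Ab12Cd (MS_NOSUID|MS_NODEV|MS_NOEXEC "")...
Jan 04 21:10:40 noble sh[570]: + true
"""

# "host ident[pid]: message"; the ident is parenthesised in the lines the
# forked child logs before it execs the command (assumption from the snippet).
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (\(?)([^\s\[\]()]+)\)?\[(\d+)\]: (.*)$")
MOUNT_FAIL = re.compile(r"^Failed to mount (\S+) \(type (\S+)\) on (\S+) .*: ([^:]+)$")


def degraded_sandboxes(journal_text):
    """Find children whose namespace mount failed but which still ran."""
    failed = {}    # pid -> list of (fstype, target, error) seen before exec
    findings = []
    for line in journal_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pre_exec, comm, pid, msg = m.groups()
        if pre_exec:
            f = MOUNT_FAIL.match(msg)
            if f:
                failed.setdefault(pid, []).append(f.group(2, 3, 4))
            continue
        # First post-exec line from a PID with recorded failures: the command
        # is running without the mount it was supposed to get.
        for fstype, target, error in failed.pop(pid, []):
            findings.append({"pid": pid, "comm": comm, "fstype": fstype,
                             "target": target, "error": error, "ran": msg})
    return findings


if __name__ == "__main__":
    for hit in degraded_sandboxes(SAMPLE):
        print("PID {pid} ({comm}): {fstype} mount on {target} failed "
              "({error}), command still ran: {ran}".format(**hit))
```

The check only sees mount failures when the manager logs at debug level, as in the snippet above.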