diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de62ba216..63874daa5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,12 +46,16 @@ jobs:
       - name: test (offline)
         if: matrix.conf.os == 'ubuntu-latest'
         run: |
+          # Look at me. I am the captain now.
+          sudo sysctl -w kernel.unprivileged_userns_clone=1
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
           # We use `unshare` to "un-share" the default networking namespace,
           # in effect running the tests as if the host is offline.
           # This in turn effectively exercises the correctness of our
           # "online-only" test markers, since any test that's online
           # but not marked as such will fail.
-          # We also explicitly exclude the intergration tests, since these are
+          # We also explicitly exclude the integration tests, since these are
           # always online.
           unshare --map-root-user --net make test T="test/unit" TEST_ARGS="--skip-online -vv --showlocals"