So I found https://github.com/linuxmint/mint22-beta/issues/82 which contains an explanation of this issue. The AppArmor policy is indeed to blame.
What I don't understand is: wouldn't this break WebKit for *all* Ubuntu users?

Anyway, it seems clear you have three options. (a) Backtrack on this change and reenable unprivileged userns. (b) Build bubblewrap to use suid rather than userns. (But suid seems like a bigger security risk than userns! And probably nobody has tested suid bubblewrap in a while.) Or (c) determine which apps are using WebKit or Chromium and add AppArmor exceptions for every single one of them. (Doesn't seem very practical? Especially for applications not shipped by Ubuntu?)

Anyway, user namespaces are the foundation of Linux desktop sandboxing, and WebKit is right to crash if it cannot create a sandbox. Having no sandbox is definitely the worst security outcome.

** Bug watch added: github.com/linuxmint/mint22-beta/issues #82
   https://github.com/linuxmint/mint22-beta/issues/82

--
https://bugs.launchpad.net/bugs/2051574

Title:
  gnome-shell-portal-helper crashed with SIGTRAP in waitUntilSyncedOrDie() from WebKit::XDGDBusProxy::launch() ["bwrap: setting up uid map: Permission denied" ; "Failed to fully launch dbus-proxy: Child process exited with code 1"]
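A diagnostic for the situation described in the comment above, added here as an example and not part of the bug report or of any Ubuntu tooling: it reports which kernel setting, if any, is restricting unprivileged user namespaces. The sysctl names (`user.max_user_namespaces`, `kernel.unprivileged_userns_clone`, `kernel.apparmor_restrict_unprivileged_userns`) do not appear in the comment and are assumed to be the relevant knobs on the affected release; the function and result names are hypothetical.

```shell
#!/bin/sh
# Added example: report which kernel knob, if any, blocks unprivileged user
# namespaces. The sysctl root is a parameter so the logic can be run against
# constructed files; it defaults to /proc/sys.

# Print a knob's value, or "absent" when this kernel does not expose it.
read_knob() {
    if [ -r "$1" ]; then
        tr -d ' \n' < "$1"
    else
        printf 'absent'
    fi
}

# userns_policy [SYSCTL_ROOT] prints one of:
#   disabled-max-zero | disabled-clone-off | apparmor-restricted | allowed
userns_policy() {
    root="${1:-/proc/sys}"
    max=$(read_knob "$root/user/max_user_namespaces")
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$root/kernel/apparmor_restrict_unprivileged_userns")
    if [ "$max" = "0" ]; then
        echo "disabled-max-zero"        # namespaces off for everyone
    elif [ "$clone" = "0" ]; then
        echo "disabled-clone-off"       # Debian/Ubuntu-specific switch is off
    elif [ "$aa" = "1" ]; then
        echo "apparmor-restricted"      # AppArmor mediates userns creation
    else
        echo "allowed"
    fi
}

# advise POLICY maps the result onto the options discussed in the comment.
advise() {
    case "$1" in
        apparmor-restricted)
            echo "option (a): lift the restriction; option (c): per-app profile granting 'userns,'" ;;
        disabled-*)
            echo "userns disabled kernel-wide; bwrap cannot use userns until it is re-enabled" ;;
        *)
            echo "no kernel-level restriction found; look elsewhere for the bwrap failure" ;;
    esac
}

policy=$(userns_policy)
echo "$policy: $(advise "$policy")"
```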
