Please see the docs[1] about using sandboxing settings in user units. tl;dr - For these to work at all in user services, one usually at least needs PrivateUsers=true to set up a user namespace. But, this requires access to unprivileged user namespaces, which is restricted by AppArmor by default on Ubuntu[2]. Hence, this is not a systemd bug.

[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
[2] https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

** Changed in: systemd (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2127962

Title:
  AppArmor DENIED capable operation in unprivileged_userns
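
For triaging the denial named in the bug title, the following is an added example, not part of the original comment and not systemd or AppArmor code. It picks capability denials logged under the `unprivileged_userns` profile out of kernel audit lines. The sample lines are constructed and assume the usual AppArmor `key="value"` audit layout; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the bug report), assuming the
# usual AppArmor kernel audit layout of key=value / key="value" fields.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:210): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4311 comm="(example)" capability=21  capname="sys_admin"
audit: type=1400 audit(1700000000.102:211): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=4311 comm="(example)" capability=6  capname="setgid"
audit: type=1400 audit(1700000001.500:212): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/etc/example.conf" pid=900 comm="exampled" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1700000002.000:213): apparmor="STATUS" operation="profile_load" profile="unconfined" name="example-profile" pid=1 comm="apparmor_parser"
"""

# Matches key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split one audit line into a dict of its key/value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def userns_capability_denials(log_text):
    """Count (comm, capname) pairs denied under the unprivileged_userns profile."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "capable"
                and f.get("profile") == "unprivileged_userns"):
            hits[(f.get("comm", "?"), f.get("capname", "?"))] += 1
    return hits


def diagnose(log_text):
    """Summarise whether the log shows the user-namespace restriction at work."""
    hits = userns_capability_denials(log_text)
    if not hits:
        return "no unprivileged_userns capability denials found"
    caps = ", ".join(sorted({cap for _, cap in hits}))
    return ("capabilities denied inside an unprivileged user namespace "
            f"({caps}): AppArmor userns restriction, not a unit-level fault")


if __name__ == "__main__":
    for (comm, cap), n in sorted(userns_capability_denials(SAMPLE_LOG).items()):
        print(f"{n}x comm={comm} capname={cap}")
    print(diagnose(SAMPLE_LOG))
```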
