Public bug reported:
Bug summary:
AppArmor now enforces kernel.apparmor_restrict_unprivileged_userns=1 by default
on Ubuntu 24.10, breaking Electron, Chromium, and QtWebEngine applications that
rely on unprivileged user namespaces for sandboxing.
Impact:
Multiple unrelated third-party desktop applications fail to start after routine
system updates, including:
- Cursor editor (Electron)
- Antigravity editor (Electron)
- openfortinet-webview-qt (QtWebEngine)
This is a system-wide regression affecting common desktop software.
Ubuntu version:
Ubuntu 24.10 (Oracular)
Affected packages:
- apparmor
- linux-sysctl-defaults
  (kernel support involved but not the root cause)
Regression:
Yes. These applications worked correctly on the same system prior to recent
updates. No application updates were required to trigger the failure.
Symptoms:
Applications fail immediately at startup with fatal sandbox errors similar to:
FATAL:sandbox/linux/services/credentials.cc:134
Check failed: Permission denied (13)
What does NOT fix the issue:
- Correct setuid permissions on chrome-sandbox or cursor-sandbox
- kernel.unprivileged_userns_clone=1
- Running an older kernel version
- AppArmor complain mode
- Disabling or modifying individual AppArmor profiles
What DOES fix the issue:
Setting the following sysctl restores functionality immediately:
kernel.apparmor_restrict_unprivileged_userns=0
After applying this change, all affected applications launch and
function normally, including on newer kernels.
Expected behavior:
Unprivileged user namespaces should not be globally restricted by default in a
way that breaks Chromium, Electron, and QtWebEngine sandboxing without explicit
opt-in, scoped policy, or documented migration guidance.
Actual behavior:
Unprivileged user namespaces are silently restricted by AppArmor, causing
widespread application failures without warning or documentation.
Minimal reproduction steps:
1. Install Ubuntu 24.10
2. Install any Electron or QtWebEngine-based application (for example, Cursor)
3. Launch the application and observe an immediate sandbox-related crash
4. Run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
5. Relaunch the application; it now works correctly
Additional notes:
This behavior appears to be driven by AppArmor-enforced sysctl defaults rather
than a kernel regression alone. The restriction applies even when
kernel.unprivileged_userns_clone=1 is enabled, which is unexpected and
undocumented for desktop users.
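The scoped alternative to the global sysctl change above, as an added example that is not part of the bug report: an AppArmor profile that leaves a single binary unconfined but grants it the userns permission, so the system-wide restriction can stay at 1. The profile name cursor and the path /opt/cursor/cursor are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report: grant user-namespace creation to a
# single binary through a scoped AppArmor profile instead of turning off
# kernel.apparmor_restrict_unprivileged_userns for the whole system.
# Assumption: the profile name "cursor" and path /opt/cursor/cursor are
# placeholders; substitute the application actually being fixed.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Prints 1 when the global restriction is enforced, 0 when it is off, and
# "absent" on kernels that do not have the knob at all.
userns_restriction_state() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo absent
    fi
}

# Emits a profile that keeps the binary unconfined but explicitly permits it
# to create user namespaces; this "flags=(unconfined)" plus "userns," shape is
# the one Ubuntu ships for Chrome under /etc/apparmor.d/.
render_userns_profile() {  # $1 = profile name, $2 = absolute binary path
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Allow $1 to create unprivileged user namespaces for its sandbox.
profile $1 $2 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides.
  include if exists <local/$1>
}
EOF
}

# Writes the profile to $3 (default /etc/apparmor.d/$1). Loading it is a
# separate, root-only step so this function is safe to run anywhere.
install_userns_profile() {  # $1 = profile name, $2 = binary path, $3 = file
    out="${3:-/etc/apparmor.d/$1}"
    render_userns_profile "$1" "$2" > "$out"
}

# Loads (or reloads) the profile into the kernel; requires root.
load_userns_profile() {  # $1 = profile file
    apparmor_parser -r "$1"
}
```

Source the file, then as root run install_userns_profile cursor /opt/cursor/cursor followed by load_userns_profile /etc/apparmor.d/cursor. Once the profile is loaded the application launches with the sysctl left at its default of 1.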
ProblemType: Bug
DistroRelease: Ubuntu 25.10
Package: apparmor 5.0.0~alpha1-0ubuntu8.3
ProcVersionSignature: Ubuntu 6.17.0-8.8-generic 6.17.2
Uname: Linux 6.17.0-8-generic x86_64
ApportVersion: 2.33.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 19 08:36:10 2025
InstallationDate: Installed on 2022-06-01 (1297 days ago)
InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/zsh
TERM=xterm-ghostty
XDG_RUNTIME_DIR=<set>
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.17.0-8-generic
root=/dev/mapper/vgubuntu-root ro quiet splash usbcore.autosuspend=-1
workqueue.watchdog_thresh=30 pcie_aspm=off vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to questing on 2025-10-07 (73 days ago)
modified.conffile..etc.apparmor.d.unprivileged_userns: [deleted]
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug questing wayland-session
--
https://bugs.launchpad.net/bugs/2136883
Title:
apparmor_restrict_unprivileged_userns breaks some Electron, Chromium,
and QtWebEngine applications
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2136883/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs