dusk/bubblewrap-apparmor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 1 Branch 0 Tags
master
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Jason Thistlethwaite 9b9d44c384 Initial commit
2026-05-01 06:48:52 -04:00
profiles
Initial commit
2026-05-01 06:48:52 -04:00
install.sh
Initial commit
2026-05-01 06:48:52 -04:00
README.md
Initial commit
2026-05-01 06:48:52 -04:00
verify.sh
Initial commit
2026-05-01 06:48:52 -04:00

README.md

AppArmor bwrap fix

Ubuntu 24.04 and later can restrict unprivileged user namespaces through AppArmor. When that restriction applies to Bubblewrap, tools that use bwrap for sandboxed execution may fail before the intended command starts.

One common symptom is:

bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

This project installs a small AppArmor profile for /usr/bin/bwrap that keeps the profile otherwise unconfined while explicitly allowing user namespace creation.

Install

Review the profile first:

sed -n '1,120p' profiles/usr.bin.bwrap

Install and reload it with:

sudo ./install.sh

The installer copies profiles/usr.bin.bwrap to /etc/apparmor.d/usr.bin.bwrap and reloads it with apparmor_parser -r.

Verify

Run:

./verify.sh

The verifier prints the relevant namespace sysctls, checks that the bwrap profile is installed, and runs a minimal Bubblewrap smoke test.

Security notes

This does not change system sysctl settings. It adds a targeted AppArmor profile for /usr/bin/bwrap with the userns permission needed by Bubblewrap on affected Ubuntu systems.

The profile is intentionally limited to bwrap. Browser-specific profiles and per-user home directory paths are out of scope for this project.

Reference in New Issue View Git Blame Copy Permalink
S
Description
Apparmor profile for bubblewrap on Ubuntu so OpenAI Codex can run properly
Readme 25 KiB
Languages
Shell 100%