## AppArmor bwrap fix

Ubuntu 24.04 and later can restrict unprivileged user namespaces through AppArmor. When that restriction applies to Bubblewrap, tools that use `bwrap` for sandboxed execution may fail before the intended command starts. One common symptom is:

```text
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
```

This project installs a small AppArmor profile for `/usr/bin/bwrap` that keeps the profile otherwise unconfined while explicitly allowing user namespace creation.

## Install

Review the profile first:

```bash
sed -n '1,120p' profiles/usr.bin.bwrap
```

Install and reload it with:

```bash
sudo ./install.sh
```

The installer copies `profiles/usr.bin.bwrap` to `/etc/apparmor.d/usr.bin.bwrap` and reloads it with `apparmor_parser -r`.

## Verify

Run:

```bash
./verify.sh
```

The verifier prints the relevant namespace sysctls, checks that the bwrap profile is installed, and runs a minimal Bubblewrap smoke test.

## Security notes

This does not change system sysctl settings. It adds a targeted AppArmor profile for `/usr/bin/bwrap` with the `userns` permission needed by Bubblewrap on affected Ubuntu systems.

The profile is intentionally limited to bwrap. Browser-specific profiles and per-user home directory paths are out of scope for this project.
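For reference, this is the shape of an "unconfined except for `userns`" profile on Ubuntu 24.04, written here as an added illustration rather than a copy of the project's own `profiles/usr.bin.bwrap`; the profile name `bwrap` and the optional `local/bwrap` include are assumptions:

```apparmor
# Illustrative profile (not the project's file). Lives at
# /etc/apparmor.d/usr.bin.bwrap and is loaded with `apparmor_parser -r`.
abi <abi/4.0>,
include <tunables/global>

# flags=(unconfined): no file, network or capability mediation is applied,
# so bwrap behaves as it did before Ubuntu's userns restriction. The only
# effect of attaching this profile is that the rule below is consulted when
# kernel.apparmor_restrict_unprivileged_userns=1.
profile bwrap /usr/bin/bwrap flags=(unconfined) {
  # Grant unprivileged user namespace creation to this binary only.
  # Without this rule bwrap fails before running the sandboxed command.
  userns,

  # Site-local overrides, if an administrator adds any (assumed path).
  include if exists <local/bwrap>
}
```

After loading, `aa-status` should list the profile in unconfined mode, and `sysctl kernel.apparmor_restrict_unprivileged_userns` should still report `1`, confirming that the system-wide restriction was left in place and only bwrap was exempted.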