bubblewrap-apparmor/README.md
Jason Thistlethwaite 9b9d44c384 Initial commit
2026-05-01 06:48:52 -04:00


AppArmor bwrap fix

Ubuntu 24.04 and later restrict unprivileged user namespaces through AppArmor (the kernel.apparmor_restrict_unprivileged_userns sysctl, enabled by default). An unconfined program can still create a user namespace, but it is moved into a restricted profile that denies capabilities, so setup steps that need capabilities inside the new namespace fail with EPERM. When that happens to Bubblewrap, tools that use bwrap for sandboxed execution fail before the intended command starts.

One common symptom, seen when bwrap is asked to unshare the network namespace (--unshare-net or --unshare-all) and tries to bring up the loopback interface inside it, is:

bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted

This project installs a small AppArmor profile for /usr/bin/bwrap that leaves bwrap otherwise unconfined (flags=(unconfined)) while explicitly granting it the userns permission it needs to create user namespaces.

Install

Review the profile first:

sed -n '1,120p' profiles/usr.bin.bwrap

Install and reload it with:

sudo ./install.sh

The installer copies profiles/usr.bin.bwrap to /etc/apparmor.d/usr.bin.bwrap and reloads it with apparmor_parser -r.

Verify

Run:

./verify.sh

The verifier prints the relevant namespace sysctls, checks that the bwrap profile is installed, and runs a minimal Bubblewrap smoke test.
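The following is an added example, not the project's install.sh or verify.sh, showing the install and verify steps above as one script. Everything in it is an assumption rather than a fact from this page: the profile text follows the Ubuntu pattern for a userns-granting unconfined profile (the real profiles/usr.bin.bwrap may differ), the loaded-profile check reads the kernel's profiles listing (one "name (mode)" line per profile), and the smoke test exercises the --unshare-net path that produces the RTM_NEWADDR error. The installer variable names (PROFILE_DEST, PROFILES_LIST) are this example's own.

```shell
#!/bin/sh
# Added example; not the project's own install.sh/verify.sh.
set -eu

PROFILE_DEST="${PROFILE_DEST:-/etc/apparmor.d/usr.bin.bwrap}"
PROFILES_LIST="${PROFILES_LIST:-/sys/kernel/security/apparmor/profiles}"

# Assumed profile contents (see lead-in). flags=(unconfined) keeps bwrap
# unconfined; the single "userns," rule is what allows it to create user
# namespaces while kernel.apparmor_restrict_unprivileged_userns=1.
bwrap_profile_text() {
    cat <<'EOF'
# /etc/apparmor.d/usr.bin.bwrap (assumed contents for this example)
abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,

  # Site-specific additions and overrides.
  include if exists <local/bwrap>
}
EOF
}

# Print the sysctls that decide whether unprivileged userns is restricted.
# A missing file is reported as "absent": older kernels lack the AppArmor knob.
print_userns_sysctls() {
    for k in kernel.apparmor_restrict_unprivileged_userns \
             kernel.unprivileged_userns_clone \
             user.max_user_namespaces; do
        f="/proc/sys/$(printf '%s' "$k" | tr . /)"
        if [ -r "$f" ]; then printf '%s = %s\n' "$k" "$(cat "$f")"
        else printf '%s = absent\n' "$k"; fi
    done
}

# Interpret the AppArmor knob: 1 means unprivileged userns creation is
# restricted to binaries whose profile grants userns; 0 or absent means not.
userns_restriction_state() {
    case "${1:-absent}" in
        1) echo restricted ;;
        0|absent) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# Is a profile for bwrap loaded? Takes the listing path as $1 so it can be
# pointed at a constructed file; matches a profile named bwrap or /usr/bin/bwrap.
bwrap_profile_loaded() {
    listing="${1:-$PROFILES_LIST}"
    [ -r "$listing" ] || return 1
    grep -Eq '^(bwrap|/usr/bin/bwrap) \((unconfined|enforce|complain)\)$' "$listing"
}

# Install: write the profile and load it with apparmor_parser -r, which
# replaces an already-loaded profile of the same name. Needs root.
install_profile() {
    [ "$(id -u)" -eq 0 ] || { echo "install_profile: run as root" >&2; return 1; }
    bwrap_profile_text > "$PROFILE_DEST"
    apparmor_parser -r "$PROFILE_DEST"
}

# Smoke test on exactly the failing path from the README: --unshare-net makes
# bwrap create a network namespace and configure loopback, the RTM_NEWADDR
# step that fails under the restriction. Returns 2 if bwrap is not installed.
bwrap_smoke_test() {
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 2; }
    bwrap --ro-bind / / --dev /dev --proc /proc --unshare-net /bin/true
}

main() {
    case "${1:-verify}" in
        install) install_profile ;;
        verify)
            print_userns_sysctls
            v=$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns 2>/dev/null || echo absent)
            echo "userns restriction: $(userns_restriction_state "$v")"
            if bwrap_profile_loaded; then echo "bwrap profile: loaded"
            else echo "bwrap profile: not loaded"; fi
            if bwrap_smoke_test; then echo "bwrap smoke test: ok"
            else echo "bwrap smoke test: FAILED"; fi ;;
        *) echo "usage: $0 [install|verify]" >&2; return 2 ;;
    esac
}

# Run only when executed directly, so the functions can also be sourced.
case "$0" in */sh|sh|*/bash|bash|*/dash|dash) ;; *) main "$@" ;; esac
```

Run `sh bwrap-userns.sh verify` as a normal user; `sudo sh bwrap-userns.sh install` writes and loads the assumed profile. A verify run that reports the restriction as "restricted", the profile as "not loaded" and the smoke test as FAILED is the unfixed state; after a successful install the smoke test should pass without any sysctl change.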

Security notes

This does not change system sysctl settings. It adds a targeted AppArmor profile for /usr/bin/bwrap with the userns permission needed by Bubblewrap on affected Ubuntu systems.

The profile is intentionally limited to bwrap. It is attached by path, so a bwrap binary installed anywhere other than /usr/bin/bwrap is not covered. Because the profile is unconfined apart from the userns grant, it re-opens, for bwrap alone, the kernel attack surface that the Ubuntu restriction exists to close; any local user can invoke /usr/bin/bwrap. bwrap is designed to drop capabilities before running the sandboxed command, which is why this trade-off is acceptable, but it is still a decision to make deliberately. Browser-specific profiles and per-user home directory paths are out of scope for this project.