Comment 1 for bug 2063976

John Johansen (jjohansen) wrote :

Commit 789cda2f089b3cd3c8c4ca387f023a36f7f1738a only controls the behavior of unprivileged user namespace mediation.

With the unprivileged_userns profile loaded, when a user namespace is created by an unprivileged unconfined application, the task will be transitioned into the unprivileged_userns profile. The unprivileged_userns profile will then deny privileged operations (capability, mount, etc.).

Without the unprivileged_userns profile loaded, the creation of the user namespace will be denied.

Through experimentation we have learned that many applications behave better (handle the errors better, e.g. qtwebkit will handle the error and fall back to using a sandbox without user namespaces, while without the profile it crashes) with the unprivileged_userns profile loaded. So that has become the default behavior.

You can experiment with changing the behavior by manually unloading the unprivileged_userns profile using

  sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns

nsjail will likely require a profile to work; please see https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
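The three outcomes described in the comment (namespace created and task transitioned into unprivileged_userns, namespace creation denied because the profile is unloaded, or unrestricted creation with the restriction off) can be told apart from userspace by creating a user namespace and reading the confinement label from inside it. The script below is an added example and is not part of the bug report or of the AppArmor project; it assumes util-linux `unshare`, the `kernel.apparmor_restrict_unprivileged_userns` sysctl shipped with the Ubuntu 24.04 kernel, and that the profile is reloaded with `apparmor_parser -r` (the inverse of the `-R` unload shown above). The helper names `classify_userns_probe`, `probe_userns` and `show_userns_state` are this example's own.

```shell
#!/bin/sh
# Probe how unprivileged user-namespace creation is mediated on this host.
# Added example; helper names below are this script's own, not AppArmor's.

# classify_userns_probe EXIT_STATUS LABEL
# EXIT_STATUS and LABEL come from running
#   unshare -U cat /proc/self/attr/apparmor/current
# as an unprivileged, unconfined user. Prints one of:
#   denied     - unshare failed: restriction on, unprivileged_userns profile unloaded
#   confined   - namespace created, task transitioned into unprivileged_userns
#   unconfined - namespace created, no transition: restriction is off
classify_userns_probe() {
    status="$1"
    label="$2"
    if [ "$status" -ne 0 ]; then
        echo denied
    elif printf '%s\n' "$label" | grep -q '^unprivileged_userns'; then
        echo confined
    else
        echo unconfined
    fi
}

# probe_userns: run the actual unshare probe and classify the result.
# Written to be safe under `set -e`: a failing unshare sets status, not exit.
probe_userns() {
    status=0
    label=$(unshare -U cat /proc/self/attr/apparmor/current 2>/dev/null) || status=$?
    classify_userns_probe "$status" "$label"
}

# show_userns_state: print the sysctl that enables the restriction and
# whether the unprivileged_userns profile is currently loaded
# (reading the profile list needs root; "unknown" is printed otherwise).
show_userns_state() {
    sysctl_val=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo n/a)
    echo "kernel.apparmor_restrict_unprivileged_userns = $sysctl_val"
    if grep -q '^unprivileged_userns ' /sys/kernel/security/apparmor/profiles 2>/dev/null; then
        echo "unprivileged_userns profile: loaded"
    elif [ -r /sys/kernel/security/apparmor/profiles ]; then
        echo "unprivileged_userns profile: not loaded"
    else
        echo "unprivileged_userns profile: unknown (run as root to read the profile list)"
    fi
}

main() {
    show_userns_state
    echo "probe result: $(probe_userns)"
    echo
    echo "To compare behaviours, toggle the profile and re-run the probe:"
    echo "  sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns   # unload -> expect 'denied'"
    echo "  sudo apparmor_parser -r /etc/apparmor.d/unprivileged_userns   # reload -> expect 'confined'"
}

# Only run the live probe when invoked as: sh userns-probe.sh probe
case "${1:-}" in
    probe) main ;;
esac
```

Run it as an ordinary, unconfined user (`sh userns-probe.sh probe`); running it under sudo defeats the point, since a privileged task is not subject to the unprivileged_userns transition. The `confined` result is what the comment describes as the default: the namespace is created, but the task inside it is labelled unprivileged_userns and privileged operations such as mount will be denied there.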