Comment 112 for bug 2046844

Aaron Rainbolt (arraybolt3) wrote :

Unless your app and Bubblewrap can both work without any capabilities in an unprivileged user namespace, things will probably go south. You should probably be installing an AppArmor profile for your app that allows you to use unprivileged user namespaces normally again, as described in Comment 5 (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/comments/5). You can look at `/etc/apparmor.d/chrome` as an example profile, and make your profile similar. This will require that your build of Bubblewrap be installed into a static location on the filesystem - if you're depending on Bubblewrap working no matter where the binary is on the filesystem (for instance, if your app is portable and is shipped as a .tar.gz that people unpack into their home dir and then use), you'll need to turn off the user namespace restrictions entirely during the install process, as described in the Ubuntu 24.04 release notes (https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890):

* Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents:

  kernel.apparmor_restrict_unprivileged_userns=0

  Reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

Try to avoid using the "disable unprivileged user namespace restriction" solution if at all possible.
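For the AppArmor-profile route recommended above, here is an added example profile (not from the original comment, and not Ubuntu's own file) modelled on the shape of /etc/apparmor.d/chrome; the profile name myapp-bwrap and the binary path /opt/myapp/bwrap are placeholders for wherever your bundled Bubblewrap is actually installed.

```apparmor
# Added example, assumed filename: /etc/apparmor.d/myapp-bwrap
# Grants user-namespace creation to one fixed binary only, so
# kernel.apparmor_restrict_unprivileged_userns can stay at its default (1)
# for every other unconfined process on the system.
abi <abi/4.0>,
include <tunables/global>

# flags=(unconfined) leaves the binary's other behaviour unrestricted, as the
# chrome profile does; the profile mainly exists to attach a label to it.
# The path is a placeholder for your own install location.
profile myapp-bwrap /opt/myapp/bwrap flags=(unconfined) {
  # Permit creating unprivileged user namespaces from this labelled process.
  userns,

  # Site-specific additions and overrides, if an admin adds any.
  include if exists <local/myapp-bwrap>
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/myapp-bwrap` and confirm it appears in `sudo aa-status`; because the rule is tied to that path, a relocated or renamed binary will not be covered.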