Comment 3 for bug 2046844

Aaron Rainbolt (arraybolt3) wrote : Re: Epiphany browser does not launch on Ubuntu 24.04: core dumped

This is affecting Falkon and qutebrowser as well. Just now me and a couple of the Lubuntu devs did a deep debugging session and found the issue.

About four days ago, an upload was made in AppArmor that no longer allows unprivileged programs to create user namespaces. See https://launchpad.net/ubuntu/+source/apparmor/4.0.0~alpha2-0ubuntu7 and https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046477. As it turns out, Epiphany, Falkon, and qutebrowser (and it sounds like Evolution and something related to PackageKit) all use these features. When something tries to create a user namespace and fails, apparently it can result in a SIGTRAP pretty quickly.

2023-12-19T14:43:35.821206-05:00 user-standardpc kernel: [ 2092.018163] audit: type=1400 audit(1703015015.816:119): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=4348 comm="falkon" requested="userns_create" denied="userns_create"
2023-12-19T14:43:35.821230-05:00 user-standardpc kernel: [ 2092.018657] traps: falkon[4348] trap int3 ip:7f196dbd7b13 sp:7ffea3141ea0 error:0 in libQt5WebEngineCore.so.5.15.15[7f196b9b4000+6931000]

First the failure to make the namespace, then the breakpoint trap.

This can be worked around trivially but very, very dangerously by disabling sandboxing (using QTWEBENGINE_DISABLE_SANDBOX=1 for Falkon and qutebrowser, or WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1 for Epiphany). This hint led us to the source of the issue.

According to the AppArmor bug report, "For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces". So... I guess that means we have many packages that need AppArmor profiles now.
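
As an added example (not part of the original comment), this Python script pairs each AppArmor `userns_create` denial with a trap that follows it in the same process, using the two kernel log lines quoted above. The function name, the one-second correlation window, and the third log line are assumptions made for the illustration.

```python
import re

# The two kernel log lines quoted in the comment, plus one constructed,
# unrelated line to show that non-matching entries are ignored.
SAMPLE_LOG = """\
2023-12-19T14:43:35.821206-05:00 user-standardpc kernel: [ 2092.018163] audit: type=1400 audit(1703015015.816:119): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=4348 comm="falkon" requested="userns_create" denied="userns_create"
2023-12-19T14:43:35.821230-05:00 user-standardpc kernel: [ 2092.018657] traps: falkon[4348] trap int3 ip:7f196dbd7b13 sp:7ffea3141ea0 error:0 in libQt5WebEngineCore.so.5.15.15[7f196b9b4000+6931000]
2023-12-19T14:43:36.000000-05:00 user-standardpc kernel: [ 2092.200000] usb 1-1: new high-speed USB device (constructed line)
"""

KTIME = r"kernel: \[\s*(?P<t>\d+\.\d+)\]"
DENIAL = re.compile(
    KTIME + r' audit: .*apparmor="DENIED" operation="userns_create".*'
    r'profile="(?P<profile>[^"]*)" pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"')
TRAP = re.compile(
    KTIME + r" traps: (?P<comm>[^\[]+)\[(?P<pid>\d+)\] trap (?P<trap>\S+) "
    r".* in (?P<lib>[^\[\s]+)\[")


def correlate(log_text, window=1.0):
    """Pair each userns_create denial with a later trap in the same pid.

    `window` is the maximum gap in seconds of kernel uptime (assumed value).
    """
    denials = {}   # pid -> (kernel time, AppArmor profile)
    findings = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            denials[int(m["pid"])] = (float(m["t"]), m["profile"])
            continue
        m = TRAP.search(line)
        if m and int(m["pid"]) in denials:
            t0, profile = denials[int(m["pid"])]
            delta = float(m["t"]) - t0
            if 0 <= delta <= window:
                findings.append({
                    "pid": int(m["pid"]), "comm": m["comm"],
                    "profile": profile, "trap": m["trap"],
                    "lib": m["lib"], "delta": delta,
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print("{comm}[{pid}] ({profile}): userns_create denied, then trap "
              "{trap} in {lib} after {delta:.6f}s".format(**f))
```

A `profile="unconfined"` result identifies a binary with no AppArmor profile of its own, which is the case the quoted AppArmor bug report says needs a profile.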