Comment 90 for bug 2046844

I believe bwrap was ignored intentionally, as the point of the apparmor change was to prevent arbitrary apps from making unprivileged user namespaces with capabilities. Allowing Bubblewrap to do so would provide a loophole. Same reason `unshare` isn't allowed to make unprivileged namespaces with capabilities.

Perhaps something about libgnome-desktop is incorrectly assuming it needs capabilities that it doesn't actually need? Or is the ability to make unprivileged user namespaces with no capabilities failing somehow?