Comment 17 for bug 2051574

Michael Catanzaro (mike-catanzaro) wrote :

So I found https://github.com/linuxmint/mint22-beta/issues/82 which contains an explanation of this issue. The AppArmor policy is indeed to blame.

What I don't understand is: wouldn't this break WebKit for *all* Ubuntu users?

Anyway, it seems clear you have three options. (a) Backtrack on this change and reenable unprivileged userns. (b) Build bubblewrap to use suid rather than userns. (But suid seems like a bigger security risk than userns! And probably nobody has tested suid bubblewrap in a while.) Or (c) determine which apps are using WebKit or Chromium and add AppArmor exceptions for every single one of them. (Doesn't seem very practical? Especially for applications not shipped by Ubuntu?)

Anyway, user namespaces are the foundation of Linux desktop sandboxing, and WebKit is right to crash if it cannot create a sandbox. Having no sandbox is definitely the worst security outcome.
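The check below is an added example, not part of the comment above or of any project it mentions: it reports whether a host gates unprivileged user namespaces through sysctl or AppArmor, and whether a given bubblewrap binary is setuid. The sysctl paths are the Debian/Ubuntu kernel knobs and are not named in the comment; the function names and the optional root argument (used to run the logic against constructed files) are hypothetical.

```shell
#!/bin/sh
# Added example: classify how unprivileged user namespaces are gated.

# Print a sysctl file's value, or "absent" if this kernel lacks the knob.
read_knob() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else printf 'absent'; fi
}

# $1 = optional alternate root holding a constructed proc/sys tree.
userns_status() {
    root="${1:-}"
    max=$(read_knob "$root/proc/sys/user/max_user_namespaces")
    clone=$(read_knob "$root/proc/sys/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$root/proc/sys/kernel/apparmor_restrict_unprivileged_userns")
    if [ "$max" = "0" ] || [ "$clone" = "0" ]; then
        # No unprivileged process can create a user namespace at all.
        echo "disabled"
    elif [ "$aa" = "1" ]; then
        # Only processes whose AppArmor profile grants userns may create one.
        echo "apparmor-restricted"
    else
        echo "allowed"
    fi
}

# $1 = path to bubblewrap (default /usr/bin/bwrap, an assumed location).
bwrap_mode() {
    bwrap="${1:-/usr/bin/bwrap}"
    if [ ! -e "$bwrap" ]; then
        echo "missing"
    elif [ -u "$bwrap" ]; then
        echo "setuid"        # sandbox setup runs with root privileges
    else
        echo "non-setuid"    # sandbox setup needs unprivileged userns
    fi
}

echo "unprivileged userns: $(userns_status)"
echo "bubblewrap: $(bwrap_mode)"
```

A result of `apparmor-restricted` together with `non-setuid` is the combination under which a sandboxed application without its own AppArmor exception cannot create its sandbox.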