Ubuntu AppArmor note: On Ubuntu 25.04, installing bubblewrap from Ubuntu’s package repository should work without extra AppArmor setup. The bwrap-userns-restrict profile ships in the apparmor package at /etc/apparmor.d/bwrap-userns-restrict.
On Ubuntu 24.04, Copy and load the extra profile:
sudo apt update
sudo apt install apparmor-profiles apparmor-utils
sudo install -m 0644
/usr/share/apparmor/extra-profiles/bwrap-userns-restrict
/etc/apparmor.d/bwrap-userns-restrict
sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict
apparmor_parser -r loads the profile into the kernel without a reboot. You can also reload all AppArmor profiles:
sudo systemctl reload apparmor.service
If that profile is unavailable or does not resolve the issue, you can disable the AppArmor unprivileged user namespace restriction with:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
Ubuntu AppArmor note: On Ubuntu 25.04, installing bubblewrap from Ubuntu’s package repository should work without extra AppArmor setup. The bwrap-userns-restrict profile ships in the apparmor package at /etc/apparmor.d/bwrap-userns-restrict.
On Ubuntu 24.04, Copy and load the extra profile:
sudo apt update
sudo apt install apparmor-profiles apparmor-utils
sudo install -m 0644
/usr/share/apparmor/extra-profiles/bwrap-userns-restrict
/etc/apparmor.d/bwrap-userns-restrict
sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict
apparmor_parser -r loads the profile into the kernel without a reboot. You can also reload all AppArmor profiles:
sudo systemctl reload apparmor.service
If that profile is unavailable or does not resolve the issue, you can disable the AppArmor unprivileged user namespace restriction with:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0