
bwrap fails on Ubuntu 24.04+ due to AppArmor userns restrictions #74

@charles-cooper

Description


Problem

On Ubuntu 24.04+, bwrap fails with:

```
bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
```

This occurs because Ubuntu now sets kernel.apparmor_restrict_unprivileged_userns=1 by default, which blocks network namespace operations (including loopback setup) for unprivileged processes.

Root Cause

The sandbox uses --unshare-net which creates a new network namespace and attempts to configure loopback. This requires capabilities that AppArmor now blocks by default.

Workaround

Users can create an AppArmor profile for bwrap:

```sh
sudo tee /etc/apparmor.d/bwrap << 'PROFILE'
abi <abi/4.0>,
include <tunables/global>

profile bwrap /usr/bin/bwrap flags=(unconfined) {
  userns,
  include if exists <local/bwrap>
}
PROFILE

sudo systemctl reload apparmor
```

Reference: https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/

Suggested Fix

Consider using --share-net instead of --unshare-net in the bwrap invocation. Network namespace isolation provides minimal additional security for a coding assistant, and the host typically already provides network-level isolation (firewall, container, etc.).

Alternatively, detect this failure mode and provide a helpful error message pointing users to the workaround.
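The following is an added example of the second suggestion, not code from this project: a small POSIX shell wrapper that checks the sysctl before invoking bwrap, falls back to `--share-net` only when the restriction is active and no profile grants bwrap `userns`, and prints a hint pointing at the workaround. The sysctl path, the profile path and the bwrap mount options are assumptions for illustration; the two paths can be overridden by arguments.

```sh
#!/bin/sh
# Added example, not the project's own code: detect the Ubuntu 24.04 AppArmor
# user-namespace restriction before invoking bwrap, fall back to --share-net as
# the issue suggests, and tell the user how to restore network isolation.
# Assumed paths (overridable via the first and second argument for testing).
SYSCTL_DEFAULT=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
PROFILE_DEFAULT=/etc/apparmor.d/bwrap

# Exit 0 when the restriction is on and no AppArmor profile grants bwrap "userns".
userns_restricted() {
  sysctl_file="${1:-$SYSCTL_DEFAULT}"
  profile_file="${2:-$PROFILE_DEFAULT}"
  # No such sysctl: kernel without the AppArmor restriction, nothing to do.
  [ -r "$sysctl_file" ] || return 1
  [ "$(cat "$sysctl_file")" = "1" ] || return 1
  # A profile declaring "userns," (like the workaround above) lifts the restriction.
  if [ -r "$profile_file" ] && grep -q '^[[:space:]]*userns,' "$profile_file"; then
    return 1
  fi
  return 0
}

# Print the bwrap network flag to use: keep network isolation where the kernel
# allows it, otherwise share the host namespace instead of failing at startup.
bwrap_net_flag() {
  if userns_restricted "$@"; then
    echo "--share-net"
  else
    echo "--unshare-net"
  fi
}

# Message shown when network isolation had to be dropped.
workaround_hint() {
  cat <<'EOF'
warning: kernel.apparmor_restrict_unprivileged_userns=1 blocks bwrap's loopback
setup, so the sandbox is running with --share-net (no network isolation).
To restore --unshare-net, install an AppArmor profile for /usr/bin/bwrap that
grants "userns" (see https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/)
and run: sudo systemctl reload apparmor
EOF
}

# Run a command under bwrap with the chosen network flag.
# The mount options are illustrative; a real sandbox uses its own set.
run_sandboxed() {
  net_flag=$(bwrap_net_flag)
  if [ "$net_flag" = "--share-net" ]; then
    workaround_hint >&2
  fi
  bwrap --ro-bind / / --dev /dev --proc /proc "$net_flag" -- "$@"
}

# Only launch a sandbox when invoked directly with BWRAP_EXAMPLE_MAIN=1,
# so the file can also be sourced for its functions.
if [ "${BWRAP_EXAMPLE_MAIN:-0}" = "1" ]; then
  run_sandboxed "$@"
fi
```

Usage: `BWRAP_EXAMPLE_MAIN=1 sh sandbox.sh -- /bin/true`. The check is deliberately conservative: it only drops `--unshare-net` when the sysctl is readable and set to 1 and no `userns,` grant is present, so hosts that are not affected keep the network namespace.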

Environment

  • Ubuntu 24.04+
  • bwrap 0.9.0
  • kernel.apparmor_restrict_unprivileged_userns=1 (default)

This issue was drafted by Claude Code at the direction of the submitter.
