mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add README note about ubuntu apparmor woes with bubblewrap

Browse Source
This commit is contained in:
Kristóf Tóth
2026-04-08 09:27:40 +02:00
parent 25f0037aab
commit 327c2933e7
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -58,3 +58,13 @@ agent-sandbox --ro ~/.aws -- claude --dangerously-skip-permissions
agent-sandbox --setenv DATABASE_URL=postgres://localhost/dev -- claude agent-sandbox --setenv DATABASE_URL=postgres://localhost/dev -- claude
agent-sandbox --unsetenv HTTP_PROXY -- claude agent-sandbox --unsetenv HTTP_PROXY -- claude
``` ```
## Ubuntu 23.10+: AppArmor unprivileged userns restrictions
Ubuntu 23.10 and later ship with `kernel.apparmor_restrict_unprivileged_userns=1`, which blocks `bwrap` from creating user namespaces and causes failures like `bwrap: setting up uid map: Permission denied`. Ubuntu does not enable a profile for `bwrap` by default, but the `apparmor-profiles` package ships an opt-in `bwrap-userns-restrict` profile that grants the necessary access while still preventing `bwrap` from being used to bypass the userns restriction generally:
```bash
sudo apt install apparmor-profiles
sudo ln -s /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/
sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict
```