AppArmor cursor-sandbox profile incomplete on Linux — sandbox does not work correctly (missing network, signal, userns)

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

On Linux systems with AppArmor enabled, the bundled /etc/apparmor.d/cursor-sandbox profile is incomplete. The current configuration is not enough for the sandbox to work correctly inside Cursor.

What’s wrong with the profile:

  1. Missing network rules — The profile does not allow network access. The sandbox needs it for language servers (LSP), extensions, and updates. Rules to add: network unix, and network inet stream, (for both cursor_sandbox and cursor_sandbox_remote).

  2. Missing signal rules — Processes inside the sandbox cannot send/receive signals to each other, which can break process coordination and clean shutdown. Rules to add: signal send peer=cursor_sandbox, and signal receive peer=cursor_sandbox,.

  3. userns commented out — The profile ships with userns commented and a note “Uncomment this on AppArmor 4.0”. On systems with AppArmor 4.0+, the sandbox needs user namespaces; leaving it commented causes failures. It should be uncommented so the profile works on AppArmor 4.0+.

  4. cursor_sandbox_remote binary name — The remote profile only matches the binary name cursorsandbox. In some setups the binary is named cursor-sandbox (with a hyphen). The profile should cover both, e.g. /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox}.

Result: sandbox errors, no network for language servers/extensions, and process coordination issues until the profile is manually updated.

Steps to Reproduce

  1. Install Cursor on a Linux system with AppArmor enabled (e.g. Ubuntu 24.04) using the .deb package.
  2. Ensure /etc/apparmor.d/cursor-sandbox is the one installed/updated by the Cursor .deb (default after install).
  3. Launch Cursor and use features that rely on the sandbox (e.g. agent/terminal, language servers, extensions that run in the sandbox).
  4. Observe: sandbox failures, missing network for LSP/extensions, or process coordination issues.

Expected Behavior

The sandbox should work correctly without manual edits: language servers and extensions should have network access, processes inside the sandbox should be able to coordinate via signals, and user namespaces should work on AppArmor 4.0+. The profile shipped with Cursor should include the rules above so no workaround is needed.

Operating System

Linux

Version Information

Version: 2.6.11
VSCode Version: 1.105.1
Commit: 8c95649f251a168cc4bb34c89531fae7db4bd990
Date: 2026-03-03T18:57:48.001Z
Build Type: Stable
Release Track: Default
Electron: 39.6.0
Chromium: 142.0.7444.265
Node.js: 22.22.0
V8: 14.2.231.22-electron.0
OS: Linux x64 6.17.0-14-generic

Additional Information

Example workaround (what I had to do on Ubuntu 24.04 until the profile is fixed):

  1. Back up the current profile (the one written by the Cursor .deb installer):

    sudo cp /etc/apparmor.d/cursor-sandbox /etc/apparmor.d/cursor-sandbox.bak
    
  2. Compare cursor-sandbox.bak with cursor-sandbox after any Cursor install/update to see what the installer changed. The installer’s version is missing the rules above; the .bak can hold your corrected version for comparison or restore.

  3. Apply the complete profile (e.g. save the suggested profile below as cursor-sandbox-merged and run):

    sudo cp /path/to/cursor-sandbox-merged /etc/apparmor.d/cursor-sandbox
    sudo cp /path/to/cursor-sandbox-merged /etc/apparmor.d/cursor-sandbox.bak
    sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox
    
  4. Make the file immutable so the Cursor .deb installer does not overwrite the fix on the next run:

    sudo chattr +i /etc/apparmor.d/cursor-sandbox
    

    To remove immutability later: sudo chattr -i /etc/apparmor.d/cursor-sandbox

Suggested full profile (to ship in future Cursor versions):

# abi 4.0 is needed for the userns rule to be parsed and enforced on AppArmor 4.0+
abi <abi/4.0>,
include <tunables/global>

profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  /** ix,

  capability sys_admin,
  capability net_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,

  userns,

  mount,
  remount,
  umount,

  # Allow binary execution and mapping
  /usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,
  network unix,
  network inet stream,
  signal send peer=cursor_sandbox,
  signal receive peer=cursor_sandbox,
}

profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} {
  file,
  /** ix,

  capability sys_admin,
  capability net_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,

  userns,

  mount,
  remount,
  umount,

  # Allow binary execution and mapping
  /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} mr,
  network unix,
  network inet stream,
  # Children inherit this profile via "/** ix", so the signal peer here is
  # cursor_sandbox_remote (peer=cursor_sandbox would only cover the desktop sandbox)
  signal send peer=cursor_sandbox_remote,
  signal receive peer=cursor_sandbox_remote,
}

Request: Include the above rules (network, signal, userns, and dual binary name for remote) in the official cursor-sandbox AppArmor profile shipped with Cursor, so the sandbox works correctly on Linux with AppArmor enabled. Thanks for considering this for future releases.

Does this stop you from using Cursor

No - Cursor works, but with this issue

2 Likes
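An added check for the profile gaps listed in the report (written for this thread; it is not Cursor's code and not part of the original post): a POSIX shell script that extracts one named profile from a cursor-sandbox profile file, follows `include if exists <local/...>` lines relative to the apparmor.d directory, and prints whichever of the rules named above are still missing, in the syntax needed to add them. The "shipped" and "fixed" sample profiles it writes into a temporary directory are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not Cursor's code: audit a cursor-sandbox
# AppArmor profile file for the rules the thread says the shipped profile
# lacks, and print the missing ones as they would go into /etc/apparmor.d/local/.
# The sample profiles written by write_samples are constructed for the demo.

# Required rules as "<regex>;<rule>", matched against the profile body with
# comments stripped (so a commented-out "userns," counts as missing). A blanket
# "network," or "capability," satisfies the narrower rule. PROFILE is replaced
# by the profile name, so a signal rule naming some other peer (for example
# peer=cursor_sandbox inside cursor_sandbox_remote) is reported as missing.
REQUIRED_RULES='^network( unix)?,;network unix,
^network( inet stream)?,;network inet stream,
^signal send peer=PROFILE,;signal send peer=PROFILE,
^signal receive peer=PROFILE,;signal receive peer=PROFILE,
^userns,;userns,
^capability( dac_override)?,;capability dac_override,'

# Print the body of one named profile, expanding "include if exists <local/...>"
# relative to $3 (the apparmor.d directory). Assumes the single-level layout used
# in this thread, with the closing "}" in column 0.
profile_body() {  # $1 = profile file, $2 = profile name, $3 = include base dir
  awk -v name="$2" '
    $0 ~ ("^profile " name " ") && /[{][[:space:]]*$/ { inside = 1; next }
    inside && /^}/ { exit }
    inside { print }
  ' "$1" | while IFS= read -r line; do
    case $line in
      *'include if exists <'*'>'*)
        inc=${line#*<}; inc=${inc%%>*}
        if [ -f "$3/$inc" ]; then cat "$3/$inc"; fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print each required rule the profile lacks, one per line (empty output = complete).
missing_rules() {  # $1 = profile file, $2 = profile name, $3 = include base dir
  body=$(profile_body "$1" "$2" "$3")
  printf '%s\n' "$REQUIRED_RULES" | sed "s/PROFILE/$2/g" |
  while IFS=';' read -r pattern rule; do
    printf '%s\n' "$body" | grep -Eq -- "$pattern" || printf '%s\n' "$rule"
  done
}

# Constructed samples: the deficient shipped profile as the thread describes it,
# and a corrected layout that keeps the extra rules in a local/ include.
write_samples() {  # $1 = directory to populate as a fake apparmor.d
  mkdir -p "$1/local"
  cat > "$1/shipped" <<'EOF'
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  /** ix,
  capability sys_admin,
  capability setuid,
  # Uncomment this on AppArmor 4.0
  # userns,
  mount,
  /usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,
}
EOF
  cat > "$1/fixed" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  /** ix,
  capability sys_admin,
  signal send peer=cursor_sandbox,
  signal receive peer=cursor_sandbox,
  include if exists <local/cursor-sandbox>
}
EOF
  cat > "$1/local/cursor-sandbox" <<'EOF'
capability dac_override,
userns,
network,
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "missing from shipped profile:"; missing_rules "$dir/shipped" cursor_sandbox "$dir"
echo "missing from fixed profile:";   missing_rules "$dir/fixed" cursor_sandbox "$dir"
rm -rf "$dir"
```

Against a real install run `missing_rules /etc/apparmor.d/cursor-sandbox cursor_sandbox /etc/apparmor.d` (and again with `cursor_sandbox_remote`) before and after an upgrade; because the signal patterns are tied to the profile name, a remote profile whose signal rules name peer=cursor_sandbox is flagged rather than silently accepted.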

Two additional blockers on Ubuntu 24.04 (kernel 6.14, AppArmor 4.0) that aren’t covered above. Even with network, signal, and userns fixed as described, the sandbox still won’t start without addressing these.

1. Missing dac_override capability

The suggested profile lists sys_admin, net_admin, chown, setuid, setgid, setpcap — but newuidmap and newgidmap also need dac_override to write to /proc/[pid]/uid_map and /proc/[pid]/gid_map. Without it, UID/GID mapping fails and the namespace can’t be set up. This shows up in dmesg as:

apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox"
  comm="newuidmap" capability=1 capname="dac_override"

Adding capability dac_override, to the profile fixes it. Or use blanket capability, — the profile already grants file, and /** ix, so selective capability restrictions don’t meaningfully reduce the attack surface.

2. No AppArmor profile for the main Cursor binary (unprivileged_userns)

This is a separate failure mode from the cursor_sandbox profile issues. Ubuntu 24.04 ships a system-wide unprivileged_userns AppArmor profile (/etc/apparmor.d/unprivileged_userns) that restricts user namespace creation. When an unconfined process creates a user namespace, it transitions to this profile, which denies sys_admin.

The cursor_sandbox profile only covers the helper binary at /usr/share/cursor/resources/app/resources/helpers/cursorsandbox. The main Electron binary at /usr/share/cursor/cursor has no profile — it runs unconfined and gets caught by unprivileged_userns:

apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns"
  comm="cursor" capability=21 capname="sys_admin"

Neither the cursor .deb nor the cursor-sandbox-apparmor companion package installs a profile for this binary. The fix is to create /etc/apparmor.d/cursor:

abi <abi/4.0>,

profile cursor /usr/share/cursor/cursor flags=(unconfined) {
  userns,
}

This is the same pattern Docker Desktop uses on Ubuntu. It prevents the transition to unprivileged_userns without changing what Cursor can otherwise do — it was already running unconfined.

Upgrade overwrite

As a note for anyone who gets this working: /etc/apparmor.d/cursor-sandbox is owned by the cursor package, so every .deb upgrade overwrites your patched profile. The upgrade doesn’t reload the profile afterward either, so the old (now incorrect) profile stays in kernel memory. Cursor then silently falls back to unsandboxed execution with no warning — as @fscm44xyz noted, a clear diagnostic on failure would be much better than silent fallback.

chattr +i on the file (as suggested above) prevents the overwrite. Otherwise, re-patch and reload after each upgrade:

sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox
sudo apparmor_parser -r /etc/apparmor.d/cursor
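An added helper for reading the denials described in this reply (example code written for the thread, not Cursor's tooling and not @a2f3's): a shell/awk filter that turns AppArmor `DENIED` audit lines into the rule each one is asking for, and separates the unprivileged_userns case (a gap in the parent's confinement, not in cursor_sandbox). The first two sample lines are the ones quoted above; the remaining lines are constructed for the demo, modelled on the kernel's audit format for the net, namespace and signal classes, so the field names used for those are an assumption.

```shell
#!/bin/sh
# Added example for this thread (not Cursor's tooling): turn AppArmor "DENIED"
# audit lines into the rule each denial is asking for. Real use:
#   sudo dmesg | grep 'apparmor="DENIED"' | suggest_rules
# The first two sample lines are quoted from the thread; the others are
# constructed here, modelled on the kernel audit format for net/namespace/signal.
SAMPLE_DENIALS='apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox" comm="newuidmap" capability=1 capname="dac_override"
apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" comm="cursor" capability=21 capname="sys_admin"
apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4242 comm="node" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4243 comm="node" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
apparmor="DENIED" operation="userns_create" class="namespace" profile="cursor_sandbox" pid=4244 comm="cursorsandbox" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="signal" class="signal" profile="cursor_sandbox" pid=4245 comm="cursorsandbox" requested_mask="send" denied_mask="send" signal=term peer="cursor_sandbox"
apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox" comm="newgidmap" capability=1 capname="dac_override"
audit: type=1400 audit(1.2:3): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="cursor_sandbox"'

# Read audit lines on stdin; print "profile<TAB>rule", deduplicated.
suggest_rules() {
  awk '
    # Value of key="..." in the current line (a leading space is prepended so
    # the key only matches as a whole field name).
    function val(key,   line, s) {
      line = " " $0
      if (!match(line, " " key "=\"[^\"]*\"")) return ""
      s = substr(line, RSTART, RLENGTH); sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    !/apparmor="DENIED"/ { next }
    {
      profile = val("profile"); class = val("class"); op = val("operation")
      if (profile == "unprivileged_userns") {
        # Not a cursor_sandbox gap: an unconfined parent hit the system-wide
        # unprivileged_userns profile and needs its own flags=(unconfined) profile.
        print profile "\tcomm=" val("comm") " was unconfined; give it a profile with flags=(unconfined) and userns,"
      } else if (class == "cap") {
        print profile "\tcapability " val("capname") ","
      } else if (class == "net") {
        print profile "\tnetwork " val("family") " " val("sock_type") ","
      } else if (class == "namespace" && op == "userns_create") {
        print profile "\tuserns,"
      } else if (class == "signal") {
        print profile "\tsignal " val("requested_mask") " peer=" val("peer") ","
      } else {
        print profile "\t# unhandled denial: operation=" op " class=" class
      }
    }' | sort -u
}

printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules
```

Repeated denials (the two dac_override lines from newuidmap and newgidmap) collapse to a single rule, and non-DENIED lines such as the profile_replace status are ignored, so the output is a short list you can compare against the profile currently loaded.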

Hey, thanks for the detailed report, and @a2f3, great add-on about dac_override and the profile for the main binary.

This is a known issue affecting users on Ubuntu 24.04+ with AppArmor 4.0 and kernel 6.2+. A few forum threads with the same problem:

The team is aware. I shared your thread for prioritization since it has the most complete analysis and a concrete proposed profile. There is no ETA for a fix yet.

For now, your workaround with chattr +i is probably the best option for users who want to keep AppArmor enabled. For users who want a quick fix, disabling the user namespaces restriction also works:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

(but this is less secure)

I’ll post an update here if there’s any news.

2 Likes

Hi everyone, I wanted to share a workaround that solved the AppArmor issues with cursor_sandbox and cursor_sandbox_remote for me on Ubuntu 24.04.4 LTS (Kernel 6.17.0-14-generic), especially the DENIED errors related to network, userns, and capability dac_override.

In addition to the fixes mentioned in other threads, I was running into the problem that Cursor would overwrite the profile every time I reinstalled or updated it. What worked reliably for me was keeping only the minimal fix in the main profile, moving the additional permissions into /etc/apparmor.d/local/, and using dpkg-divert so the profile isn’t replaced during updates.

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1

sudo cp -a /etc/apparmor.d/cursor-sandbox /etc/apparmor.d/cursor-sandbox.predivert.$(date +%F_%H%M%S)

sudo dpkg-divert --local --rename --add \
  --divert /etc/apparmor.d/cursor-sandbox.distrib \
  /etc/apparmor.d/cursor-sandbox

sudo mkdir -p /etc/apparmor.d/local

sudo tee /etc/apparmor.d/cursor-sandbox >/dev/null <<'EOF'
abi <abi/4.0>,
include <tunables/global>

profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  /** ix,

  capability sys_admin,
  capability net_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,

  mount,
  remount,
  umount,

  /usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,

  include if exists <local/cursor-sandbox>
}

profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/cursorsandbox {
  file,
  /** ix,

  capability sys_admin,
  capability net_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,

  mount,
  remount,
  umount,

  /home/*/.cursor-server/bin/*/*/resources/helpers/cursorsandbox mr,

  include if exists <local/cursor-sandbox-remote>
}
EOF

sudo tee /etc/apparmor.d/local/cursor-sandbox >/dev/null <<'EOF'
capability dac_override,
userns,
network,
EOF

sudo tee /etc/apparmor.d/local/cursor-sandbox-remote >/dev/null <<'EOF'
capability dac_override,
userns,
network,
EOF

sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox
sudo systemctl reload apparmor 2>/dev/null || true