Hey, thanks for the detailed report, and @a2f3, great add-on about dac_override and the profile for the main binary.
This is a known issue affecting users on Ubuntu 24.04+ with AppArmor 4.0 and kernel 6.2+. A few forum threads with the same problem:
- Terminal Sandbox Issue Linux (1,100+ views)
- Cursor-sandbox-remote AppArmor profile missing abi declaration
The team is aware. I shared your thread for prioritization since it has the most complete analysis and a concrete proposed profile. There is no ETA for a fix yet.
For now, your workaround with chattr +i is probably the best option for users who want to keep AppArmor enabled. For users who want a quick fix, disabling the user namespaces restriction also works:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
(but this is less secure)
I’ll post an update here if there’s any news.
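
An added example, not part of the original reply or the project's code: a shell check for whether the `sysctl` workaround above is in effect on a host, either at runtime only (`sysctl -w` does not survive a reboot) or persisted in a `sysctl.d` file. The function names and status strings are assumptions made for this example.

```shell
#!/bin/sh
# Audit whether the AppArmor unprivileged-userns restriction has been relaxed.
# Paths are parameters so the check can be run against constructed files.
KEY_RE='kernel\.apparmor_restrict_unprivileged_userns'

# Print the runtime value (1 = restriction on, 0 = off), or "absent".
userns_runtime() {
    proc_file="$1"
    if [ -r "$proc_file" ]; then
        tr -d '[:space:]' < "$proc_file"
    else
        echo "absent"
    fi
}

# List sysctl config files in the given directories that set the key to 0.
# Any such file is reported; precedence between files is not resolved.
userns_persistent_overrides() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # Anchored at line start, so commented-out lines do not match.
            if grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$f"; then
                echo "$f"
            fi
        done
    done
}

# Summarise as: restricted, relaxed-runtime, relaxed-persistent or absent.
userns_status() {
    proc_file="$1"; shift
    val=$(userns_runtime "$proc_file")
    if [ -n "$(userns_persistent_overrides "$@")" ]; then
        echo "relaxed-persistent"
    elif [ "$val" = "0" ]; then
        echo "relaxed-runtime"
    elif [ "$val" = "1" ]; then
        echo "restricted"
    else
        echo "absent"
    fi
}

# Live check against the standard locations.
userns_status /proc/sys/kernel/apparmor_restrict_unprivileged_userns \
    /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
```

A result of `relaxed-runtime` clears on reboot or with `sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1`; `relaxed-persistent` means a config file has to be edited or removed as well.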