Cursor AppArmor profile prevents root from killing stuck cursorsandbox process

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Cursor starts agent shell tool calls via:
/usr/share/cursor/resources/app/resources/helpers/cursorsandbox

A tool call got stuck. The process was owned by my user, but sudo kill failed:
sudo kill
kill: (): Permission denied

Process details:

  • AppArmor: cursor_sandbox (enforce)
  • NoNewPrivs: 1
  • Seccomp: 2
  • uid_map: 0 1000 1
    /proc//attr/current:
    cursor_sandbox (enforce)

The command inside the sandbox was just:
helm show values oci://registry-1.docker.io/bitnamicharts/kube-prometheus --version 11.3.10

Workaround:
Add to /etc/apparmor.d/cursor-sandbox profiles:
signal (receive) peer=unconfined,
Then reload:
sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox

After that sudo kill works.

Steps to Reproduce

  1. Use Cursor on Linux with AppArmor enabled.
  2. Trigger any long-running or stuck agent shell tool call, for example a command that hangs inside Cursor’s shell tool execution.
  3. Find the spawned Cursor sandbox helper process:
    ps aux | grep '[c]ursorsandbox'
  4. Confirm it is confined by AppArmor:
    cat /proc//attr/current
    Output:
    cursor_sandbox (enforce)
  5. Try to terminate it as root:
    sudo kill -TERM
  6. Observe that kill fails with:
    kill: (): Permission denied

Expected Behavior

The machine owner/root user should always be able to terminate a local Cursor sandbox helper process.

Operating System

Linux

Version Information

Version: 3.2.21
VSCode Version: 1.105.1
Commit: 806df57ed3b6f1ee0175140d38039a38574ec720
Date: 2026-05-03T01:46:14.413Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Linux x64 6.17.0-23-generic

Does this stop you from using Cursor

No - Cursor works, but with this issue

This is a known bug. The AppArmor profile shipped with Cursor doesn’t include signal rules, so on Ubuntu 24.04+ (which enables signal mediation by default), signals from outside the sandbox boundary get blocked. Your workaround is exactly right.

Our team is tracking this and working on updating the profile. In the meantime, there are a few other options if you hit a stuck process:

  1. Kill the parent bwrap process (it’s in the host namespace, so it’s killable): pkill -9 bwrap

  2. Close the terminal tab in Cursor that started the process.

  3. Restart Cursor — all sandboxed processes will be cleaned up on exit.

  4. Disable the sandbox temporarily: Cursor Settings > Agents > Sandbox (removes the isolation layer entirely).

There’s also more discussion on this in a related thread. We will update that thread with the latest information, closing this one to ensure it’s well tracked.
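
The checks discussed in this thread, collected into one script as an added example (not Cursor's code and not written by either poster): it reads a process's AppArmor label, NoNewPrivs and Seccomp state, then tests whether a profile file has a signal rule that permits receiving from a given peer. The function names and the fixture contents are assumptions; the fixture profiles are constructed stand-ins, not the profile Cursor ships.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# confinement_of PROC_DIR -> "label|mode|NoNewPrivs|Seccomp"
# PROC_DIR is /proc/<pid> on a live system.
confinement_of() {
  dir=$1; mode=none
  cur=$(cat "$dir/attr/current" 2>/dev/null) || cur=unknown
  label=${cur%% \(*}
  case $cur in
    *" ("*")") mode=${cur##*\(}; mode=${mode%\)} ;;
  esac
  nnp=$(awk '$1 == "NoNewPrivs:" {print $2}' "$dir/status" 2>/dev/null) || true
  sec=$(awk '$1 == "Seccomp:" {print $2}' "$dir/status" 2>/dev/null) || true
  printf '%s|%s|%s|%s\n' "$label" "$mode" "${nnp:-?}" "${sec:-?}"
}

# allows_signal_receive PROFILE_FILE PEER -> exit 0 if a signal rule lets the
# profile receive signals from PEER. Simplified: one rule per line, exact peer
# match (no globs), only the keyword "receive" is recognized, and deny rules
# and included files are not evaluated.
allows_signal_receive() {
  sed 's/#.*//' "$1" | awk -v peer="$2" '
    /^[ \t]*signal([ \t(,]|$)/ {
      rule = $0; p = ""
      if (match(rule, /peer=[^ \t,]+/)) p = substr(rule, RSTART + 5, RLENGTH - 5)
      gsub(/peer=[^ \t,]+/, "", rule)
      gsub(/set=\([^)]*\)/, "", rule); gsub(/set=[^ \t,]+/, "", rule)
      sub(/^[ \t]*signal/, "", rule); gsub(/[ \t,()]/, "", rule)
      # An empty access list grants every signal permission.
      if ((rule == "" || rule ~ /receive/) && (p == "" || p == peer)) found = 1
    }
    END { exit !found }'
}

# make_sample DIR: constructed fixture using the values quoted in the report.
make_sample() {
  mkdir -p "$1/proc/attr"
  echo 'cursor_sandbox (enforce)' > "$1/proc/attr/current"
  printf 'Name:\tcursorsandbox\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$1/proc/status"
  printf 'profile cursor_sandbox {\n  file,\n  # signal,\n}\n' > "$1/without_rule"
  printf 'profile cursor_sandbox {\n  signal (receive) peer=unconfined,\n}\n' > "$1/with_rule"
}

if [ "$#" -ge 1 ]; then  # usage: script PID [PROFILE_FILE]
  confinement_of "/proc/$1"
  allows_signal_receive "${2:-/etc/apparmor.d/cursor-sandbox}" unconfined \
    && echo "receive from unconfined: allowed" \
    || echo "receive from unconfined: no matching rule"
fi
```

Reading `/proc/<pid>/attr/current` for another user's process and reading files under `/etc/apparmor.d` may require root.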