Cursor-sandbox-remote AppArmor profile missing abi declaration and network rule — breaks sandbox on Ubuntu 24.04+

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Summary

On Ubuntu 24.04 LTS with kernel.apparmor_restrict_unprivileged_userns=1 (the default), the cursor-sandbox-remote AppArmor profile shipped for Cursor’s remote SSH server fails to grant the necessary permissions for the cursorsandbox helper. This causes the sandbox preflight to fail and Cursor falls back to unsandboxed shell execution.

Environment

  • Cursor: 2.5.26 (stable)
  • Cursor Server commit: 7d96c2a03bb088ad367615e9da1a3fe20fbbc6a0
  • Ubuntu 24.04.4 LTS (Noble), kernel 6.8.0-101-generic
  • AppArmor parser 4.0.1
  • kernel.apparmor_restrict_unprivileged_userns = 1 (default on Ubuntu 24.04)
  • Cursor remote server via SSH

Errors

From ~/.cursor-server/data/logs/*/exthost*/remoteexthost.log:

User namespace creation denied:

Error: Failed to apply sandbox: IO error: Step 1-2/7 (user namespace) failed:
IO error: Failed to write /proc/self/uid_map (mapping UID 0 -> 155076):
Operation not permitted (os error 1) (errno 1)

Loopback network setup denied:

Error: Failed to apply sandbox: IO error: Step 2.5/7 (loopback setup) failed:
IO error: loopback: failed to bind NETLINK_ROUTE socket

Sandbox support is detected as false, so Cursor runs without sandboxing.

Root Cause

The installed profile at /etc/apparmor.d/cursor-sandbox-remote has three issues:

  1. Missing abi <abi/4.0>, — On AppArmor 4.0 (Ubuntu 24.04+), the userns rule requires the ABI 4.0 declaration to be properly recognized. Compare with Ubuntu’s own VS Code profile at /etc/apparmor.d/code which correctly includes it.
  2. Missing include <tunables/global> — Standard practice for AppArmor profiles; needed for proper variable resolution.
  3. Missing network and capability net_admin rules — The sandbox performs loopback network setup (NETLINK_ROUTE socket), which requires these permissions.

Current (broken) profile

profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} {
  file,
  /** ix,
  capability sys_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,
  userns,
  mount,
  remount,
  umount,
  /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} mr,
}

Proposed Fix

abi <abi/4.0>,
include <tunables/global>

profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} {
  file,
  /** ix,

  capability sys_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,
  capability net_admin,

  userns,
  network,

  mount,
  remount,
  umount,

  /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} mr,
}

After applying: sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox-remote

Suggestion

Cursor should ship the corrected profile and ideally auto-install/reload it during remote server setup (with appropriate privilege escalation), or at minimum surface a clear diagnostic message when the sandbox preflight fails due to AppArmor, pointing users to the fix.

Steps to Reproduce

  1. Set up an Ubuntu 24.04 server with default AppArmor configuration (kernel.apparmor_restrict_unprivileged_userns = 1).
  2. Connect to the server via Cursor’s Remote-SSH.
  3. Cursor installs ~/.cursor-server and deploys the cursor-sandbox-remote AppArmor profile to /etc/apparmor.d/.
  4. Open a terminal or trigger any agent/shell execution in Cursor.
  5. The sandbox preflight fails silently — Cursor falls back to unsandboxed execution.
  6. Errors are logged in ~/.cursor-server/data/logs/*/exthost*/remoteexthost.log.

Expected Behavior

The cursorsandbox helper should pass its preflight check and Cursor should run shell commands inside a sandboxed environment. The shipped AppArmor profile should work out of the box on Ubuntu 24.04+ with default kernel settings.

Actual Behavior

The sandbox preflight fails with permission errors. Cursor detects sandbox support as false and runs all shell commands unsandboxed, reducing security.

Operating System

MacOS

Version Information

Version: 2.5.26
VSCode Version: 1.105.1
Commit: 7d96c2a03bb088ad367615e9da1a3fe20fbbc6a0
Date: 2026-02-26T04:57:56.825Z
Build Type: Stable
Release Track: Default
Electron: 39.4.0
Chromium: 142.0.7444.265
Node.js: 22.22.0
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.3.0

Does this stop you from using Cursor

No - Cursor works, but with this issue
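
An added check for the profile gaps described under Root Cause (example script, not Cursor's own code; the helper names are hypothetical): it writes a constructed copy of the proposed fix, derives the shipped shape from it, reports which of the added rules are absent, and on a real host prints the kernel sysctl and compiles the profile without loading it.

```shell
# Added example (not Cursor's code): lint a profile for the rules the report
# says are missing, then dry-run the parser. Helper names are hypothetical.
# Constructed from the report's proposed fix, reduced to the rules relevant here.
write_fixed_profile() {
    cat > "$1" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} {
  capability sys_admin,
  capability net_admin,
  userns,
  network,
}
EOF
}

# The shipped (broken) shape: the same profile minus the four lines the fix adds.
write_broken_profile() {
    write_fixed_profile "$1"
    grep -v -e '^abi <' -e '^include <tunables' -e 'net_admin' -e '^  network,' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Prints "missing: ..." for each absent rule and ends with "gaps: N" (0 = fixed).
lint_profile() {
    n=0
    for spec in 'abi <abi/4.0>,|abi declaration (needed for userns on AppArmor 4.0)' \
                'include <tunables/global>|tunables include' \
                'capability net_admin,|capability net_admin (loopback setup)' \
                'network,|network rule (NETLINK_ROUTE socket)'; do
        if ! grep -Fq -- "${spec%%|*}" "$1"; then
            echo "missing: ${spec#*|}"; n=$((n + 1))
        fi
    done
    echo "gaps: $n"
}

# Real host only: show the report's sysctl, then compile without loading (-Q needs no root).
verify_host() {
    sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo "sysctl flag not readable"
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -Q "$1" && echo "profile compiles"
    else
        echo "apparmor_parser not installed; compile check skipped"
    fi
}
f=$(mktemp)
write_broken_profile "$f" && lint_profile "$f"   # gaps: 4
write_fixed_profile "$f" && lint_profile "$f"    # gaps: 0
verify_host "$f"; rm -f "$f"
```

Run it against /etc/apparmor.d/cursor-sandbox-remote with `lint_profile` to see which rules the installed copy lacks before reloading with apparmor_parser -r.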

@deanrie

Hi again, while updating the shipped AppArmor profile as proposed here would likely fix Ubuntu 24.04 specifically, this may be a good opportunity to make the remote sandbox setup more environment-aware overall.

Instead of relying on a static profile, the remote installer could:

  • Detect the AppArmor version and relevant kernel flags (e.g. apparmor_restrict_unprivileged_userns)
  • Generate or adapt the profile dynamically based on the host environment
  • Validate that the profile loads successfully
  • Surface a clear diagnostic if sandbox initialization fails, rather than silently falling back to unsandboxed execution

Given that security defaults evolve across distro releases (and some environments use SELinux or stricter AppArmor policies), a static profile may continue to break over time. Making sandbox initialization adaptive and explicit in failure cases would likely improve long-term robustness and security guarantees.

Hey there!

Thanks for sharing this. It looks like this was also shared here, and a ticket has been filed with the team.