Hi again. While updating the shipped AppArmor profile as proposed here would likely fix Ubuntu 24.04 specifically, this may be a good opportunity to make the remote sandbox setup more environment-aware overall.
Instead of relying on a static profile, the remote installer could:

- Detect the AppArmor version and relevant kernel flags (e.g. `apparmor_restrict_unprivileged_userns`)
- Generate or adapt the profile dynamically based on the host environment
- Validate that the profile loads successfully
- Surface a clear diagnostic if sandbox initialization fails, rather than silently falling back to unsandboxed execution
Given that security defaults evolve across distro releases (and some environments use SELinux or stricter AppArmor policies), a static profile may continue to break over time. Making sandbox initialization adaptive and explicit in failure cases would likely improve long-term robustness and security guarantees.
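As an added example (not code from this thread or from the project), a POSIX sh sketch of the adaptive flow proposed above: it classifies the host from the `apparmor_restrict_unprivileged_userns` sysctl, renders a profile that grants `userns,` only where the kernel restricts unprivileged user namespaces, parse-checks it with `apparmor_parser -Q`, and aborts with a diagnostic instead of falling back. The profile name `sandbox-helper`, the function names and the `install` entry point are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code; "sandbox-helper" and all function
# names are assumptions. Classify host -> render profile -> validate -> fail loudly.

# userns_policy FILE: read /proc/sys/kernel/apparmor_restrict_unprivileged_userns
# (or a test file) and print restricted | unrestricted | unknown.
userns_policy() {
    [ -r "$1" ] || { echo unknown; return 0; }     # kernel without the knob
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo restricted ;;
        0) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# render_profile BINARY MODE: the AppArmor 4 abi header and the `userns,` grant
# are emitted only on a restricted host, since older parsers reject both.
render_profile() {
    [ "$2" = restricted ] && echo "abi <abi/4.0>,"
    echo "include <tunables/global>"
    echo "profile sandbox-helper $1 flags=(unconfined) {"
    [ "$2" = restricted ] && echo "  userns,"
    echo "}"
}

# validate_profile FILE: parse-check only (no kernel load). 0 = parses,
# 1 = rejected, 2 = no parser; an unavailable check is never reported as success.
validate_profile() {
    command -v apparmor_parser >/dev/null 2>&1 ||
        { echo "diag: apparmor_parser not found; cannot validate $1" >&2; return 2; }
    err=$(apparmor_parser -Q "$1" 2>&1) ||
        { echo "diag: apparmor_parser rejected $1: $err" >&2; return 1; }
}

# main BINARY: installer flow; abort instead of falling back to unsandboxed.
main() {
    mode=$(userns_policy /proc/sys/kernel/apparmor_restrict_unprivileged_userns)
    echo "host userns policy: $mode"
    prof=$(mktemp) || exit 1
    render_profile "$1" "$mode" > "$prof"
    validate_profile "$prof" || { echo "sandbox setup aborted" >&2; exit 1; }
    echo "profile validated, ready to install: $prof"
}
case "${1:-}" in install) shift; main "$@" ;; esac
```

Run as `sh setup.sh install /path/to/sandboxed-binary`; without the `install` argument the file only defines the functions.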