After updating from cursor_2.3.34_amd64 to the newer versions on Linux, cursor no longer runs in sandbox mode. Is this intentional or a problem?
Hey, can you clarify what you mean by sandbox mode? It could be one of these:
- Electron or Chromium sandbox. The app is running with the --no-sandbox flag, and you might see a warning about it on startup.
- Terminal sandbox. The Run in sandbox option in Cursor Settings > Agents > Auto-run Mode for agent commands.
If it’s the terminal sandbox, it’s a known issue on Linux and is usually related to AppArmor. More details and workarounds are here: Terminal Sandbox Issue Linux
A few details would help narrow it down:
- Which Linux distro and kernel version are you on?
- What Cursor version did you update to?
- Do you see any error messages on startup or in the terminal?
Let me know and we’ll go from there.
I guess it’s the terminal sandbox,
more details:
running kubuntu 24.04
cursor: cursor_2.3.34_amd64 (went back to this version, no issues here)
updated to: cursor_2.5.26_amd64 and got warnings that sandbox is not supported / running anymore.
so at the moment just working with the 2.3.34 version, which works but is not up to date.
hope that helps, thanks for your help on this matter
This is a known issue on Ubuntu 24.04+ and related distros like Kubuntu, Zorin OS, and Linux Mint. AppArmor blocks unprivileged user namespaces by default on kernel 6.2+, and Cursor’s terminal sandbox needs them.
Step 1 - Check what AppArmor is blocking:
grep -R "Failed to apply sandbox" ~/.config/Cursor/logs | tail -n 20
sudo journalctl -k -b --since "5 minutes ago" --no-pager | grep -iE 'apparmor="DENIED"|cursor_sandbox'
Step 2 - Install the latest version of the AppArmor profile package:
curl -fsSL https://downloads.cursor.com/lab/enterprise/cursor-sandbox-apparmor_0.6.0_all.deb -o cursor-sandbox-apparmor.deb
sudo dpkg -i cursor-sandbox-apparmor.deb
Step 3 - If the sandbox still fails, the shipped profile is probably missing rules. Add them like this:
sudo install -d -m 0755 /etc/apparmor.d/local
sudo tee /etc/apparmor.d/local/cursor-sandbox > /dev/null <<'EOF'
userns,
network netlink raw,
network netlink dgram,
network unix stream,
network unix dgram,
capability dac_override,
EOF
sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox
Step 4 - Remove any conflicting old profile:
sudo aa-status | grep cursor
If you see cursor_sandbox (the old one), remove it:
sudo apparmor_parser -R /etc/apparmor.d/cursor_sandbox
sudo rm /etc/apparmor.d/cursor_sandbox
sudo systemctl restart apparmor
Step 5 - Restart Cursor.
Quick workaround if you need it working right now, less secure:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
The team knows about this and is working on a proper fix. More details: Terminal Sandbox Issue Linux
Let me know what you see in the step 1 logs. That’ll help narrow it down if this doesn’t fully fix it.
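An added example, not part of the original reply or of Cursor's tooling: a shell filter that turns the AppArmor denials collected in Step 1 into candidate rules of the kind added in Step 3. The function names and log lines are constructed for illustration, and the audit field names (operation, capname, family, sock_type) are assumed to follow the usual AppArmor kernel message layout.

```bash
#!/usr/bin/env bash
# Map AppArmor DENIED kernel messages to the profile rule that would permit
# each one. Reads log lines on stdin and prints unique candidate rules.
# Only lines matching the filter (default "cursor") are considered, so
# denials from unrelated programs never end up in this profile.
denials_to_rules() {
    grep 'apparmor="DENIED"' | grep -i -- "${1:-cursor}" | awk '
    function field(k,   m) {            # value of key="value" on this line
        if (match($0, k "=\"[^\"]*\"")) {
            m = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
            return m
        }
        return ""
    }
    {
        op = field("operation")
        if (op == "userns_create")    print "userns,"
        else if (op == "capable")     print "capability " field("capname") ","
        else if (field("family") != "")
            print "network " field("family") " " field("sock_type") ","
        else                          print "# unhandled: operation=" op
    }' | sort -u
}

# Constructed kernel log lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
kernel: audit: type=1400 audit(1700000000.100:101): apparmor="DENIED" operation="userns_create" class="namespace" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" requested="userns_create" denied="userns_create"
kernel: audit: type=1400 audit(1700000000.200:102): apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(1700000000.300:103): apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" capability=1 capname="dac_override"
kernel: audit: type=1400 audit(1700000000.400:104): apparmor="DENIED" operation="open" class="file" profile="snap.other" name="/etc/x" pid=99 comm="other" requested_mask="r" denied_mask="r"
kernel: audit: type=1400 audit(1700000000.500:105): apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4300 comm="cursorsandbox" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
EOF
}

# Stand-alone use: ./denials.sh demo, or pipe journalctl -k output into the function.
if [ "${1:-}" = "demo" ]; then sample_log | denials_to_rules; fi
```

Read each printed rule before adding it to /etc/apparmor.d/local/cursor-sandbox; the output lists what was denied, not what the sandbox should be allowed to do.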
Thanks Dean, I will check that out next week and be back. Until then I'll just keep working with cursor_2.3.34_amd64. Thanks, hope the proper fix will work soon.
The guide above got me close (thanks, Dean!) but I had to do a few things differently. I had claude do a writeup/additional guide of what finally got it working:
Step 1 — Confirm this is your issue:
/usr/share/cursor/resources/app/resources/helpers/cursorsandbox --sandbox-policy-cwd "$HOME" --sandbox-policy '{"type":"workspace_readwrite","cwd":"'"$HOME"'","additionalReadwritePaths":[],"additionalReadonlyPaths":[],"networkAccess":false,"disableTmpWrite":false}' --preflight-only -- /bin/true
If you see Failed to apply sandbox: IO error: Step 2.5/7 (loopback setup) failed: IO error: loopback: failed to look up lo interface, this is it.
Step 2 — Verify you’re on AppArmor 4.0+:
apparmor_parser --version
Step 3 — Replace the broken profile:
sudo bash -c 'cat > /etc/apparmor.d/cursor-sandbox << "EOF"
abi <abi/4.0>,
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
file,
/** ix,
capability sys_admin,
capability net_admin,
capability chown,
capability setuid,
capability setgid,
capability setpcap,
userns,
network,
mount,
remount,
umount,
/usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,
include if exists <local/cursor-sandbox>
}
profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/cursorsandbox {
file,
/** ix,
capability sys_admin,
capability net_admin,
capability chown,
capability setuid,
capability setgid,
capability setpcap,
userns,
network,
mount,
remount,
umount,
/home/*/.cursor-server/bin/*/*/resources/helpers/cursorsandbox mr,
include if exists <local/cursor-sandbox>
}
EOF
'
Step 4 — Reload the profile:
sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox
Step 5 — Verify (no sudo, as your regular user):
/usr/share/cursor/resources/app/resources/helpers/cursorsandbox --sandbox-policy-cwd "$HOME" --sandbox-policy '{"type":"workspace_readwrite","cwd":"'"$HOME"'","additionalReadwritePaths":[],"additionalReadonlyPaths":[],"networkAccess":false,"disableTmpWrite":false}' --preflight-only -- /bin/true && echo "SANDBOX WORKS"
Step 6 — Restart Cursor.
What’s wrong with the shipped profile:
- Missing abi <abi/4.0>, header for AppArmor 4.0 syntax
- userns, is commented out (#userns,) — blocks namespace creation
- No network, rule — blocks socket creation inside the namespace (the actual “failed to look up lo interface” error)
- No include if exists <local/cursor-sandbox> — local overrides are ignored
Note: sudo apt reinstall cursor will overwrite this fix with the broken profile. You’ll need to redo steps 3-4 after Cursor package updates until they ship a corrected profile.
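An added example, not part of the original post or of the Cursor package: a check that reports, per profile block, which of the four defects listed above a profile file still has, so it can be re-run after a package update. The function names and both sample profiles are constructed; the "broken" sample is not the shipped file, only a stand-in with the same defects.

```bash
#!/usr/bin/env bash
# Audit an AppArmor profile file for the four defects listed in the post above.
# Prints one finding per line; exit status 1 if anything is missing.
audit_profile() {
    awk '
    function report(msg) { print msg; bad = 1 }
    /^[ \t]*#include/ { sub(/^[ \t]*#/, "") }   # legacy spelling of include
    { sub(/#.*/, "") }                           # drop comments such as "#userns,"
    /^[ \t]*abi[ \t]+<abi\/4\.0>[ \t]*,/ { abi = 1 }
    /^[ \t]*profile[ \t]/ { name = $2; inprof = 1; u = n = l = 0; next }
    inprof && /^[ \t]*userns([ \t][^,]*)?,/  { u = 1 }   # bare or qualified
    inprof && /^[ \t]*network([ \t][^,]*)?,/ { n = 1 }   # bare or qualified
    inprof && /^[ \t]*include[ \t]+if[ \t]+exists[ \t]+<local\/cursor-sandbox>/ { l = 1 }
    inprof && /^[ \t]*[}]/ {
        if (!u) report(name ": missing userns rule")
        if (!n) report(name ": missing network rule")
        if (!l) report(name ": missing include of local/cursor-sandbox")
        inprof = 0
    }
    END {
        if (!abi) report("file: missing abi <abi/4.0> header")
        exit bad + 0
    }' "$1"
}

# Constructed samples: "broken" has the four defects the post lists,
# "fixed" is a shortened form of the corrected profile (one block only).
write_samples() {
    cat > "$1/broken" <<'EOF'
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  #userns,
  mount,
}
EOF
    cat > "$1/fixed" <<'EOF'
abi <abi/4.0>,
profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  userns,
  network,
  mount,
  include if exists <local/cursor-sandbox>
}
EOF
}

# Stand-alone use: ./audit.sh /etc/apparmor.d/cursor-sandbox
if [ -n "${1:-}" ]; then audit_profile "$1"; fi
```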
@Brennan_Plassmeyer Great write-up, this is really helpful. Your corrected profile fixes the three main issues in the shipped one: the missing abi <abi/4.0>, header, the commented-out userns,, and the missing network, rule.
One thing that’s worth calling out for anyone following along: as you noted, sudo apt reinstall cursor or any .deb upgrade will overwrite the fixed profile. To prevent that, you can lock it with:
sudo chattr +i /etc/apparmor.d/cursor-sandbox
Remove it with chattr -i when you need to update it on purpose.
The team knows about the incomplete shipped profile. There’s no ETA for a fix yet, but reports like yours help with prioritization.
@John_DOE21 When you get a chance to try the fix, let us know how it goes. Brennan’s profile above should work well on Kubuntu 24.04.