Terminal Sandbox Issue Linux

Same issue here on Zorin OS 18 (Ubuntu 24.04 base), kernel 6.17.0-14-generic, Cursor 2.5.25.

I spent a while debugging this and wanted to document everything for anyone else who hits it.

Diagnosis

Running sudo journalctl -xe | grep -i apparmor | grep cursor | grep DENIED revealed that the official AppArmor profile shipped in cursor-sandbox-apparmor.deb is incomplete. It is missing several rules that the sandbox actually requires. The denials I saw were:

  1. capability dac_override — missing from the profile entirely
  2. network unix stream / network unix dgram — no network rules at all in the profile
  3. network netlink raw — also required but not included

What I tried

I progressively updated /etc/apparmor.d/cursor-sandbox to add the missing rules, reloading with sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox each time. Each fix resolved one layer of denials but revealed the next. Even after adding all of the above, the sandbox still failed to start.

The profile I ended up with (still not working):

abi <abi/4.0>,
include <tunables/global>

profile cursor_sandbox /usr/share/cursor/resources/app/resources/helpers/cursorsandbox {
  file,
  /** ix,
  network unix,
  network netlink raw,
  capability sys_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,
  capability dac_override,
  userns,
  mount,
  remount,
  umount,
  /usr/share/cursor/resources/app/resources/helpers/cursorsandbox mr,
}

profile cursor_sandbox_remote /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} {
  file,
  /** ix,
  network unix,
  network netlink raw,
  capability sys_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,
  capability dac_override,
  userns,
  mount,
  remount,
  umount,
  /home/*/.cursor-server/bin/*/*/resources/helpers/{cursor-sandbox,cursorsandbox} mr,
}

Note: the install path on my system is /usr/share/cursor/ not /opt/Cursor/ as the docs suggest — worth checking yours matches.

The only workaround that actually fixes it:

echo 'kernel.apparmor_restrict_unprivileged_userns=0' | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --system

This disables the unprivileged user namespace restriction system-wide. Not ideal from a security standpoint but it works immediately with no Cursor restart needed.

Summary

The official AppArmor profile from Cursor is missing rules that the sandbox actually needs on Ubuntu 24.04 / Zorin OS 18. This seems to be a case of the shipped profile not being tested against this specific kernel + AppArmor configuration. The documented fix does not resolve the issue — the sysctl workaround is currently the only reliable solution on this distro.

Hope this helps the Cursor team track it down and ship a corrected profile. Thx :wink:
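
The diagnosis step in the post above, as an added example (not from the original post or from Cursor): this Python script turns AppArmor DENIED audit lines for one profile into candidate profile rules to review. The log lines are constructed samples, and the names `parse_fields` and `suggest_rules` are hypothetical.

```python
import re

# Constructed sample audit lines (not real output from any system).
SAMPLE_LOG = '''\
audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" capability=1 capname="dac_override"
audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" family="unix" sock_type="stream" protocol=0 requested="create" denied="create"
audit: type=1400 audit(1700000000.103:13): apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create"
audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="create" class="net" profile="cursor_sandbox" pid=4242 comm="cursorsandbox" family="netlink" sock_type="raw" protocol=0 requested="create" denied="create"
audit: type=1400 audit(1700000000.105:15): apparmor="DENIED" operation="capable" class="cap" profile="cursor_sandbox" pid=4243 comm="cursorsandbox" capability=1 capname="dac_override"
audit: type=1400 audit(1700000000.106:16): apparmor="ALLOWED" operation="capable" class="cap" profile="cursor_sandbox" pid=4243 comm="cursorsandbox" capability=21 capname="sys_admin"
audit: type=1400 audit(1700000000.107:17): apparmor="DENIED" operation="open" class="file" profile="other_app" name="/tmp/example" pid=999 comm="other" requested_mask="r" denied_mask="r"
'''

# key="quoted value" or key=bare_value pairs, as found in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_rules(log_text, profile_prefix="cursor_sandbox"):
    """Map DENIED records for matching profiles to candidate rules, deduplicated."""
    rules = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT records need no new rule
        if not f.get("profile", "").startswith(profile_prefix):
            continue  # denial belongs to a different profile
        if "capname" in f:
            rule = f"capability {f['capname']},"
        elif "family" in f:
            rule = " ".join(["network", f["family"], f.get("sock_type", "")]).strip() + ","
        else:
            # Mount, file and other denials need a human to choose the scope.
            rule = f"# review manually: operation={f.get('operation', '?')}"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

With real logs, pass the output of the journalctl command from the Diagnosis section as `log_text`, and review each suggested rule before adding it to the profile.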