My set up:
Version: 2.6.22
VSCode Version: 1.105.1
Commit: c6285feaba0ad62603f7c22e72f0a170dc8415a0
Date: 2026-03-27T15:59:31.561Z
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Linux x64 6.17.0-19-generic**

Fix: sandbox still failing after installing cursor-sandbox-apparmor deb (missing network rules + dac_override)**

If you’ve installed cursor-sandbox-apparmor_0.6.0_all.deb and are still getting sandbox failures, the installed AppArmor profile is missing network rules entirely and the dac_override capability. This causes newuidmap to be denied on both socket creation and capability, which is what kills the loopback setup step.

You can confirm this is your issue by running:

sudo journalctl -k -b --since "1 hour ago" --no-pager | grep -iE 'apparmor="DENIED".*cursor'

If you see denials like comm="newuidmap" family="unix" sock_type="stream" and capname="dac_override", this fix applies to you.

Fix

First, find the actual profile filename (it differs from what the docs suggest):

ls /etc/apparmor.d/ | grep -i cursor

Then edit the profile (likely cursor-sandbox not cursor_sandbox):

sudo nano /etc/apparmor.d/cursor-sandbox

Add capability dac_override and the missing network rules to both profiles in the file:

  capability sys_admin,
  capability net_admin,
  capability chown,
  capability setuid,
  capability setgid,
  capability setpcap,
  capability dac_override,    <-- add this
  network unix,
  network unix stream,        <-- add this
  network unix dgram,         <-- add this
  network inet stream,
  network inet6 stream,
  network netlink raw,

Reload the profile and restart Cursor:

sudo apparmor_parser -r /etc/apparmor.d/cursor-sandbox

Note: If Cursor updates itself it may reinstall the deb and reset the profile, so if the sandbox breaks again after an update this is the first place to check.

Tested on kernel 6.17.0-19-generic / Cursor 2.6.22 / cursor-sandbox-apparmor 0.6.0