Until now the working assumption has been that an application without a specific AppArmor profile runs in the "unconfined" profile, which effectively forbids nothing. In 24.04, however, any unconfined process that creates an unprivileged user namespace is automatically transitioned into the "unprivileged_userns" profile, which does add rules (this is the behaviour switched on by the new kernel.apparmor_restrict_unprivileged_userns sysctl, which 24.04 enables by default). Disabling that profile doesn't help: with the restriction still active and no profile to transition into, it appears to block unprivileged user namespace creation entirely.
What does work is to create a specific AppArmor profile for guix that is really unconfined and explicitly allows user namespaces:
Create a file /etc/apparmor.d/guix with the following contents (the attachment path /usr/bin/guix must be the path of the executable that is actually run, so adjust it if your guix binary lives elsewhere):
  abi <abi/4.0>,
  include <tunables/global>
  profile guix /usr/bin/guix flags=(unconfined) {
    userns,
    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/guix>
  }
Then reload AppArmor and put the profile into enforce mode:
  /etc/init.d/apparmor reload
  aa-enforce guix
aa-status should then list guix among the loaded profiles.
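The same procedure as a script, added here as an example and not part of the original post or of the guix or Ubuntu packaging: it generates the profile above for an arbitrary binary path (generalising the /usr/bin/guix case), resolves symlinks before attaching because AppArmor matches the file actually executed, loads it with apparmor_parser, and then checks which confinement a child of the profile lands in after creating a user namespace. It assumes the AppArmor 4.x userspace shipped in 24.04 (apparmor_parser, aa-status, aa-exec) and must be run as root for the install and verify actions; the function names and the "install"/"verify" sub-commands are this script's own.

```shell
#!/bin/sh
# Added example, not from the original post. Usage (as root):
#   sh aa-userns-profile.sh install [/path/to/binary]   (default /usr/bin/guix)
#   sh aa-userns-profile.sh verify  [/path/to/binary]
set -eu

# Profile name is the basename of the executable, matching the post's "guix".
profile_name() {
    basename "$1"
}

# Emit the profile text. flags=(unconfined) makes the profile behave as
# unconfined; the explicit "userns," rule keeps unprivileged user namespace
# creation allowed instead of transitioning into unprivileged_userns.
gen_profile() {
    bin="$1"
    name="$(profile_name "$bin")"
    printf 'abi <abi/4.0>,\n'
    printf 'include <tunables/global>\n'
    printf 'profile %s %s flags=(unconfined) {\n' "$name" "$bin"
    printf '  userns,\n'
    printf '  # Site-specific additions and overrides. See local/README for details.\n'
    printf '  include if exists <local/%s>\n' "$name"
    printf '}\n'
}

# Write the profile under /etc/apparmor.d and (re)load just that profile.
# Symlinks are resolved first: AppArmor attaches by the path of the file that
# is exec'd, so a profile written for a symlink path would never apply.
install_profile() {
    bin="$(readlink -f "$1")"
    name="$(profile_name "$bin")"
    gen_profile "$bin" > "/etc/apparmor.d/$name"
    apparmor_parser -r "/etc/apparmor.d/$name"
}

# Confirm the profile is loaded, print the state of the 24.04 restriction
# sysctl, and show the label a child of the profile carries after
# unshare(CLONE_NEWUSER). With the profile applied, the label printed should
# name the profile itself rather than "unprivileged_userns" (assumption based
# on the behaviour described in the post).
verify_profile() {
    name="$1"
    aa-status | grep -qw "$name" || { echo "profile $name not loaded" >&2; return 1; }
    echo "kernel.apparmor_restrict_unprivileged_userns = $(sysctl -n kernel.apparmor_restrict_unprivileged_userns)"
    aa-exec -p "$name" -- unshare -U cat /proc/self/attr/current
}

case "${1:-}" in
    install)
        install_profile "${2:-/usr/bin/guix}"
        verify_profile "$(profile_name "${2:-/usr/bin/guix}")"
        ;;
    verify)
        verify_profile "$(profile_name "${2:-/usr/bin/guix}")"
        ;;
esac
```

With no arguments the script only defines its functions, so it can be sourced or inspected safely; the install action needs root and a working apparmor_parser.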
See:
- https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115 Conflict between apparmor and guix on Ubuntu 24.04
- https://bugs.launchpad.net/apparmor/+bug/2046844 AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP