unprivileged_userns profile interferes with Chromium sandbox

I've had a user report an issue that implies a serious problem with the unprivileged_userns profile.

The user is installing and running the ungoogled-chromium browser on Ubuntu 24.04. This is a modified version of Chromium that is currently not covered by any AppArmor profile. They installed the ungoogled-chromium and ungoogled-chromium-common packages, notably avoiding the ungoogled-chromium-sandbox package which contains the setuid sandbox binary. There should be no need for the latter on a modern system that allows for user namespaces.

Unfortunately, when they run the browser, they see this error (which I have reproduced):

$ ungoogled-chromium
[8800:8800:0523/184810.049361:ERROR:zygote_host_impl_linux.cc(126)] No usable sandbox! If this is a Debian system, please install the chromium-sandbox package to solve this problem. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

In syslog, I see this:

2024-05-23T18:37:17.563443-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1716503837.548:165): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8584 comm="chromium" requested="userns_create" target="unprivileged_userns"
2024-05-23T18:37:17.563445-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1716503837.548:166): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8612 comm="chromium" capability=21 capname="sys_admin"

To confirm that the profile is the problem, I tried unloading AppArmor completely, but ran into a separate issue:

# aa-teardown
Unloading AppArmor profiles
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
[...]

It didn't actually unload anything, so I symlinked unprivileged_userns into disable/ instead and rebooted. The failure mode was different now...

$ ungoogled-chromium
[2356:2356:0523/190844.251372:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)

...and syslog showed a different issue:

2024-05-23T19:10:28.400203-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1716505828.381:167): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=2454 comm="chromium" requested="userns_create" denied="userns_create" target="unprivileged_userns"

I was planning to add /usr/bin/ungoogled-chromium to the chromium_browser profile here, but absent that, disallowing arbitrary programs from using normal userns functionality is a bridge too far. The user's only recourse is to follow the suggestion in the error message and install the ungoogled-chromium-sandbox package. Not only is the userns security mechanism not available to this application, the user has to add a setuid binary to their system, an approach we have been moving away from for very good reasons.
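As an added illustration (not from the original report, and not the contents of Ubuntu's chromium_browser profile), this is the shape of a minimal per-binary profile of the kind Ubuntu 24.04 ships for browsers that need user namespaces: the binary stays effectively unconfined, but it now has a named profile carrying the userns permission, so the kernel no longer transitions it into unprivileged_userns and the CAP_SYS_ADMIN denial seen in the syslog above does not occur. The profile name, file name and the /usr/bin/ungoogled-chromium path are assumptions.

```apparmor
# /etc/apparmor.d/ungoogled-chromium  (hypothetical file name)
#
# This profile allows everything and only exists to give the
# application a name instead of the label "unconfined", which is
# what permits it to create user namespaces for its own sandbox.

abi <abi/4.0>,
include <tunables/global>

# Binary path is an assumption; adjust to where the package installs it.
profile ungoogled-chromium /usr/bin/ungoogled-chromium flags=(unconfined) {
  # Permit unprivileged user namespace creation for this binary only.
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ungoogled-chromium>
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/ungoogled-chromium` and confirm with `aa-status` that the profile is listed before retesting; the AUDIT line with target="unprivileged_userns" should no longer appear for the browser.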