AppArmor User Namespace Restrictions (Linux)
The problem
Starting with Ubuntu 23.10, unprivileged user namespaces are restricted by AppArmor by default. MōBrowser applications rely on Chromium’s multi-process sandbox, which requires user namespaces. When AppArmor blocks them, the application fails to start.
✓ Building application [0.78s]
✓ Running application in development mode...
/App/build/bin/App [10214:10214:0410/114605.785856:FATAL:content/browser/zygote_host/zygote_host_impl_linux.cc:128] No usable sandbox! If you are running on Ubuntu 23.10+ or another Linux distro that has disabled unprivileged user namespaces with AppArmor...
Note: This only happens when the application is launched from a terminal, for example with npm run dev. Applications packaged into installers typically include their own AppArmor profiles and are not affected.
Create an AppArmor profile (recommended)
The recommended fix is to create an AppArmor profile that grants the userns permission to your application binary — without weakening security for anything else on the system.
Automatic fix via MōBrowser CLI
When you run npm run dev, the MōBrowser CLI detects the restriction and prompts you to create the profile automatically:
⚠ AppArmor is restricting unprivileged user namespaces on this system.
...
? Create the profile and reload AppArmor? (requires sudo) (Y/n)
Pressing Enter will create the profile and reload AppArmor. This requires sudo and only needs to be done once.
Manual fix
Create a file at /etc/apparmor.d/<appname>-dev with the following content. Replace <AppName> with the application name from mobrowser.conf.json, and use the same name lowercased with spaces removed for <appname>:
abi <abi/4.0>,
include <tunables/global>
profile <appname>-dev "/path/to/your/project/build/bin/<AppName>" flags=(unconfined) {
  userns,
  include if exists <local/<appname>-dev>
}
Then reload AppArmor:
sudo service apparmor reload
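The manual steps above can be scripted so the profile name and binary path are derived consistently. The following is an added example, not part of the MōBrowser CLI or the original page; the function names and the sample application name and project path are constructed for illustration.

```shell
#!/bin/sh
# Added example: render the per-binary dev profile from the manual fix.
# Function names and sample values are constructed for illustration.

# <appname>: the application name lowercased with spaces removed.
profile_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' '
}

# Succeeds (exit 0) when the restriction sysctl reads 1.
# $1 optionally overrides the sysctl path (used for offline testing).
userns_restricted() {
    f="${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the profile for application $1 whose project directory is $2.
render_profile() {
    case "$1$2" in
        *'"'*) echo "double quotes are not allowed in name or path" >&2; return 1 ;;
    esac
    case "$2" in
        /*) ;;  # the attachment must be an absolute path to one binary
        *) echo "project path must be absolute: $2" >&2; return 1 ;;
    esac
    name="$(profile_name "$1")"
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile ${name}-dev "$2/build/bin/$1" flags=(unconfined) {
  userns,
  include if exists <local/${name}-dev>
}
EOF
}

# Constructed sample: prints the profile; nothing is written to /etc.
render_profile "My App" "/home/dev/my-app"
```

Review the printed profile before saving it to /etc/apparmor.d/<appname>-dev. Because the attachment is an absolute path to a single binary, the userns permission applies only to that build output.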
Disable the restriction globally (least safe)
The quickest workaround is to disable the restriction entirely:
echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
To make this persist across reboots:
echo kernel.apparmor_restrict_unprivileged_userns=0 | sudo tee /etc/sysctl.d/60-apparmor-namespace.conf
This is not recommended — it disables AppArmor’s user namespace restriction system-wide for all applications, not just yours.