AppArmor Restrictions

On Ubuntu 23.10 and later, unprivileged user namespaces are restricted by AppArmor by default. MōBrowser applications rely on Chromium’s multi-process sandbox, which requires user namespaces. When AppArmor blocks them, the application fails to start.

So, if you try to run the application in development mode using npm run dev on Ubuntu 23.10+ or another Linux distro that has disabled unprivileged user namespaces with AppArmor, you will see the following error:

✓ Building application [0.78s]
✓ Running application in development mode...
/App/build/bin/App [10214:10214:0410/114605.785856:FATAL:
  content/browser/zygote_host/zygote_host_impl_linux.cc:128]
  No usable sandbox! If you are running on Ubuntu 23.10+ or
  another Linux distro that has disabled unprivileged user
  namespaces with AppArmor...

Information: This only happens when the application is launched from a terminal. Applications packaged into installers typically include their own AppArmor profiles, so they are not affected.

The recommended fix is to create an AppArmor profile that grants the userns permission to your application binary. This can be done automatically by the MōBrowser CLI or manually.

Automatically 

When you run npm run dev, the MōBrowser CLI can detect the restriction and offer to create the profile automatically:

⚠️ AppArmor is restricting unprivileged user namespaces on this system.
...
? Create the profile and reload AppArmor? (requires sudo) (Y/n)

Pressing Enter will create the profile and reload AppArmor. This requires sudo and only needs to be done once.

Manually 

To create the profile manually, you need to create a file at /etc/apparmor.d/{APP_NAME}-dev with the following content:

abi <abi/4.0>,
include <tunables/global>

profile {app_name}-dev "/project/build/bin/{APP_NAME}" flags=(unconfined) {
  userns,
  include if exists <local/{app_name}-dev>
}

Replace the following placeholders:

  • {APP_NAME} with the application name from mobrowser.conf.json.
  • {app_name} with the same application name lowercased with spaces removed.

Then reload AppArmor:

sudo service apparmor reload
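
The manual steps above as a script, added here as an example and not part of the MōBrowser CLI: it renders the profile from the template and rejects names or paths containing quotes or AppArmor glob characters, so the userns grant stays scoped to a single binary. The function names, the project-directory argument (standing in for /project in the template) and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example: render the dev profile from the template on this page.

# {app_name}: the application name lowercased with spaces removed.
profile_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' '
}

# 0 = restriction active, 1 = not active, 2 = sysctl not present.
# The optional argument overrides the sysctl path (used for testing).
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Quotes, newlines and glob characters would break the quoted attachment
# path or make the profile match more than one binary.
safe_part() {
    nl='
'
    case $1 in
        ''|*\"*|*\**|*\?*|*\[*|*\]*|*\{*|*\}*|*"$nl"*) return 1 ;;
    esac
}

# render_profile APP_NAME PROJECT_DIR  -> profile text on stdout
render_profile() {
    app_name=$1
    project_dir=$2
    safe_part "$app_name" || { echo "unsafe app name" >&2; return 1; }
    safe_part "$project_dir" || { echo "unsafe project dir" >&2; return 1; }
    case $project_dir in
        /*) ;;
        *) echo "project dir must be absolute" >&2; return 1 ;;
    esac
    name=$(profile_name "$app_name")
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile ${name}-dev "${project_dir}/build/bin/${app_name}" flags=(unconfined) {
  userns,
  include if exists <local/${name}-dev>
}
EOF
}

# Usage (constructed sample values):
#   render_profile "My App" "$PWD" | sudo tee "/etc/apparmor.d/My App-dev"
```

Review the rendered text before writing it under /etc/apparmor.d, then reload AppArmor as shown above.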

Solution 2: Disable AppArmor restriction globally 

The quickest workaround is to disable the restriction entirely:

echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns

To make this persist across reboots:

echo kernel.apparmor_restrict_unprivileged_userns=0 | sudo tee /etc/sysctl.d/60-apparmor-namespace.conf

⚠️ Warning: This is not recommended. It disables AppArmor’s user namespace restriction system-wide for all applications, not just yours.