Additional Configurations for Codex in Ubuntu

AppArmor Configuration

To install and configure the additional AppArmor profiles that the Codex sandbox needs to function correctly on modern distributions such as Ubuntu 24.04, follow these steps:

Install AppArmor Packages

First, ensure the core AppArmor utilities and the collection of community-maintained profiles are installed on your system.

sudo apt update
sudo apt install apparmor apparmor-utils apparmor-profiles

Enable User Namespace Profiles

Modern versions of Ubuntu restrict unprivileged user namespaces by default, which can cause the Codex sandbox to fail, because it uses bubblewrap (the bwrap binary) to create those namespaces. You must enable the specific profile that permits these operations:

Copy the extra profile to the active AppArmor directory:

sudo cp /usr/share/apparmor/extra-profiles/bwrap-userns-restrict /etc/apparmor.d/

Load the profile into the kernel:

sudo apparmor_parser -r /etc/apparmor.d/bwrap-userns-restrict

Reload AppArmor to apply changes:

sudo systemctl reload apparmor

Verify the Configuration

Check that the profiles are correctly loaded and that the sandbox can now initialize namespaces.

Check AppArmor status: Run sudo aa-status and look for bwrap or unprivileged_userns in the output.

Test Bubblewrap directly:

/usr/bin/bwrap --unshare-user --uid 0 --gid 0 --proc /proc --dev /dev --ro-bind /bin /bin --ro-bind /lib /lib --ro-bind /lib64 /lib64 /bin/true

If this command returns no error, the sandbox should now function.
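
The verification steps above can be combined into one script that reports why the sandbox still fails, if it does. This is an added example, not part of Codex or of the original instructions: the function names `profile_loaded` and `verdict`, the `--check` argument and the sample listing are constructed for illustration, and the sysctl `kernel.apparmor_restrict_unprivileged_userns` and the file `/sys/kernel/security/apparmor/profiles` are Ubuntu and AppArmor interfaces that this page does not mention.

```sh
#!/bin/sh
# Added example: diagnose the sandbox after the steps above (not Codex code).

# Constructed sample of /sys/kernel/security/apparmor/profiles ("name (mode)").
SAMPLE='unprivileged_userns (enforce)
bwrap (enforce)
firefox (unconfined)'

# profile_loaded NAME: read a profile listing on stdin and succeed only if a
# profile is named exactly NAME (a substring match would be too loose).
profile_loaded() {
    awk -v want="$1" '
        { name = $0; sub(/ \([^()]*\)$/, "", name) }
        name == want { found = 1 }
        END { exit !found }'
}

# verdict RESTRICT LOADED RC: combine three observations into one result.
#   RESTRICT  kernel.apparmor_restrict_unprivileged_userns (1, 0 or unknown)
#   LOADED    yes/no: is the bwrap profile loaded?
#   RC        exit status of the bwrap smoke test
verdict() {
    if [ "$3" -eq 0 ]; then
        echo "ok"
    elif [ "$1" = 1 ] && [ "$2" = no ]; then
        echo "profile-missing"   # repeat the cp and apparmor_parser steps
    else
        echo "bwrap-failed"      # look elsewhere: bwrap missing, bind paths
    fi
}

main() {
    restrict=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns \
        2>/dev/null || echo unknown)
    if sudo cat /sys/kernel/security/apparmor/profiles | profile_loaded bwrap
    then loaded=yes; else loaded=no; fi
    rc=0
    /usr/bin/bwrap --unshare-user --uid 0 --gid 0 --proc /proc --dev /dev \
        --ro-bind /bin /bin --ro-bind /lib /lib --ro-bind /lib64 /lib64 \
        /bin/true || rc=$?
    echo "restrict=$restrict bwrap_profile=$loaded bwrap_rc=$rc"
    verdict "$restrict" "$loaded" "$rc"
}

# Run the live checks only when asked, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A result of `profile-missing` means the restriction is active and no profile named bwrap is loaded, so the copy and load steps did not take effect.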