what is it?
Linux Security Module implementation that restricts applications' capabilities and permissions with profiles that are set per program.
Issues
Ubuntu 24 has it enabled by default. This breaks Electron apps such as Obsidian when they are installed declaratively through the nix package manager, because the Chromium sandbox cannot create an unprivileged user namespace and aborts:

[73448:0430/205321.652818:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/gghjll0dfdrg1nahq9fvm6ii7qrdmld3-electron-28.3.1/libexec/electron/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

Fix
Add an AppArmor profile that grants the userns permission:

cd /etc/apparmor.d
sudoedit nix-obsidian

abi <abi/4.0>,
include <tunables/global>
profile nix-obsidian /nix/store/*-obsidian-*/bin/obsidian flags=(unconfined) {
  userns,
  include if exists <local/nix-obsidian>
}

sudo apparmor_parser -r /etc/apparmor.d/nix-obsidian
sudo systemctl reload apparmor
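Added check script, not part of the original note: it confirms that the userns restriction is what triggers the abort, that the nix-obsidian profile is actually loaded (and in which mode; flags=(unconfined) means the profile grants userns and nothing else, it does not confine Obsidian), and that chrome-sandbox has the ownership and mode the error message asks for. It assumes the kernel lists loaded profiles as "name (mode)" lines in /sys/kernel/security/apparmor/profiles and that the restriction is the Ubuntu sysctl kernel.apparmor_restrict_unprivileged_userns; run it with --live on the host, otherwise its functions only run when called.

```shell
#!/bin/sh
# Live listing of loaded profiles; overridable so the functions can be fed a file.
PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# profile_mode NAME [FILE]: print the mode (enforce/complain/unconfined) of
# profile NAME from the listing in FILE; return 1 if the profile is not loaded.
# Assumes one "name (mode)" entry per line, as the kernel exposes it.
profile_mode() {
    awk -v name="$1" '
        $1 == name { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { exit !found }' "${2:-$PROFILES_FILE}"
}

# restriction_active VALUE: sysctl value 1 means unprivileged user namespaces
# are denied unless an AppArmor profile grants userns (the crash in the note).
restriction_active() {
    [ "$1" = "1" ]
}

# sandbox_ok PATH: the SUID helper must be root-owned with mode 4755, which is
# what the FATAL message demands when the userns route is unavailable.
sandbox_ok() {
    [ "$(stat -c '%u %a' "$1" 2>/dev/null)" = "0 4755" ]
}

main() {
    value=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo 0)
    if restriction_active "$value"; then
        echo "userns restriction is on: a profile with 'userns,' is required"
    else
        echo "userns restriction is off: the AppArmor profile is not the fix here"
    fi
    if mode=$(profile_mode nix-obsidian); then
        echo "nix-obsidian is loaded in mode: $mode"
        [ "$mode" = "unconfined" ] && echo "note: unconfined grants userns only, it confines nothing"
    else
        echo "nix-obsidian is NOT loaded: re-run apparmor_parser -r"
    fi
    # Placeholder path: substitute the electron libexec path from the error message.
    helper="${CHROME_SANDBOX:-/nix/store/PLACEHOLDER-electron/libexec/electron/chrome-sandbox}"
    if sandbox_ok "$helper"; then
        echo "chrome-sandbox is root:4755 (SUID fallback usable)"
    else
        echo "chrome-sandbox is not root:4755 at $helper (expected under nix; userns must work)"
    fi
}

if [ "${1-}" = "--live" ]; then main; fi
```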