Ubuntu does enable unprivileged userns by default (at least on desktop installs?), but there's at least one exception to watch out for: the lightdm "guest session" option applies an AppArmor policy that allows CLONE_NEWUSER but denies any use of the resulting capabilities; see also https://bugzilla.mozilla.org/show_bug.cgi?id=1434528 where we ran into that with Firefox. There's an exception for Chromium's sandbox, so in principle that could also be done for bubblewrap.
** Bug watch added: Mozilla Bugzilla #1434528 https://bugzilla.mozilla.org/show_bug.cgi?id=1434528 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709164 Title: [MIR] bubblewrap To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs