Comment 34 for bug 2017980

John Johansen (jjohansen) wrote :

The feature exists in the Lunar kernel (this includes 6.2 hwe kernels) but is not enabled by default, and is currently enabled by default on 6.5 kernel builds.

* If the user is using a 6.2 kernel and has enabled it via the sysctl or /proc, the above restriction will occur.

* If the user is using a 6.5 kernel and has NOT disabled it via the sysctl or /proc, the above restriction will occur.

This feature is not dependent on the userspace but on the kernel in use.

There are 3 ways to address the above issue:
1. Application Level
   Install or create a profile for the application

2. System Level, temporarily (until reboot) disable via
   echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns

3. System Level, disable via
   sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

OR
    add a new file /etc/sysctl.d/60-apparmor-namespace.conf with contents

        kernel.apparmor_restrict_unprivileged_userns=0

    and reboot.

Going forward, the 6.5 kernel feature is going to be tweaked so that the userspace will have to enable it. The apparmor package in mantic will enable it. This will prevent installation of the 6.5 kernel or HWE build variants from automatically enabling the feature on older releases.
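A read-only check for the state described in this comment, added here as an example (it is not part of the bug report or of the apparmor package): it reports whether the restriction is active on the running kernel and whether the sysctl.d workaround has been pinned across reboots. It assumes only the /proc knob and the sysctl.d file named above; both paths are parameters so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the bug thread. Paths default to the real
# kernel/system locations but can be overridden for testing.
PROC_KNOB=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
SYSCTL_CONF=/etc/sysctl.d/60-apparmor-namespace.conf

# Runtime state of the knob: "absent" (kernel lacks the feature, e.g. pre-6.2),
# "disabled" (0), "enabled" (1) or "unknown(<value>)".
userns_restriction_state() {
    f="${1:-$PROC_KNOB}"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo "unknown($v)" ;;
    esac
}

# True when a sysctl.d fragment pins the knob to 0. Comment lines are ignored,
# spaces around '=' are tolerated, and the last assignment wins (sysctl order).
userns_restriction_persisted_off() {
    f="${1:-$SYSCTL_CONF}"
    [ -r "$f" ] || return 1
    last=$(sed -n 's/^[[:space:]]*kernel\.apparmor_restrict_unprivileged_userns[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
    [ "$last" = "0" ]
}

# One-line verdict combining runtime state and persistence.
userns_restriction_verdict() {
    state=$(userns_restriction_state "$1")
    case "$state" in
        absent)   echo "absent: this kernel has no AppArmor unprivileged userns restriction" ;;
        enabled)  echo "enabled: unprivileged userns creation is restricted unless the app has an AppArmor profile" ;;
        disabled) if userns_restriction_persisted_off "$2"; then
                      echo "disabled: pinned off via sysctl.d"
                  else
                      echo "disabled: no sysctl.d pin found (a 6.5 kernel re-enables it on reboot)"
                  fi ;;
        *)        echo "unexpected knob value: $state" ;;
    esac
}

userns_restriction_verdict
```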