
How do I get my AppArmor profiles to work like they did in Ubuntu 22?

0 votes
0 answers
327 views
Until recently I was using Ubuntu 22. Being a paranoid sort, I like to have my stuff sandboxed. So I was running VS Code as a different user through 0install (0install run https://apps.0install.net/gui/vs-code.xml). I had to jump through a few hoops: set the DISPLAY environment variable, and copy the magic cookie to the other user (with xauth extract - "$DISPLAY" and xauth merge -). But I was happy to pay that price. Then came Ubuntu 24. Now, when I try to run the 0install command, nothing happens and it exits with code 0. With the --verbose argument I get this:
[32146:0916/205416.674638:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/kevin/.cache/0install.net/implementations/sha256new_PLTHUJ6DVZ2RVZROAUFY7ANZGID5GEFNTKSAPKK4523ZXWBWZGZA/chrome-sandbox is owned by root and has mode 4755.
(That file is owned by kevin and has mode 555.) The internet tells me that this is something to do with the change to AppArmor settings in Ubuntu 24 (https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#security-improvements, section "Security Improvements"). I've seen a few different suggestions of how to relax the security requirements, but I don't understand AppArmor well enough to convince myself that any of them are still sufficiently sandboxed. At the same time, messages appear in the dmesg log:
kern  :notice: [ 2796.519919] audit: type=1400 audit(1726516456.670:263): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=32146 comm="code" requested="userns_create" target="unprivileged_userns"
kern  :notice: [ 2796.520853] audit: type=1400 audit(1726516456.671:264): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=32148 comm="code" capability=21  capname="sys_admin"
kern  :info  : [ 2796.524131] traps: code trap int3 ip:609f9bb5c60a sp:7fff27a839d0 error:0 in code[609f9832c000+7e11000]
I don't fully understand what these logs mean, and I haven't found docs anywhere. It looks like it's failing to invoke the "sys_admin" capability. According to man capabilities, "sys_admin" is an overused capability; maybe this is an example of it being used where a more specific capability would be more appropriate. In any case I don't want to grant my process such sweeping powers. I don't know why it needs to do a permission check. The only reason I can think of is that X11 requires it. I also tried xhost without success. I'll give more details on that if you think X11 is the culprit.
UPDATE: VS Code Portable Mode (https://code.visualstudio.com/docs/editor/portable) does exactly the same thing.
Asked by David Knipe (111 rep)
Sep 20, 2024, 08:00 PM
Last activity: Oct 24, 2024, 10:43 PM
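
An added example, not part of the original question: a short Python script that parses the AppArmor audit records quoted above and pairs each denial with the earlier record that moved the program into the denying profile. The function names are hypothetical, and the sample input is the question's own dmesg lines embedded inline.

```python
import re
import shlex
from datetime import datetime, timezone

# The dmesg lines quoted in the question, embedded so the script runs offline.
SAMPLE = """\
kern  :notice: [ 2796.519919] audit: type=1400 audit(1726516456.670:263): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=32146 comm="code" requested="userns_create" target="unprivileged_userns"
kern  :notice: [ 2796.520853] audit: type=1400 audit(1726516456.671:264): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=32148 comm="code" capability=21  capname="sys_admin"
kern  :info  : [ 2796.524131] traps: code trap int3 ip:609f9bb5c60a sp:7fff27a839d0 error:0 in code[609f9832c000+7e11000]
"""
HEADER = re.compile(r"audit: type=1400 audit\((\d+)\.\d+:(\d+)\): (apparmor=.*)")


def parse_record(line):
    """Return the fields of one AppArmor audit line, or None for other kernel messages."""
    m = HEADER.search(line)
    if m is None:
        return None
    # shlex keeps quoted values such as info="..." together as one token.
    rec = dict(tok.split("=", 1) for tok in shlex.split(m.group(3)) if "=" in tok)
    rec["time"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
    rec["serial"] = int(m.group(2))
    return rec


def denials_after_transition(text):
    """Pair each DENIED record with the earlier record that put the program in that profile."""
    moved = {}      # (comm, target profile) -> record announcing the transition
    findings = []
    for rec in filter(None, map(parse_record, text.splitlines())):
        if rec["apparmor"] == "DENIED":
            cause = moved.get((rec.get("comm"), rec.get("profile")))
            findings.append({
                "denied": rec.get("capname") or rec.get("requested") or rec["operation"],
                "under_profile": rec.get("profile"),
                "entered_from": cause["profile"] if cause else None,
                "entered_by": cause["operation"] if cause else None,
                "pid": int(rec["pid"]),
                "time": rec["time"].isoformat(),
            })
        elif "target" in rec:
            moved[(rec.get("comm"), rec["target"])] = rec
    return findings


if __name__ == "__main__":
    for finding in denials_after_transition(SAMPLE):
        print(finding)
```

On the quoted lines it reports that `sys_admin` was denied under `unprivileged_userns`, a profile the `code` process entered from `unconfined` through `userns_create`.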