Sandbox failures on ubuntu-24.04 #1591

@maxrake

Overview

There are failures in CI when attempting to use the ubuntu-24.04 runners.

How To Reproduce

Steps to reproduce this behavior:

  1. Change the build and test runners from ubuntu-20.04 or ubuntu-22.04 to ubuntu-24.04
  2. Kick off a Test workflow in CI
  3. See test failures related to sandboxing

failures:
    extensions::fs_sandboxing_success
    extensions::injected_api
    extensions::net_sandboxing_success
    extensions::permissions::correct_sandbox_run_permission_successful_install_and_run
    parse::parse_with_project_lockfile
    parse::parse_with_project_lockfile_relative_paths
    sandbox::allow_env
    sandbox::allow_fs
    sandbox::allow_net
    sandbox::default_deny_env
    sandbox::default_deny_fs
    sandbox::default_deny_net

All the errors are of the same sort:

thread 'sandbox::default_deny_net' panicked at /rustc/4eb161250e340c8f48f66e2b929ef4a5bed7c181/library/core/src/ops/function.rs:250:5:
Unexpected stderr, failed var.contains(Could not resolve host: veracode.com)
├── var: sandboxing failure: Operation not permitted (os error 1)
└── var as str: sandboxing failure: Operation not permitted (os error 1)

Expected Behavior

Sandboxing works on newer versions of Ubuntu.

Additional Context

From @matt-phylum:

There's a new "feature" in Ubuntu 24 where user namespaces are different from other distributions. https://wiki.ubuntu.com/Security/Features#apparmor-unprivileged-userns-restrictions

Perhaps this should be an issue in the phylum-dev/birdcage repo as well/instead.

Currently accessible logs can be viewed here, until they are removed: https://github.com/phylum-dev/cli/actions/runs/13979756308
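
A preflight check for the condition described in this issue, added here as an example and not taken from the phylum-dev/cli or phylum-dev/birdcage code. It reads three Linux sysctls that govern unprivileged user namespaces; the names `UsernsStatus`, `classify` and `probe` are hypothetical, and linking a restricted result to the `Operation not permitted` failures above is an assumption based on the Ubuntu page cited in the issue.

```rust
use std::fs;

/// Result of inspecting the user-namespace sysctls (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum UsernsStatus {
    /// None of the inspected sysctls restricts unprivileged user namespaces.
    Allowed,
    /// kernel.apparmor_restrict_unprivileged_userns = 1 (the Ubuntu AppArmor restriction).
    AppArmorRestricted,
    /// kernel.unprivileged_userns_clone = 0 (Debian/Ubuntu kernel knob).
    CloneDisabled,
    /// user.max_user_namespaces = 0.
    LimitZero,
}

/// Classify raw sysctl file contents; `None` means the file is absent on this kernel.
pub fn classify(apparmor: Option<&str>, clone: Option<&str>, max: Option<&str>) -> UsernsStatus {
    let num = |v: Option<&str>| v.and_then(|s| s.trim().parse::<u64>().ok());
    if num(max) == Some(0) {
        UsernsStatus::LimitZero
    } else if num(clone) == Some(0) {
        UsernsStatus::CloneDisabled
    } else if num(apparmor) == Some(1) {
        UsernsStatus::AppArmorRestricted
    } else {
        UsernsStatus::Allowed
    }
}

/// Read the three sysctls from /proc/sys on the running host.
pub fn probe() -> UsernsStatus {
    let read = |p: &str| fs::read_to_string(p).ok();
    let a = read("/proc/sys/kernel/apparmor_restrict_unprivileged_userns");
    let c = read("/proc/sys/kernel/unprivileged_userns_clone");
    let m = read("/proc/sys/user/max_user_namespaces");
    classify(a.as_deref(), c.as_deref(), m.as_deref())
}

fn main() {
    match probe() {
        UsernsStatus::Allowed => println!("no sysctl restriction on unprivileged user namespaces"),
        other => println!("unprivileged user namespaces restricted: {:?}", other),
    }
}
```

Run as a step before the test suite, this separates a change in runner-image policy from a regression in the sandbox code itself.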
