
Nix with Home-Manager on Ubuntu error with sandboxing

tldr solution

At least on Ubuntu 24.04 you have to create AppArmor profiles to enable the sandbox to use namespaces (see https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890).

To solve the issue you can create a profile in /etc/apparmor.d like this:

include <tunables/global>
/nix/store/*-vscodium-*/bin/codium flags=(unconfined) {
  userns,
}

The wildcards in the path above are necessary because the hash of the store will change after updates and the version may also change; this solution will work in both scenarios.

You can then load it like this and put in your filename at the end (for reference see https://ubuntu.com/server/docs/apparmor):

sudo apparmor_parser -r /etc/apparmor.d/...

original question

I'm migrating my Home-Configuration on Ubuntu to Nix and Home-Manager. I've got it all running and installed some applications already. But when trying to install vscodium I couldn't get it to run and didn't find a solution on the web.

When I try to run codium --verbose (with version 1 of the config) I get the error:

The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now.

I found this related question: Ubuntu Linux returns an error with the SUID sandbox. The only answer suggested reinstallation, which in the nix context doesn't make sense, and the other two would (as far as I understand them) compromise the security the sandbox would give. The comments on this also didn't help, because I would have to dynamically change the permissions on the sandbox in a nix store.

On the nixos wiki I found an article for VSCodium: https://nixos.wiki/wiki/VSCodium. There vscodium.fhs was mentioned, so I tried it in version 2 of the config. When running it the following error appears:

bwrap: setting up uid map: Permission denied

I found many discussions like this one: https://github.com/NixOS/nixpkgs/issues/89599. But there was never a real outcome I could try out. To be honest, I'm just getting started with nix and going a bit deeper into Linux permissions, so probably I just have to go much deeper to really understand what's going on, but is there maybe some workaround to get this working?

My configuration is like this:

flake.nix:

{
  description = "Home Manager configuration of dominic";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixgl = {
      url = "github:nix-community/nixGL";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    alacritty-theme.url = "github:alexghr/alacritty-theme.nix";
  };
  outputs = { nixpkgs, home-manager, nixgl, alacritty-theme, ... }:
    let
      pkgs = import nixpkgs {
        system = "x86_64-linux";
        overlays = [ nixgl.overlay alacritty-theme.overlays.default ];
      };
    in {
      homeConfigurations."dominic" = home-manager.lib.homeManagerConfiguration {
        inherit pkgs;
        modules = [ ./home.nix ];
        extraSpecialArgs = {
          nixgl = nixgl;
        };
      };
    };
}

home.nix:

{ config, pkgs, nixgl, ... }:
{
  nixGL = {
    packages = nixgl.packages;
  };
  home.username = "dominic";
  home.homeDirectory = "/home/dominic";
  home.stateVersion = "24.11";
  home.packages = [
  ];
  home.file = {
    ".config/nix/nix.conf".source = dotfiles/nix/nix.conf;
  };
  home.sessionVariables = {
    # Fix Krita errors
    QT_XCB_GL_INTEGRATION = "none";
  };
  programs.home-manager.enable = true;
  programs = {
    alacritty = import ./programs/alacritty.nix {inherit config pkgs;};
    vscode = import ./programs/vscode.nix {inherit config pkgs;};
  };
}

programs/vscode.nix (version 1):

{
  config,
  pkgs
}: {
  enable = true;
  package = (config.lib.nixGL.wrap pkgs.vscodium);
}

programs/vscode.nix (version 2):

{
  config,
  pkgs
}: {
  enable = true;
  package = (config.lib.nixGL.wrap pkgs.vscodium.fhs);
}
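
An added example, not part of the original post: a POSIX shell helper that generates the profile from the tldr for one named binary, refuses attachment globs broad enough to exempt more than that binary, and loads the result with apparmor_parser -r. The function names and glob rules are assumptions of this example; /proc/sys/kernel/apparmor_restrict_unprivileged_userns is the sysctl Ubuntu 24.04 exposes for the restriction.

```shell
#!/bin/sh
# Added example; function names and glob rules are assumptions, not from the post.

# Succeeds when Ubuntu's AppArmor restriction on unprivileged user namespaces is on.
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Accept only globs shaped like /nix/store/<x>-<y>/bin/<literal binary name>,
# so the unconfined+userns exemption cannot spread to the whole store.
userns_glob_ok() {
    case "$1" in
        *'**'*|*..*) return 1 ;;          # recursive glob or path traversal
        /nix/store/*-*/bin/*) ;;          # <hash>-<package>/bin/<binary>
        *) return 1 ;;
    esac
    case "${1##*/}" in                    # binary name: no wildcards, not empty
        ''|*'*'*|*'?'*|*'['*) return 1 ;;
    esac
}

# Print the profile from the tldr for the given attachment glob.
render_userns_profile() {
    userns_glob_ok "$1" || { echo "refusing broad glob: $1" >&2; return 1; }
    cat <<EOF
include <tunables/global>
$1 flags=(unconfined) {
  userns,
}
EOF
}

# Write the profile to /etc/apparmor.d/<name> and (re)load it.
install_userns_profile() {   # $1 = file name, $2 = attachment glob
    case "$1" in ''|*/*) echo "bad file name" >&2; return 1 ;; esac
    tmp=$(mktemp) || return 1
    if render_userns_profile "$2" > "$tmp"; then
        sudo install -m 0644 "$tmp" "/etc/apparmor.d/$1" &&
            sudo apparmor_parser -r "/etc/apparmor.d/$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call it as install_userns_profile nix-vscodium '/nix/store/*-vscodium-*/bin/codium', where nix-vscodium is a placeholder file name; userns_restricted tells you beforehand whether the restriction is active on the machine at all.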
