Fixing Broken Thumbnails on Ubuntu 24.04.4 LTS Caused by AppArmor User Namespaces

On my Ubuntu 24.04.4 LTS desktop, which I’d been using for about six months, I ran into a surprisingly stubborn issue: GNOME Files (Nautilus) completely stopped generating thumbnails for both images and videos. At first glance it looked like a typical desktop breakage: thumbnail cache issues, missing codecs, or a corrupted Nautilus config. But none of the usual fixes helped.

Symptoms

The problem was fairly clear:

  • No image thumbnails (JPG, PNG, etc.)
  • No video thumbnails
  • Nautilus was clearly attempting to generate them
  • The thumbnail cache filled up with failures under: ~/.cache/thumbnails/fail/gnome-thumbnail-factory/

Rebuilding caches, reinstalling thumbnail-related packages, and clearing GNOME settings had no effect. The system was trying—but everything was failing at runtime.

The Real Cause

The root issue turned out to be a security restriction in the Linux kernel related to AppArmor and unprivileged user namespaces:

kernel.apparmor_restrict_unprivileged_userns=1

This setting prevents unprivileged processes from creating user namespaces. On Ubuntu 24.04, this can interfere with sandboxed helper processes used by GNOME’s thumbnailing system, causing them to fail silently or exit immediately.

In my case, the gnome-thumbnail-factory pipeline was unable to execute its helper components properly, resulting in constant thumbnail generation failures. The processes would exit without useful error messages—they just silently failed whenever they tried to create a namespace.

What the Logs Look Like

If you check /var/log/syslog during this issue, you’ll see AppArmor audit logs like:

apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=24933 comm="bwrap" capability=8  capname="setpcap"
apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=24933 comm="bwrap" capability=12  capname="net_admin"
apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=24932 comm="bwrap" requested="userns_create" target="unprivileged_userns"

These denials show the kernel blocking capability operations within unprivileged user namespaces. The bwrap (bubblewrap) command is a sandboxing tool that various GNOME components use, including the thumbnail factory.

This is a deliberate security hardening measure to prevent certain privilege escalation attack vectors, but it has the side effect of breaking legitimate use cases that rely on unprivileged user namespaces for sandboxing and isolation.
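To confirm which sandbox helper is being blocked, the denials can be grouped by command and refused capability. This is an added example, not part of the original post; the function names summarize_userns_denials and sample_log are hypothetical, and the last two sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials logged under the
# unprivileged_userns profile, grouped by command and refused capability.
# Live use (log path as named in the post):
#   summarize_userns_denials < /var/log/syslog

summarize_userns_denials() {
    awk '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key,    s) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
        sub(/"$/, "", s)        # drop the closing quote
        return s
    }
    # Count only denials under this profile; the AUDIT transition line
    # and denials from other profiles are skipped.
    field("apparmor") == "DENIED" && field("profile") == "unprivileged_userns" {
        what = field("capname")
        if (what == "") what = field("operation")   # non-capability denial
        count[field("comm") " " what]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Sample input: the first three lines are the ones quoted in the post; the
# last two are constructed (a repeat denial with a made-up pid, and a denial
# from an unrelated, made-up profile).
sample_log() {
    cat <<'EOF'
apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=24933 comm="bwrap" capability=8  capname="setpcap"
apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=24933 comm="bwrap" capability=12  capname="net_admin"
apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=24932 comm="bwrap" requested="userns_create" target="unprivileged_userns"
apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=25010 comm="bwrap" capability=12  capname="net_admin"
apparmor="DENIED" operation="open" class="file" profile="example_profile" pid=100 comm="cat"
EOF
}

# Output format: <count> <comm> <capname or operation>
sample_log | summarize_userns_denials
```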

The Fix

Disabling this restriction immediately restored thumbnail generation:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

After running this command:

  • Thumbnails started generating again instantly
  • Both image and video previews worked in Nautilus
  • No further changes were required
  • The thumbnail cache began populating normally

Making the Change Persistent

If you want this change to survive reboots, add it to /etc/sysctl.d/:

echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/99-apparmor-userns.conf
sudo sysctl -p /etc/sysctl.d/99-apparmor-userns.conf

Verify the change:

sysctl kernel.apparmor_restrict_unprivileged_userns