System-wide sandboxing framework - sandbox-app-launcher

That’s not the issue. We don’t depend on a preexisting /etc/machine-id. We use sandbox-app-launcher/usr/share/sandbox-app-launcher/machine-id (at master, Kicksecure/sandbox-app-launcher on GitHub) and overwrite /etc/machine-id within the namespace.

Your issue is:

bwrap: Can’t create file at /etc/machine-id: Read-only file system

I.e. /etc is mounted read-only so we can’t add our own machine-id.

sdwdate.

Yes. Also see if allow_dynamic_native_code_exec=no works. If so, add that too.

I’m confused as to what you’re trying to do. Is this the same issue as sdwdate and sdwdate-gui development thread - #376 by Patrick? Are you trying to use systemd sandboxing and sandbox-app-launcher together? Or a custom url_to_unixtime AppArmor profile (not the default sandbox-app-launcher profile) with the rest of sandbox-app-launcher?
