Fixing markdown file preview with /tmp/install_apparmor_profile.sh1

Answered
Avatar
PatS2265
Created

I just updated/installed the latest IntelliJ Ultimate version 2025.3.3 and opened a markdown file README.md.

IntelliJ gave a prompt that said:

Embedded Browser is suspended

The system restricts the embedded browsser from running with the sandbox enabled. A corresponding…
Install Profile…    Disable Sandbox  Learn more…

I selected Install Profile… and was prompted to enter my password to run a script 

/usr/bin/sh /tmp/install_apparmor_profile.sh1

Before I ran that I wanted to inspect it but I was not given that option.

My questions are:

1. What does that script do, other than the obvious answer, which is that it allows IntelliJ to preview markdown files.

2. Where is the source code for that script.

3. Where does the Learn more… link go, what is the URL it opens?  NOTE: I did not click on the Learn more… option and now that I've installed it I don't have that button to look at what it says.

 

Thanks, in advance.

Love your products!

Votes

0

Share

2 comments
Avatar
Arina Efremova
Created

Hi Pat, let me reply to your questions one by one.

What does that script do

On Ubuntu 24.04+ and similar systems, the AppArmor security system now blocks unprivileged user namespaces, which prevents the embedded Chromium (JCEF) browser used by IntelliJ from starting. That's what triggers the "Embedded Browser is suspended" notification.

When you click Install Profile…, IntelliJ runs the install_apparmor_profile.sh1 helper script that:

  1. Creates an AppArmor profile for the IDE's Java binary (JBR) under /etc/apparmor.d/…
    Example from the official knowledge-base article:

    # This profile is autogenerated by IntelliJ IDEA Ultimate Edition to allow running sandboxed JCEF
abi <abi/4.0>,
include <tunables/global>

profile /path/to/your/idea/jbr/bin/java flags=(unconfined) {
    userns,
    include if exists <local/chrome>
}

  2. Loads or reloads that profile with:

    apparmor_parser -r <path_to_profile>

The effect is:

  • Granting userns permission to the IDE's Java binary under AppArmor, which is the Ubuntu‑recommended way to allow sandboxed apps to run again
  • Re‑enabling all JCEF usage in the IDE (Markdown preview, SVG viewer, What's New page, and any plugin that embeds a browser), not just Markdown preview

It does not touch other system areas beyond writing one profile file in /etc/apparmor.d and calling apparmor_parser -r to load it.

Where is the source code for that script

There is no standalone, shipped shell script source file in the IntelliJ installation. Instead, the IDE platform code generates the contents dynamically, writes a temporary script into /tmp/install_apparmor_profile.sh*, and executes it.

You can see the exact result by inspecting the profile now present in /etc/apparmor.d/ (its name will be something like idea-ultimate / idea-ultimate-edition depending on your install).

Where does the Learn more… link go

It points to the official JetBrains knowledge‑base article on the matter: https://youtrack.jetbrains.com/articles/JBR-A-11

There is also an open ticket in our system to eventually move this content to standard documentation.

Hope this helps👍🏻

1
Avatar
PatS2265
Created

Your answers are exactly what I needed.  Feel free to close this question.

Kindest regards,

Patrick

0

Please sign in to leave a comment.