diff --git a/.github/workflows/bwrap.apparmor b/.github/workflows/bwrap.apparmor
new file mode 100644
index 00000000..8f1390dc
--- /dev/null
+++ b/.github/workflows/bwrap.apparmor
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2024 Russell Coker
+# SPDX-License-Identifier: CC-BY-NC-SA-3.0
+# source: https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/
+
+abi ,
+include
+
+profile bwrap /usr/bin/bwrap flags=(unconfined) {
+ userns,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/.github/workflows/bwrap.yml b/.github/workflows/bwrap.yml
index e3e5637d..464de327 100644
--- a/.github/workflows/bwrap.yml
+++ b/.github/workflows/bwrap.yml
@@ -18,6 +18,8 @@ jobs:
 steps:
 - name: Install bubblewrap
 run: sudo apt install bubblewrap
+ - name: Work around Ubuntu 24.04 bubblewrap bug
+ run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
@@ -65,6 +67,8 @@ jobs:
 steps:
 - name: Install bubblewrap
 run: sudo apt install bubblewrap
+ - name: Work around Ubuntu 24.04 bubblewrap bug
+ run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
@@ -125,6 +129,8 @@ jobs:
 # There is a strange bug(?) in nongnu, when you clone a git repository
 # against a commit != HEAD with depth=1, it errors out.
 fetch-depth: 0
+ - name: Work around Ubuntu 24.04 bubblewrap bug
+ run: sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap && sudo systemctl reload apparmor
 - name: Get pass2_image
 uses: actions/download-artifact@v4
 with:
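Review bot: The new profile in `.github/workflows/bwrap.apparmor` attaches to `/usr/bin/bwrap` with `flags=(unconfined)` plus `userns,`, but nothing in the file says that this deliberately leaves bwrap unconfined and able to create user namespaces for any caller on the machine. I would add a header comment such as `# CI-only: leaves bwrap unconfined and allows userns; review before installing on shared or long-lived hosts`. As shown on this page the `abi` line and both `include` lines carry no argument, which may only be an artefact of how the page was rendered. It is worth confirming that the committed file still names them, since a profile that does not parse would presumably not be loaded.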
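Review bot: In the `@@ -18,6 +18,8 @@` hunk of `.github/workflows/bwrap.yml` the new step runs `sudo cp .github/workflows/bwrap.apparmor /etc/apparmor.d/bwrap` before `Checkout repo`, and the visible `steps:` list starts with `Install bubblewrap`, so the source file is presumably not in the workspace yet and `cp` would fail. The `@@ -65,6 +67,8 @@` hunk has the same ordering. Moving the `Work around Ubuntu 24.04 bubblewrap bug` step below the `actions/checkout@v4` step in both jobs, as the third hunk appears to do, would fix it. Both job bodies continue outside the hunks.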
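Review bot: In the `@@ -125,6 +129,8 @@` hunk the step ends with `sudo systemctl reload apparmor`, which reloads the whole profile set and may not make it obvious when this one file is rejected. Loading only the new file with `sudo apparmor_parser -r /etc/apparmor.d/bwrap` would make a parse error fail the step at its cause. A comment above the step, for example `# Ubuntu 24.04 restricts unprivileged user namespaces via AppArmor; remove once the runner image ships a bwrap profile`, would tell a later reader why the runner's AppArmor policy is being changed and when the step can go. The enclosing job starts and ends outside the hunk.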