Fix nsjail error, surface non-AybErrors more effectively

src/hosted_db/sqlite.rs

@@ -92,14 +92,19 @@ pub async fn potentially_isolated_sqlite_query(
             run_in_sandbox(Path::new(&isolation.nsjail_path), path, query, query_mode).await?;
         println!("potentially2");
         if !result.stderr.is_empty() {
-            println!("potentially3");
-            // Before shipping, consider whether to still try to parse and then catch the parsing error.
-            return Err(AybError::QueryError {
-                message: format!(
-                    "Error message from sandboxed query runner: {}",
-                    result.stderr
-                ),
-            });
+            let error: AybError = serde_json::from_str(&result.stderr);
+            // If the error could be deserialized into an AybError,
+            // return that. Otherwise, create a more generic AybError
+            // to at least surface an issue.
+            return match error {
+                Ok(error) => Err(error),
+                Err(error) => Err(AybError::QueryError {
+                    message: format!(
+                        "Error message from sandboxed query runner: {}",
+                        result.stderr
+                    ),
+                }),
+            };
         } else if result.status != 0 {
             println!("potentially5");
             return Err(AybError::QueryError {

tests/set_up_e2e_env.sh

@@ -18,3 +18,8 @@ DOCKER_FLAGS="-v ${SCRIPT_PATH}:/etc/localstack/init/ready.d/init-aws.sh" locals
 # On Ubuntu, assumes these requirements: sudo apt-get install -y libprotobuf-dev protobuf-compiler libnl-route-3-dev
 scripts/build_nsjail.sh
 mv nsjail tests/
+
+# Starting with Ubuntu 24.x, nsjail won't run with default permissions
+# (https://github.com/google/nsjail/issues/236).
+sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
+sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0