diff --git a/src/DEBIAN/postinst b/src/DEBIAN/postinst
index b79ff81..c312530 100755
--- a/src/DEBIAN/postinst
+++ b/src/DEBIAN/postinst
@@ -17,8 +17,12 @@ if [ "${PACKAGE_NAME}" = "cn.flamescion.bookworm-compatibility-mode" ];then
 systemctl daemon-reload
 systemctl enable ace-bookworm-auto-upgrade
 systemctl start ace-bookworm-auto-upgrade
+ # enable kernel.unprivileged_userns_clone
+ # disable kernel.apparmor_restrict_unprivileged_unconfined and kernel.apparmor_restrict_unprivileged_userns
+ if [ -f /usr/lib/sysctl.d/amber-ce.conf ];then
+ sysctl -p /usr/lib/sysctl.d/amber-ce.conf
+ fi
+
 
 fi
-systemctl reload apparmor
-
 true
diff --git a/src/etc/apparmor.d/amber-ce-bookworm b/src/etc/apparmor.d/amber-ce-bookworm
deleted file mode 100644
index 5555573..0000000
--- a/src/etc/apparmor.d/amber-ce-bookworm
+++ /dev/null
@@ -1,7 +0,0 @@
-abi ,
-include
-profile bwrap /usr/bin/bwrap flags=(unconfined) {
-userns,
-#Site-specific additions and overrides. See local/README for details.
-include if exists
-}
diff --git a/src/usr/lib/sysctl.d/amber-ce.conf b/src/usr/lib/sysctl.d/amber-ce.conf
new file mode 100644
index 0000000..10177b4
--- /dev/null
+++ b/src/usr/lib/sysctl.d/amber-ce.conf
@@ -0,0 +1,6 @@
+# ACE app runs in a container, need privileges within user namespace, so we need to set it
+kernel.unprivileged_userns_clone=1
+# Ubuntu 24.04 has more limitation on unprivileged user namespace,so we have to disable them.
+# refer to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+kernel.apparmor_restrict_unprivileged_unconfined=0
+kernel.apparmor_restrict_unprivileged_userns=0
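Review bot: `sysctl -p /usr/lib/sysctl.d/amber-ce.conf` in the postinst hunk returns non-zero when any key in the file is unknown to the running kernel, and `kernel.apparmor_restrict_unprivileged_unconfined` / `kernel.apparmor_restrict_unprivileged_userns` are absent on kernels without the Ubuntu AppArmor patches (the `kernel.unprivileged_userns_clone` key is likewise Debian/Ubuntu-specific); if the script runs under `set -e` (its header and the enclosing `if` start before the hunk) that aborts package configuration. `sysctl -e -p /usr/lib/sysctl.d/amber-ce.conf` ignores unknown keys and still applies the remaining ones. Separately, removing `systemctl reload apparmor` while deleting the shipped `/etc/apparmor.d/amber-ce-bookworm` profile means an upgrade from a version that installed that profile keeps the old bwrap profile loaded in the kernel (and dpkg leaves the removed conffile on disk as obsolete); a `dpkg-maintscript-helper rm_conffile /etc/apparmor.d/amber-ce-bookworm <prior-version> -- "$@"` entry plus an AppArmor reload on that upgrade path would clean it up, assuming the maintainer scripts receive the usual dpkg arguments.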
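Review bot: `kernel.apparmor_restrict_unprivileged_userns=0` and `kernel.apparmor_restrict_unprivileged_unconfined=0` switch the restriction off for every unprivileged process on the host, whereas the profile this commit deletes (`profile bwrap /usr/bin/bwrap flags=(unconfined) { userns, }`) granted the exception to one binary only. The Ubuntu page cited in the comment presents these restrictions as a mitigation for kernel bugs reachable through unprivileged user namespaces, so the global toggle gives that mitigation up for unrelated software as well. Keeping a per-binary AppArmor profile for the container launcher and limiting this file to `kernel.unprivileged_userns_clone=1` would preserve the hardening; if the global setting is genuinely required, the comment should state why the profile approach was insufficient rather than only referencing the blog post. Note also that a file under `/usr/lib/sysctl.d` is applied at every boot by systemd-sysctl, independent of the package-name check that guards the `sysctl -p` call in postinst.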