feat(abs): internal cleanup.

apparmor.d/abstractions/common/chromium

@@ -8,14 +8,11 @@
 
   # userns,
 
-  # Only needed when kernel.unprivileged_userns_clone is set to "1"
+  capability setgid, # If kernel.unprivileged_userns_clone = 1
+  capability setuid, # If kernel.unprivileged_userns_clone = 1
   capability sys_admin,
   capability sys_chroot,
-  capability setuid,
-  capability setgid,
-  owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/gid_map w,
-  owner @{PROC}/@{pid}/uid_map w,
+  capability sys_ptrace,
 
   owner @{HOME}/.pki/ rw,
   owner @{HOME}/.pki/nssdb/ rw,
@@ -37,4 +34,9 @@
         /dev/shm/ r,
   owner /dev/shm/.org.chromium.Chromium.* rw,
 
+  # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+
   include if exists <abstractions/common/chromium.d>