feat(profiles): add initial userns rule.

Require apparmor 4 to be enabled.

apparmor.d/abstractions/chromium

@@ -31,6 +31,8 @@
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability setgid,
   capability setuid,
   capability sys_admin,

apparmor.d/groups/virt/virtiofsd

@@ -10,6 +10,8 @@ include <tunables/global>
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
+  # userns,
+
   capability chown,
   capability dac_override,
   capability dac_read_search,

apparmor.d/profiles-s-z/slirp4netns

@@ -10,6 +10,8 @@ include <tunables/global>
 profile slirp4netns @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  # userns,
+
   capability net_admin,
   capability setpcap,
   capability sys_admin,

apparmor.d/profiles-s-z/thunderbird

@@ -35,6 +35,8 @@ profile thunderbird @{exec_path} {
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1