feat(profiles): add initial userns rule.

Require apparmor 4 to be enabled.

apparmor.d/abstractions/chromium

@@ -31,6 +31,8 @@
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability setgid,
   capability setuid,
   capability sys_admin,

apparmor.d/groups/virt/virtiofsd

@@ -10,6 +10,8 @@ include <tunables/global>
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
+  # userns,
+
   capability chown,
   capability dac_override,
   capability dac_read_search,

apparmor.d/profiles-s-z/slirp4netns

@@ -10,6 +10,8 @@ include <tunables/global>
 profile slirp4netns @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  # userns,
+
   capability net_admin,
   capability setpcap,
   capability sys_admin,

apparmor.d/profiles-s-z/thunderbird

@@ -35,6 +35,8 @@ profile thunderbird @{exec_path} {
   include <abstractions/vulkan>
   include <abstractions/wayland>
 
+  # userns,
+
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
 

pkg/prebuild/build.go

@@ -22,11 +22,9 @@ var (
 	regAttachments   = regexp.MustCompile(`(profile .* @{exec_path})`)
 	regFlags         = regexp.MustCompile(`flags=\(([^)]+)\)`)
 	regProfileHeader = regexp.MustCompile(` {`)
-	regAbi4To3       = util.ToRegexRepl([]string{
+	regAbi4To3       = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4
-		`abi/4.0`, `abi/3.0`,
+		`abi/3.0`, `abi/4.0`,
-		`(?m)^.*mqueue.*$`, ``,
+		`# userns,`, `userns,`,
-		`(?m)^.*userns.*$`, ``,
-		`(?m)^.*io_uring.*$`, ``,
 	})
 )