feat(profile): enable abi 4 rules by default.

apparmor.d/abstractions/app/chromium

@@ -43,7 +43,7 @@
   include <abstractions/user-read-strict>
   include <abstractions/video>
 
-  # userns,
+  userns,
 
   capability setgid,
   capability setuid,

apparmor.d/abstractions/app/firefox

@@ -30,7 +30,7 @@
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
 
-  # userns,
+  userns,
 
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1

apparmor.d/abstractions/common/bwrap

@@ -7,7 +7,7 @@
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
 
-  # userns,
+  userns,
 
   capability net_admin,
   capability setpcap,

apparmor.d/abstractions/common/chromium

@@ -6,7 +6,7 @@
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.
 
-  # userns,
+  userns,
 
   capability setgid, # If kernel.unprivileged_userns_clone = 1
   capability setuid, # If kernel.unprivileged_userns_clone = 1

apparmor.d/abstractions/common/electron

@@ -18,7 +18,7 @@
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
-  # userns,
+  userns,
 
   capability setgid, # If kernel.unprivileged_userns_clone = 1
   capability setuid, # If kernel.unprivileged_userns_clone = 1

apparmor.d/groups/gnome/nautilus

@@ -26,7 +26,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/trash-strict>
 
-  # mqueue r type=posix /,
+  mqueue r type=posix /,
 
   #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}
   #aa:dbus own bus=session name=org.freedesktop.FileManager1

apparmor.d/groups/kde/plasmashell

@@ -28,7 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
 
-  # userns,
+  userns,
 
   capability sys_ptrace,
 

apparmor.d/groups/systemd/systemd-coredump

@@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
   include <abstractions/nameservice-strict>
   include <abstractions/common/systemd>
 
-  # userns,
+  userns,
 
   capability dac_override,
   capability dac_read_search,

apparmor.d/groups/systemd/systemd-logind

@@ -27,7 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  # mqueue r type=posix /,
+  mqueue r type=posix /,
 
   unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,
 

apparmor.d/groups/ubuntu/package-system-locked

@@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
   network inet dgram,
   network inet6 dgram,
 
-  # mqueue r type=posix /,
+  mqueue r type=posix /,
 
   ptrace (read),
 

apparmor.d/groups/virt/virtiofsd

@@ -10,7 +10,7 @@ include <tunables/global>
 profile virtiofsd @{exec_path} {
   include <abstractions/base>
 
-  # userns,
+  userns,
 
   capability chown,
   capability dac_override,

apparmor.d/profiles-a-f/flatpak

@@ -18,7 +18,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
-  # userns,
+  userns,
 
   capability dac_override,
   capability dac_read_search,

apparmor.d/profiles-g-l/lvm

@@ -23,7 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
-  # mqueue r type=posix /,
+  mqueue r type=posix /,
 
   @{exec_path} rm,