Merge Profile updates from testing on Ubuntu 24.04/noble

Did some testing on a fresh post-release image of noble, and uncovered some new denials:

#### Xorg

`2024-05-06T19:55:36.782484-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715039736.765:174): apparmor="DENIED" operation="link" class="file" profile="Xorg" name="/tmp/.X0-lock" pid=1366 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/tmp/.tX0-lock"`

#### chromium_browser

`2024-05-06T21:17:09.674963-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715040834.256:168): apparmor="DENIED" operation="userns_create" class="namespace" profile="chromium_browser" pid=2133 comm="chromium" requested="userns_create" denied="userns_create"`

#### firefox

`2024-05-06T21:33:09.387356-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045589.369:505): apparmor="DENIED" operation="userns_create" class="namespace" profile="firefox" pid=3610 comm="firefox" requested="userns_create" denied="userns_create"`

`2024-05-06T21:36:48.911280-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045808.884:682): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-c2.scope/cpu.max" pid=4348 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2024-05-06T21:42:34.152955-04:00 image-ubuntu64 dbus-daemon[1628]: apparmor="DENIED" operation="dbus_bind"  bus="session" name="org.mpris.MediaPlayer2.firefox.instance_1_82" mask="bind" pid=4348 label="firefox"`


#### Xorg (second commit)

I neglected to set `abi/4.0` when this went in originally. (I was using the profile on jammy, hence the `3.0`.)

Also, testing on an older laptop that *doesn't* support KMS revealed that Xorg needs some pretty serious permissions then. I've added them in commented-out form, with an explanatory comment. (The `#nokms#` bit is meant to simplify uncommenting those two lines mechanically, e.g. `sed -i 's/#nokms#//'`)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1227
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Christian Boltz 2024-05-08 18:35:53 +00:00
commit d9207e39eb
3 changed files with 14 additions and 5 deletions

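The denials quoted in the commit message are the raw material for the rule changes below. As an added illustration (not code from the AppArmor project or from this MR), the following Python parses those audit lines and prints the literal rule that would satisfy each one. The field-to-rule mappings are this example's own assumptions, in particular the `owner` decision (fsuid equal to ouid) and the two-rule treatment of `link`; aa-logprof(8) is the real tool and does considerably more. The MR then generalises the literal paths with globs (`[0-9]*`, `{,c}`), which this script deliberately does not attempt.

```python
"""Turn AppArmor audit denials into candidate profile rules.

Added example, not part of the AppArmor tree. Handles the operations seen in
the commit message (open/link file denials, userns_create, dbus_bind) plus
'capable'; everything else is reported as unhandled.
"""
import re
from collections import OrderedDict

# Constructed sample: the five denials quoted in the commit message, verbatim.
SAMPLE_LOG = """\
2024-05-06T19:55:36.782484-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715039736.765:174): apparmor="DENIED" operation="link" class="file" profile="Xorg" name="/tmp/.X0-lock" pid=1366 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/tmp/.tX0-lock"
2024-05-06T21:17:09.674963-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715040834.256:168): apparmor="DENIED" operation="userns_create" class="namespace" profile="chromium_browser" pid=2133 comm="chromium" requested="userns_create" denied="userns_create"
2024-05-06T21:33:09.387356-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045589.369:505): apparmor="DENIED" operation="userns_create" class="namespace" profile="firefox" pid=3610 comm="firefox" requested="userns_create" denied="userns_create"
2024-05-06T21:36:48.911280-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045808.884:682): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-c2.scope/cpu.max" pid=4348 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-05-06T21:42:34.152955-04:00 image-ubuntu64 dbus-daemon[1628]: apparmor="DENIED" operation="dbus_bind"  bus="session" name="org.mpris.MediaPlayer2.firefox.instance_1_82" mask="bind" pid=4348 label="firefox"
"""

# key="quoted value" or key=bareword, as both the kernel and dbus-daemon emit.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one AppArmor audit line into its key/value fields (None if not one)."""
    start = line.find('apparmor=')
    if start < 0:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line[start:])}


def rules_for(f):
    """Map one parsed denial to the rule(s) that would permit it.

    These mappings are assumptions made for this example, not aa-logprof's
    algorithm.
    """
    op = f.get('operation')
    if op == 'userns_create':
        return ['userns,']
    if op == 'capable':
        return ['capability %s,' % f['capname']]
    if op == 'dbus_bind':
        return ['dbus (bind) bus=%s name=%s,' % (f['bus'], f['name'])]
    if 'denied_mask' in f and 'name' in f:
        # Assumption: prefix 'owner' only when the acting fsuid matches the
        # file owner (ouid). cpu.max above is root-owned but read by uid 1000,
        # so it gets a plain rule, exactly as the MR wrote it.
        owner = 'owner ' if f.get('fsuid') == f.get('ouid') else ''
        mask = f['denied_mask']
        if op == 'link':
            # Assumption: 'name' is the new hard link and needs 'l'; the
            # existing file ('target') must hold at least the permissions
            # granted on the link, so the denied mask is granted there too.
            return ['%s%s %sl,' % (owner, f['name'], mask),
                    '%s%s %s,' % (owner, f['target'], mask)]
        return ['%s%s %s,' % (owner, f['name'], mask)]
    return ['# unhandled operation %r' % op]


def suggest_rules(log_text):
    """Return an ordered mapping profile -> deduplicated candidate rules.

    Both DENIED and ALLOWED are collected: a profile in complain mode (like
    Xorg here) logs would-be denials as apparmor="ALLOWED".
    """
    by_profile = OrderedDict()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get('apparmor') not in ('DENIED', 'ALLOWED'):
            continue
        # The kernel names the confined task profile=, dbus-daemon uses label=.
        profile = f.get('profile') or f.get('label')
        rules = by_profile.setdefault(profile, [])
        for rule in rules_for(f):
            if rule not in rules:
                rules.append(rule)
    return by_profile


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print('profile %s:' % profile)
        for rule in rules:
            print('    ' + rule)
```

Run it with `python3` and compare its literal output against the hunks below: the script emits `/tmp/.X0-lock` and `session-c2.scope`, the MR turns those into `/tmp/.X[0-9]*-lock` and `session-{,c}[0-9]*.scope`. That generalisation step is the judgement call a profile author makes by hand.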

@ -5,7 +5,7 @@
# https://bugs.launchpad.net/bugs/1292324
# https://github.com/canonical/lightdm/issues/18
abi <abi/3.0>,
abi <abi/4.0>,
include <tunables/global>
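Review bot: switching to `abi <abi/4.0>` turns on mediation for classes that abi/3.0 left unmediated (user namespaces among them), and because this profile carries the `complain` flag in its header (`flags=(attach_disconnected, complain)`), any newly mediated access will be logged as apparmor="ALLOWED", not DENIED. The test run described in the commit message quotes only DENIED lines for Xorg; a pass over the noble audit log for `apparmor="ALLOWED".*profile="Xorg"` after this abi bump would confirm nothing else needs a rule before the profile is ever moved out of complain mode.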
@ -89,7 +89,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
/etc/X11/** r,
owner /tmp/.tX[0-9]*-lock w,
owner /tmp/.tX[0-9]*-lock rw,
owner /tmp/.X[0-9]*-lock wl,
owner /tmp/serverauth.* r, # startx(1)
owner /tmp/server-[0-9]*.xkm rw,
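Review bot: `owner /tmp/.X[0-9]*-lock wl,` is wider than the rename-by-link it is meant to cover. AppArmor's hard-link check only requires the permissions on the new link (`w` here) to be a subset of what the profile holds on the target file, so with `l` granted this way Xorg may hard-link `/tmp/.X0-lock` to any owner-writable file elsewhere in the profile (the `.xkm` and log files granted nearby qualify), not only to `/tmp/.tX0-lock`, which is the `target=` in the quoted denial. A dedicated `link` rule naming both paths (see the link rules section of apparmor.d(5)) pins the target to `/tmp/.tX[0-9]*-lock` and lets the file rule drop back to `w`.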
@ -113,6 +113,11 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
owner /var/lib/gdm*/.local/share/xorg/Xorg.pid-[1-9]*.log rw,
owner /var/lib/gdm*/.local/share/xorg/Xorg.[0-9]*.log{,.old} rw,
# When running without a kernel mode-setting (KMS) driver, Xorg may need
# these additional permissions. DO NOT enable these unless necessary!
#nokms#/dev/mem rw,
#nokms#@{sys}/devices/pci[0-9]*/*/*/resource[0-9] w,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/Xorg>
}
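Review bot: the commented-out sysfs glob `@{sys}/devices/pci[0-9]*/*/*/resource[0-9]` only matches a device sitting exactly one bridge below the root bus, because `*` does not cross `/`; a GPU attached directly to the root bus (`pci0000:00/0000:00:02.0/resource0`) is not covered, while one behind a root port (`pci0000:00/0000:00:01.0/0000:01:00.0/resource0`) is. The firefox hunk in this same MR already uses `/sys/devices/pci[0-9]*/**/...` for that tree, so `**` here would be both consistent and correct for either topology. Two more points for the warning comment: `/dev/mem rw` is effectively unconfined access to physical memory, which the comment could say in those words rather than "pretty serious", and since the profile already ends with `include if exists <local/Xorg>`, pointing admins at `local/Xorg` for these two rules avoids a `sed` edit of the packaged profile that the next package update will prompt about or overwrite.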


@ -39,6 +39,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
capability sys_chroot,
capability sys_ptrace,
userns,
# UPower
# Not sure why these are needed, so deny for now
deny dbus (send)
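Review bot: a bare `userns,` with no comment leaves the next reader guessing why a browser needs to create user namespaces and why the rule appeared now; the surrounding lines (`# UPower`, `# Not sure why these are needed, so deny for now`) show the profile's habit of annotating such decisions. A one-liner next to it, e.g. `# chromium's sandbox creates user namespaces (mediated from abi/4.0; denied on noble without this)`, would preserve what the commit message works out from the quoted `comm="chromium"` denial. The same applies to the identical line added to the firefox profile.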


@ -45,6 +45,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
capability sys_chroot,
capability sys_ptrace,
userns,
include <abstractions/dbus-accessibility-strict>
dbus (send)
bus=session
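Review bot: unlike the Xorg profile, the firefox header shows no `complain` flag, so this `userns,` line is enforced as soon as the profile is reloaded. Before merging it is worth confirming on the noble image that the browser's own sandbox diagnostics (the Sandbox section of about:support lists user-namespace availability) report namespaces as usable again, since the `userns_create` denial quoted in the commit message is exactly the condition that page would have flagged; the rule is also placed between the `capability` lines and a dbus include, and a short comment tying it to the sandbox would help the next maintainer.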
@ -187,11 +189,11 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
owner @{PROC}/@{pid}/{uid,gid}_map w,
@{PROC}/filesystems r,
@{PROC}/sys/vm/overcommit_memory r,
@{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-[0-9]*.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r,
# prevent crash LP: #1931602
/sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r,
/sys/devices/platform/**/uevent r,
/sys/devices/pci*/**/{busnum,config,idVendor,idProduct,revision} r,
/sys/devices/pci*/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
/sys/devices/pci*/**/{,subsystem_}device r,
/sys/devices/pci*/**/{,subsystem_}vendor r,
/sys/devices/system/node/node[0-9]*/meminfo r,
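Review bot: `session-{,c}[0-9]*.scope` now matches the login-session scope in the quoted denial (`session-c2.scope`), but a firefox started from a desktop launcher usually lands under the per-user service manager instead (`user-1000.slice/user@1000.service/app.slice/app-*.scope`), which this rule still does not match, so the same denial will come back on a differently launched session. Unless firefox is known to always read the session scope's `cpu.max`, `@{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/**/cpu.max r,` covers both layouts at no real cost, since it is a read of a cgroup control file the profile already grants in one location.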
@ -391,7 +393,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
# MPRIS D-Bus Interface Specification
dbus (bind)
bus=session
name=org.mpris.MediaPlayer2.firefox.instance[0-9]*,
name=org.mpris.MediaPlayer2.firefox.instance{,_}[0-9]*,
dbus (receive)
bus=session
path=/org/mpris/MediaPlayer2
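Review bot: `instance{,_}[0-9]*` accepts the `instance_1_82` name from the quoted dbus-daemon denial only because `*` also matches `_`, so the rule now admits any suffix after the first digit; that is acceptable for a bind on the profile's own well-known name, but a comment quoting the observed `org.mpris.MediaPlayer2.firefox.instance_1_82` form would stop someone tightening it back to `instance[0-9]*`, which fails on the leading underscore.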