Update unprivileged_userns_restriction

John Johansen 2024-01-06 10:26:22 +00:00
parent 71baa4b754
commit feedde66a0

@ -45,6 +45,14 @@ userns_create
If the value `userns_create` is present AppArmor can control the creation of namespaces in policy and the use of unprivileged user namespaces by unconfined.
To check if apparmor support changing the profile on when a task creates a new user namespace
```
$ sudo cat /sys/kernel/security/apparmor/features/namespaces/userns_create
pciu&
```
This ability is used to be able to allow unprivileged user namespaces but remove capabilities within the namespace.
# Audit message
If AppArmor denies an unconfined unprivileged process from creating a user namespace, it will log a message to the Audit subsystem. Similar to the following example message.
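Review bot: the sentence "To check if apparmor support changing the profile on when a task creates a new user namespace" is ungrammatical and stops without a colon before the fenced command; suggest "To check whether AppArmor supports changing the profile when a task creates a new user namespace, read the feature file:". The snippet shows `pciu&` as the file content but the text never says what that output means or how it differs from the value a kernel without transition support would report, so a reader cannot interpret the result of the check. The closing sentence "This ability is used to be able to allow unprivileged user namespaces but remove capabilities within the namespace." is also awkward; "This allows unprivileged user namespaces while removing capabilities inside the namespace." says the same thing more directly.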
@ -53,6 +61,11 @@ If AppArmor denies an unconfined unprivileged process from creating a user names
apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
```
If transitions are supported
```
apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted - failed to find unprivileged profile" error=-13 profile="unconfined" pid=1638 comm="plasmashell" requested="userns_create" denied="userns_create" target="unpriv_userns"
```
# Checking the current state of restricted unprivileged user namespaces
The /proc file that can be introspected to determine if AppArmor restrictions on unprivileged user namespaces are available also provides the current status of the restriction.
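Review bot: "If transitions are supported" does not tell the reader what to look for in the second audit message; the visible difference from the first example is the extra `target="unpriv_userns"` field and the info string "failed to find unprivileged profile", so suggest "If profile transitions are supported, the denial also names the target profile it could not find:". The last line, "The /proc file that can be introspected ...", refers to the file without naming its path in this section; stating the path here would let the reader run the status check without scrolling back to the earlier section.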