
deb: Apparmor profile for Ubuntu 23.10+ restricted unpriv userns

Open dtrudg opened this issue 2 years ago • 3 comments

https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

As detailed in the article above, Ubuntu 23.10 introduces restrictions on unpriv userns creation, via apparmor. The restrictions are off by default for now. However, they will be on by default at a later date via updates. This will probably apply to the next LTS - 24.04.

We need to ensure that we ship / document an apparmor profile suitable for the different execution modes of SingularityCE. Some of which rely on unpriv userns creation.

dtrudg, Oct 19 '23 09:10

Still disabled by default in 23.10, and I can't find anything definitive about 24.04.

Let's deal with this in final packaging tweaks during the RC period, or a patch release, since it is not related to Singularity's code.

dtrudg, Jan 10 '24 10:01

It's being tracked here...

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046477

Will have a look today / tomorrow... but if anything non-obvious is met we'll defer to a patch release.

A little bit challenging as it needs to have Ubuntu & version specific addition of a profile from our deb package, so we aren't installing the profile on apparmor systems that don't support it.

dtrudg, Jan 23 '24 10:01

This is going to move to the 4.1.1 milestone.

Needs a bit more thought... do we add the apparmor profile install to make install (which would then ignore --prefix)? Do we add it just to Deb packages built on specific distros?

I haven't seen any guidance for what packages that aren't in Ubuntu core repos should do. Those that are have had their profiles added into the apparmor package.

dtrudg, Jan 23 '24 14:01
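To make the two packaging questions in this thread concrete (what a profile that re-enables unprivileged userns creation for one binary looks like, and how to install it only on systems whose kernel actually exposes the restriction), here is an added example script. It is not SingularityCE's packaging or any file from the Ubuntu article; the binary path `/usr/bin/singularity`, the profile name `singularity` and the `DESTDIR` staging convention are assumptions. The profile layout is the `flags=(unconfined)` plus `userns,` pattern the linked Ubuntu post describes, and the presence check keys off the `kernel.apparmor_restrict_unprivileged_userns` sysctl that the restriction is toggled with, so a kernel without that knob gets no profile written at all.

```shell
#!/bin/sh
# Added example (not SingularityCE's or Ubuntu's code): render and conditionally
# install an AppArmor profile that lets one binary create user namespaces on
# Ubuntu 23.10+ kernels where unprivileged userns creation is restricted.

SINGULARITY_BIN="${SINGULARITY_BIN:-/usr/bin/singularity}"   # assumed install path
PROFILE_NAME="${PROFILE_NAME:-singularity}"                   # assumed profile name
SYSCTL_FILE="/proc/sys/kernel/apparmor_restrict_unprivileged_userns"

# Print the profile text. flags=(unconfined) leaves the binary otherwise
# unrestricted; the "userns," rule is what permits user namespace creation
# once kernel.apparmor_restrict_unprivileged_userns=1 is in effect.
render_profile() {
    cat <<EOF
# AppArmor profile: allow unprivileged user namespace creation for ${PROFILE_NAME}
abi <abi/4.0>,
include <tunables/global>

profile ${PROFILE_NAME} ${SINGULARITY_BIN} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${PROFILE_NAME}>
}
EOF
}

# Exit 0 when the running kernel exposes the restriction knob, 1 otherwise.
# An optional argument overrides the sysctl path (useful for testing).
userns_restriction_supported() {
    f="${1:-$SYSCTL_FILE}"
    [ -r "$f" ]
}

# Print "1" if the restriction is currently enforced, "0" if the knob exists
# but is off, and "absent" when the kernel has no such knob at all.
userns_restriction_state() {
    f="${1:-$SYSCTL_FILE}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Write the profile under $DESTDIR/etc/apparmor.d only on kernels that have
# the knob, then load it with apparmor_parser if that tool is available.
install_profile() {
    dest="${DESTDIR:-}/etc/apparmor.d/${PROFILE_NAME}"
    if ! userns_restriction_supported; then
        echo "no apparmor_restrict_unprivileged_userns knob; skipping profile" >&2
        return 0
    fi
    mkdir -p "$(dirname "$dest")"
    render_profile > "$dest"
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$dest"
    else
        echo "profile written to $dest but apparmor_parser not found; not loaded" >&2
    fi
}

# Usage: sh this.sh render | state | install   (nothing runs without an argument)
case "${1:-}" in
    render)  render_profile ;;
    state)   userns_restriction_state ;;
    install) install_profile ;;
esac
```

Running `sh this.sh state` before and after enabling the sysctl shows whether the profile is needed on a given host; `DESTDIR=/tmp/stage sh this.sh install` stages the file the way a package build would, and the `apparmor_parser -r` step only matters at real install time.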