rootless (non-dpkg): update docs and dockerd-rootless-setuptool.sh check for Ubuntu 24.04 (kernel.apparmor_restrict_unprivileged_userns) #47480

@AkihiroSuda

Description

Ubuntu 24.04 will enable kernel.apparmor_restrict_unprivileged_userns by default (LP 2046477, LP 2046844), so rootless setup with https://get.docker.com/rootless (non-dpkg) needs the following steps:

if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ] && [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
  cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<EOF
# Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
# to restrict unsharing user namespaces:
# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
#
# kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
# but it is expected to be enabled in future releases of Ubuntu.
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.local.bin.rootlesskit>
}
EOF
  systemctl restart apparmor.service
fi

This additional step is not needed for dpkg setup (apt-get install docker-ce-rootless-extras), as the apparmor package is shipped with the profile for /usr/bin/rootlesskit:
https://packages.ubuntu.com/noble/amd64/apparmor/filelist

/etc/apparmor.d/rootlesskit

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/rootlesskit>
}
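The installer check in the description hardcodes /usr/local/bin/rootlesskit. As an added example (not code from the issue or from the docker project), the same three conditions and the profile rendering are written below as shell functions that take the binary path and the directories as parameters, plus a helper that reports whether the sysctl is merely present or actually set to 1 on the host. The function names and directory parameters are assumptions for illustration.

```shell
# Added example, not part of the issue or the docker project: reusable checks
# for the rootlesskit AppArmor workaround. Directory paths are parameters so
# the functions can be exercised against a scratch tree instead of the host.

# apparmor_profile_name PATH: AppArmor's file-name convention for a binary
# path (leading slash dropped, remaining slashes become dots), e.g.
# /usr/local/bin/rootlesskit -> usr.local.bin.rootlesskit
apparmor_profile_name() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# userns_restriction_state PROC_SYS_DIR: prints "enforced" when the sysctl
# exists and is 1, "available" when it exists but is 0, "absent" otherwise.
userns_restriction_state() {
    f="$1/kernel/apparmor_restrict_unprivileged_userns"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = 1 ]; then
        echo enforced
    else
        echo available
    fi
}

# needs_rootlesskit_profile BINARY APPARMOR_DIR PROC_SYS_DIR: same three
# conditions as the installer check, for any binary path (0 = profile needed).
needs_rootlesskit_profile() {
    bin=$1; apparmor_d=$2; procsys=$3
    [ "$(userns_restriction_state "$procsys")" != absent ] || return 1
    [ -e "$apparmor_d/abi/4.0" ] || return 1
    [ ! -e "$apparmor_d/$(apparmor_profile_name "$bin")" ] || return 1
}

# render_rootlesskit_profile BINARY: print an unconfined profile that keeps
# the `userns` permission, as in the issue, for an arbitrary binary path.
render_rootlesskit_profile() {
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

$1 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$(apparmor_profile_name "$1")>
}
EOF
}
```

Run `render_rootlesskit_profile "$(command -v rootlesskit)"` to see the profile for the binary actually on PATH before writing it under /etc/apparmor.d.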
