Add sysctl_kernel_apparmor_restrict_unprivileged_unconfined rule

[israel-villar]

Add a new rule and variable to enforce
kernel.apparmor_restrict_unprivileged_unconfined=1 via the sysctl template. This sysctl prevents unprivileged processes from loading AppArmor profiles without confinement, reducing the local attack surface. Map the new rule to the apparmor component.

Description:

• Add new rule sysctl_kernel_apparmor_restrict_unprivileged_unconfined
  and its associated variable
  sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var
  to enforce kernel.apparmor_restrict_unprivileged_unconfined=1.
• Uses the sysctl template.
• Map the new rule to the apparmor component.

Rationale:

• When kernel.apparmor_restrict_unprivileged_unconfined is set to 1,
  unprivileged processes are prevented from loading AppArmor profiles
  without confinement. This reduces the local attack surface by limiting
  what an unprivileged user can do with AppArmor.

Review Hints:

• One new rule directory and one .var file under
  linux_os/guide/system/permissions/restrictions/.
• Build to verify: ./build_product debian13 --datastream-only

[openshift-ci]

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.