rootless: update docs and containerd-rootless-setuptool.sh check for Ubuntu 24.04 (kernel.apparmor_restrict_unprivileged_userns)

[AkihiroSuda]

Ubuntu 24.04 will enable kernel.apparmor_restrict_unprivileged_userns by default (LP 2046477, LP 2046844), so rootless setup needs the following steps:

if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ] && [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
  cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<EOF
# Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
# to restrict unsharing user namespaces:
# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
#
# kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
# but it is expected to be enabled in future releases of Ubuntu.
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.local.bin.rootlesskit>
}
EOF
  systemctl restart apparmor.service

Lima already does this automatically.
https://github.com/lima-vm/lima/blob/v0.20.1/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh#L80-L98