Detect kernel support for unprivileged user namespaces and add a conditional for it

[glitsj16]

There are several profiles that offer extra hardening opportunities when the kernel supports unprivileged user namespaces. An example is chromium-common.profile:

firejail/etc/profile-a-l/chromium-common.profile

Lines 28 to 31 in c16f7a2

	# If your kernel allows the creation of user namespaces by unprivileged users
	# (for example, if running `unshare -U echo enabled` prints "enabled"), you
	# can add the next line to your chromium-common.local.
	#include chromium-common-hardened.inc.profile

My guess is a large section of our users miss out on such hardening gains because they never actually read the profiles (for better or worse). If we could integrate a kernel support check for unprivileged user namespaces into Firejail (e.g. via the referenced unshare -U echo enabled code snippet or otherwise) it would be easy to add a conditional for that and ensure the profile is as hardened as possible.

The above example could then be rewritten in a one-liner:

?HAS_USERNS: include chromium-common-hardened.inc.profile