profiles: also confine Xorg.wrap in addition to Xorg

For now, also use a complain mode flag like with Xorg. However, it may be
possible for complain mode to be dropped from both in the future,
tightening confinement (especially since Xorg.wrap is setuid). A
complain-mode profile can still be useful for Xorg.wrap by giving it a
separate label.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

profiles/apparmor.d/Xorg

@@ -9,6 +9,23 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
+profile Xorg_wrap /usr/lib/xorg/Xorg.wrap flags=(complain) {
+  include <abstractions/base>
+  # Broad directory rules here cover the Xorg wrapper config file too
+  # Included abstractions/dri-common includes dri device files
+  include <abstractions/X>
+
+  # Privileges dropped if root is not needed due to cards supporting kms
+  capability setuid,
+  capability setgid,
+
+  /usr/lib/xorg/Xorg.wrap mr,
+  /usr/lib/xorg/Xorg px,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/Xorg_wrap>
+}
+
 # Note: attach_disconnected appears necessary in rootless mode
 profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
   include <abstractions/base>