add more unconfined profiles

These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123

!1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Note that unconfined mode should be changed for default_allow when
!1109

 is merged.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

profiles/apparmor.d/devhelp

+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile devhelp /usr/bin/devhelp flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/devhelp>
+}

profiles/apparmor.d/epiphany

+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/epiphany>
+}

profiles/apparmor.d/evolution

+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile evolution /usr/bin/evolution flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/evolution>
+}

profiles/apparmor.d/opam

+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile opam /usr/bin/opam flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/opam>
+}