Add abstract profile for libnuma

For executables dynamically linked to libnuma, the runtimer linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with following error message:

  apparmor="DENIED" operation="open" class="file"
  name="/sys/devices/system/node/" comm="qemu-bridge-hel"
  requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Here is the simplified call trace:

  0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
  1 ... in call_init (...) at ./elf/dl-init.c:74
  2 ... in call_init (...) at ./elf/dl-init.c:120
  3 _dl_init (...) at ./elf/dl-init.c:121
  4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2

This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.

MR: mailing list patch
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

profiles/apparmor.d/abstractions/libnuma

@@ -0,0 +1,22 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  abi <abi/4.0>,
+
+  # this abstract profile can be included by applications that are
+  # dynamically linked to libnuma
+  # libnuma defines the function num_init() as the .init function
+  # to be called by the runtime linker (ld) when libnuma is loaded
+
+  @{sys}/devices/system/cpu/node/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/libnuma.d>