Merge Add curl profile

In order to test the profile, I did the following inside an oracular VM:

- `curl https://ubuntu.com/ -o /tmp/ubuntu`
- `curl 'https://ubuntu.com/security/{CVE-2024-12797,CVE-2025-24032}' -o '#1'`
- `curl -u dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu ftp://ftp.dlptest.com/`

Finally, I ran the package's testsuite:
```
apt source curl
cd curl-8.9.1
./configure --without-ssl # SSL has been tested using the above
make
cd test/server
make
cd ..
./runtests.pl -c $(which curl)
```

The only test which should fail should be the last one, since the build was configured with support for less protocols than the ones provided by the binary we're using (this is expected and happens regardless of whether the profile is loaded or not).

A spread smoke-test is also provided as part of this MR.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1560
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>

profiles/apparmor.d/curl

@@ -0,0 +1,44 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile curl /usr/bin/curl {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/private-files-strict>
+  include <abstractions/ssl_certs>
+
+  @{exec_path} mr,
+
+  # allow reading configuration files from $HOME
+  priority=1 file r @{HOME}/.curlrc,
+  priority=1 file r @{HOME}/.config/curlrc,
+
+  # allow reading other configuration files/certs from $HOME
+  # (see --config, --cacert options)
+  file r @{HOME}/**,
+
+  # allow writing output to $HOME, /tmp (see -o option)
+  file w @{HOME}/**,
+  file w /tmp/**,
+
+  # allows UDP (for DNS), TCP (for http, https, etc), abstract Unix sockets, IPv4, IPv6
+  network unix stream,
+  network unix dgram,
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/curl>
+}

tests/profiles/curl/task.yaml

@@ -0,0 +1,14 @@
+summary: smoke test for the curl profile
+execute: |
+    # set up fake HTTP server
+    echo -ne "HTTP/1.0 200 OK\nContent-type: text/html; charset=utf-8\nContent-Length: 12\n\nhello, world" > res
+    nc -lvp 8080 < res &
+
+    # HTTP GET to server, save result
+    curl http://localhost:8080/ -o /tmp/res
+
+    # assert result is correct
+    test "$(cat /tmp/res)" = "hello, world"
+
+    # The profile is attached based on the program path.
+    "$SPREAD_PATH"/tests/bin/actual-profile-of curl | MATCH 'curl \(enforce\)'