Apparmor rule missing for qemu 7.2.0+
A change in qemu modified the way that pre-allocation is done: https://lore.kernel.org/all/20220721120732.118133-7-david@redhat.com/T/#mc0d33502f69c89ee308f089923b5e8d32970d5f0
This change in particular invokes some libnuma calls, which appear to require access to /sys/devices/system/node/*/cpumap, a path that currently isn't permitted under the standard apparmor profile.
We're not sure under which exact circumstances this is triggered, but our suspicion is that it requires a host with multiple NUMA nodes, a guest configured with huge pages for memory, and possibly a CPU pinning configuration.
With the standard apparmor profile the following error/warning messages will show:
$ sudo virsh start test-vm
error: Failed to start domain 'test-vm'
error: internal error: process exited while connecting to monitor: libnuma: Warning: /sys not mounted or invalid. Assuming one node: Permission denied
2023-08-02T12:09:35Z qemu-system-x86_64: The nodes select no CPUs
For some reason apparmor does not log an error for this, but strace does give a hint of what's going on:
openat(AT_FDCWD, "/sys/devices/system/node/node0/cpumap", O_RDONLY) = -1 EACCES (Permission denied)
After adding the following to the apparmor profile, the guest does start:
/sys/devices/system/node/*/cpumap r,
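As an added example (not part of the bug report), the helper below turns a denied openat() line such as the strace output above into the apparmor file rule it implies, generalising the per-node directory to node/* as the fix does, and checks whether a profile or abstraction already carries that rule. The abstraction path /etc/apparmor.d/abstractions/libvirt-qemu is an assumption about the distro layout; the strace line is a constructed sample.

```shell
#!/bin/sh
# Added example, not the reporter's code. Derives an apparmor rule from an
# strace EACCES line and checks a profile for it. Paths here are assumptions.

# Print the apparmor file rule implied by one failed openat()/open() line.
# Returns 1 (prints nothing) for lines that did not fail with EACCES.
strace_to_rule() {
    line=$1
    case "$line" in
        *"= -1 EACCES"*) ;;
        *) return 1 ;;
    esac
    # the path is the first double-quoted argument; pid/timestamp prefixes are fine
    path=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p')
    [ -n "$path" ] || return 1
    # map the open flags to apparmor permissions
    case "$line" in
        *O_RDWR*)   perm=rw ;;
        *O_WRONLY*) perm=w ;;
        *)          perm=r ;;
    esac
    # /sys/devices/system/node/node0/... -> /sys/devices/system/node/*/...
    path=$(printf '%s\n' "$path" | sed 's#/node/node[0-9][0-9]*/#/node/*/#')
    printf '%s %s,\n' "$path" "$perm"
}

# Exit 0 if the profile file $1 already contains rule $2 (leading whitespace ignored).
profile_has_rule() {
    sed 's/^[[:space:]]*//' "$1" | grep -Fqx -- "$2"
}

# Constructed sample: the denial seen in the report.
SAMPLE='openat(AT_FDCWD, "/sys/devices/system/node/node0/cpumap", O_RDONLY) = -1 EACCES (Permission denied)'
ABSTRACTION=/etc/apparmor.d/abstractions/libvirt-qemu   # assumed location

if rule=$(strace_to_rule "$SAMPLE"); then
    echo "suggested rule: $rule"
    if [ -r "$ABSTRACTION" ] && ! profile_has_rule "$ABSTRACTION" "$rule"; then
        echo "rule missing from $ABSTRACTION"
    fi
fi
```

The derived rule matches the one the report adds; on a real host, add it via the local override and reload the profile rather than editing the packaged abstraction.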