Introduce AppArmor profile

Upstream doesn't ship an AppArmor profile, but now that tools call passt(1) to set up network connectivity, given that passt ships one, we also need a profile for guestfs-tools with its own passt subprofile, to allow passt to create socket and PID files in the locations specified by guestfs-tools.

Add a very loose profile, at least to start with, granting pretty much unlimited access to the filesystem as well as any capability we might need to manipulate disk images and to untar supermin appliances.

Closes: #1086844