fix(apparmor): allow inet/inet6/unix sockets in cri-containerd profile

Add explicit AppArmor rules to permit common socket types (inet, inet6, unix)
needed by Kubernetes workloads (e.g., kube-controller, coredns). Plucky ships
AppArmor 4.1.0, which is stricter and requires exact socket types to be set.
This resolves "apparmor=DENIED operation=create class=net" denials.

Fixes #5082
Fixes #5190
Fixes #5140

Author: bschimke95

microk8s-resources/containerd-profile

@@ -6,7 +6,9 @@ profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
   #include <abstractions/base>
 
 
-  network,
+  network inet,
+  network inet6,
+  network unix,
   capability,
   file,
   umount,
@@ -37,4 +39,4 @@ profile cri-containerd.apparmor.d flags=(attach_disconnected,mediate_deleted) {
 
   signal (receive) peer=snap.microk8s.daemon-kubelite,
   signal (receive) peer=snap.microk8s.daemon-containerd,
-}
+}