| field | value | date |
|---|---|---|
| author | Jamie Strandboge <jamie@canonical.com> | 2011-07-14 12:06:20 -0500 |
| committer | Eric Blake <eblake@redhat.com> | 2011-07-14 11:41:48 -0600 |
| commit | 3d7320403b8dd8b224a0c1eb832cfb2e89818ed3 | |
| tree | 856bfa1ce27f2b2b6f385550bf93c235f10e9765 /examples | |
| parent | xenapi: Improve error reporting in xenapiOpen | |
update apparmor security driver for new udev paths
In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].
Attached is a patch that:
* adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
* adjusts example/apparmor/libvirt-qemu paths for /dev/shm
[1] https://launchpad.net/bugs/810270
--
Jamie Strandboge | http://www.canonical.com
Diffstat (limited to 'examples')
-rw-r--r-- | examples/apparmor/libvirt-qemu | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index 32515366c..10cdd36b5 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -27,9 +27,9 @@ # but may constitute a security risk. If your environment does not require # the use of sound in your VMs, feel free to comment out or prepend 'deny' to # the rules for files in /dev. - /dev/shm/ r, - /dev/shm/pulse-shm* r, - /dev/shm/pulse-shm* rwk, + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, /dev/snd/* rw, capability ipc_lock, # 'kill' is not required for sound and is a security risk. Do not enable |
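Review bot: the three `+` lines in this hunk drop the `/` that followed `shm` in the lines they replace, so `/{dev,run}/shmpulse-shm* r,` matches an entry literally named `shmpulse-shm...` directly under `/dev` or `/run`, not the `pulse-shm*` segments under `/dev/shm/` that the removed `/dev/shm/pulse-shm*` rules covered, and `/{dev,run}/shm r,` names the `shm` entry itself rather than the directory read that the removed `/dev/shm/ r,` granted. In enforce mode the confined QEMU process will therefore be denied the pulse shared-memory files instead of being allowed them at the new location, which breaks guest sound rather than merely tightening the profile. Suggest restoring the separator:
  /{dev,run}/shm/ r,
  /{dev,run}/shm/pulse-shm* r,
  /{dev,run}/shm/pulse-shm* rwk,
That keeps the rules exactly as narrow as the originals; the `{dev,run}` alternation itself is fine, since, as the commit message notes, AppArmor matches on the resolved path and so the `/run/shm` form is needed even where `/dev/shm` is a symlink to it.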