apparmor: Allow umount(/dev)

Commit 379c0ce4bfed introduced a call to umount(/dev) performed
inside the namespace that we run QEMU in.

As a result of this, on machines using AppArmor, VM startup now
fails with

  internal error: Process exited prior to exec: libvirt:
  QEMU Driver error: failed to umount devfs on /dev: Permission denied

The corresponding denial is

  AVC apparmor="DENIED" operation="umount" profile="libvirtd"
      name="/dev/" pid=70036 comm="rpc-libvirtd"

Extend the AppArmor configuration for virtqemud and libvirtd so
that this operation is allowed.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>

src/security/apparmor/usr.sbin.libvirtd.in

@@ -35,6 +35,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   mount options=(rw,rslave)  -> /,
   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
   umount /{var/,}run/libvirt/qemu/*.dev/,
+  umount /dev/,
 
   # libvirt provides any mounts under /dev to qemu namespaces
   mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,

src/security/apparmor/usr.sbin.virtqemud.in

@@ -35,6 +35,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
   mount options=(rw,rslave)  -> /,
   mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
   umount /{var/,}run/libvirt/qemu/*.dev/,
+  umount /dev/,
 
   # libvirt provides any mounts under /dev to qemu namespaces
   mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,