update apparmor security driver for new udev paths

In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].

Attached is a patch that:
 * adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
 * adjusts example/apparmor/libvirt-qemu paths for /dev/shm

[1]https://launchpad.net/bugs/810270

--
Jamie Strandboge             | http://www.canonical.com

examples/apparmor/libvirt-qemu

@@ -27,9 +27,9 @@
   # but may constitute a security risk. If your environment does not require
   # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
   # the rules for files in /dev.
-  /dev/shm/ r,
-  /dev/shm/pulse-shm* r,
-  /dev/shm/pulse-shm* rwk,
+  /{dev,run}/shm r,
+  /{dev,run}/shmpulse-shm* r,
+  /{dev,run}/shmpulse-shm* rwk,
   /dev/snd/* rw,
   capability ipc_lock,
   # 'kill' is not required for sound and is a security risk. Do not enable

src/security/virt-aa-helper.c

@@ -1166,6 +1166,8 @@ main(int argc, char **argv)
                               LOCALSTATEDIR, ctl->def->name);
             virBufferAsprintf(&buf, "  \"%s/run/libvirt/**/%s.pid\" rwk,\n",
                               LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf, "  \"/run/libvirt/**/%s.pid\" rwk,\n",
+                              ctl->def->name);
             if (ctl->files)
                 virBufferAdd(&buf, ctl->files, -1);
         }