apparmor: allow tunnelled migrations.

The pathname for the pipe for tunnelled migration is unresolvable.  The
libvirt apparmor driver therefore refuses access, causing migration to
fail.  If we can't resolve the path, the worst that can happen is that
we should have given permission to the file but didn't.  Otherwise
(especially since this is a /proc/$$/fd/N file) the file is already open
and libvirt won't be refused access by apparmor anyway.

Also adjust virt-aa-helper to allow access to the
*.tunnelmigrate.dest.name files.

For more information, see https://launchpad.net/bugs/869553.
Signed-off-by: NSerge Hallyn <serge.hallyn@canonical.com>

src/security/security_apparmor.c

@@ -38,6 +38,7 @@
 #include "virfile.h"
 #include "configmake.h"
 #include "command.h"
+#include "logging.h"
 
 #define VIR_FROM_THIS VIR_FROM_SECURITY
 #define SECURITY_APPARMOR_VOID_DOI      "0"
@@ -791,9 +792,9 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
     }
 
     if (virFileResolveLink(proc, &fd_path) < 0) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               "%s", _("could not find path for descriptor"));
-        return rc;
+        /* it's a deleted file, presumably.  Ignore? */
+        VIR_WARN("could not find path for descriptor %s, skipping", proc);
+        return 0;
     }
 
     return reload_profile(mgr, vm, fd_path, true);

src/security/virt-aa-helper.c

@@ -1220,6 +1220,10 @@ main(int argc, char **argv)
                               LOCALSTATEDIR, ctl->def->name);
             virBufferAsprintf(&buf, "  \"/run/libvirt/**/%s.pid\" rwk,\n",
                               ctl->def->name);
+            virBufferAsprintf(&buf, "  \"%s/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
+                              LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf, "  \"/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
+                              ctl->def->name);
             if (ctl->files)
                 virBufferAdd(&buf, ctl->files, -1);
         }