qemu mount namespaces conflict with libvirt 4.6

Reproducible manually in LXD, so we can at least easily iterate on new apparmor rules.

Same issue confirmed on all architectures

We already have plenty of mount move rules due to https://libvirt.org/git/?p=libvirt.git;a=blobdiff;f=examples/apparmor/usr.sbin.libvirtd;h=8d61d154e1e1c3daa9a06d76dbe6ab71e27d28a1;hp=12b9d45bf0534a2bf2d2c68b56458fb76aa96d6e;hb=3343ab0cd99c04761c17a36d9af354536df9e741;hpb=3b1d19e6c9500d392b6635de92877b725d214f7f

But those seem not to cover the new need.

Quick check if non-lXD environments are affected starting at Bionic to be sure:
- Bionic - ok
- Cosmic - ok
- Cosmic with libvirt 4.6 - ok

So the special rule is only needed when stacking
1. apparmor controlled daemons
2. modifying mount namespaces of guests
3. inside containers

Yeah complexity FTW!

Due to that prio for the world = low, prio for my test env = high - lets agree on medium for the bug :-)

Those extra MPs only exist in LXD containers, but other solutions might have other sub /dev/* MPs.
Newer libvirt tries to preserve these into the qemu namespace, which is what breaks it now.

But when resolving the LXD specials I found that others are hit just as much.
E.g. mount:
  devpts on /dev/console type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
triggers:
  profile="/usr/sbin/libvirtd" name="/run/libvirt/qemu/1-kvmguest-cosmic-norm.console" srcname="/dev/console" flags="rw, move"

Essentially any mounts under /dev would have to be covered, we don't want to have a LXD only solution that tomorrow breaks on any other container and/or different LXD setup.

Also hit /dev/net/tun, ... this is not LXD only at all

So instead of the defined list that [1] was for it now tries to preserve al lmounts under /dev.
Since we can't know all the combinations that might be, but trust libvirt with a rather lenient profile anyway lets tweak the rules to match what it does now.

While doing so it might carry a trailing / from the mountpoint.
E.g. /dev/hugepages/ is used with trailing /, but /dev/console is not.
So allow both.

Further libvirt will strip the mount to a simple pathname without subdirs.
For example:
  /dev/net/tun -> /var/run/libvirt/qemu/1-kvmguest-cosmic-norm.net.tun

Therefore an appropriate and in tests working rule would be:

  # libvirt provides any mounts under /dev to qemu namespaces
  mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/**{/,} -> /{var/,}run/libvirt/qemu/*{/,},
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*{/,} -> /dev/**{/,},

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=3343ab0cd99c04761c17a36d9af354536df9e741

FYI: Some of these rules are currently in discussion upstream as I summarized the proposed changes to be included there.

https://www.redhat.com/archives/libvir-list/2018-August/msg00785.html

This bug was fixed in the package libvirt - 4.6.0-2ubuntu1

---------------
libvirt (4.6.0-2ubuntu1) cosmic; urgency=medium

  * Merged with Debian unstable (LP: #1786957).
    Among many other new features and fixes this includes fixes
    for (LP: #1754871), Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - Xen related
      - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
        section that adapts the path of the emulator to the Debian/Ubuntu
        packaging is kept.
      - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
        set VRAM to minimum requirements
      - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
      - Add libxl log directory
      - libvirt-uri.sh: Automatically switch default libvirt URI for users on
        Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
      vmlinuz available and accessible (Debian bug 848314)
    - d/t/control, d/t/smoke-lxc: fix up lxc smoke test isolation
    - Add dnsmasq configuration to work with system wide dnsmasq (drop >18.04,
      no more UCA onto Xenial then which has global dnsmasq by default).
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
      + 0001-apparmor-Allow-pygrub-to-run-on-Debian-Ubuntu.patch: apparmor:
        Allow pygrub to run on Debian/Ubuntu
      + 0003-apparmor-libvirt-qemu-Allow-read-access-to-overcommi.patch:
        ...