[apparmor] dynamic profiles

[Kees Cook]

We have a situation where "/etc/init.d/apparmor reload" will remove all
profiles that are not listed in /etc/apparmor.d/ but this causes a problem
for profiles that are dynamically generated (for example, libvirt's
profiles).

I'm not sure the best way to deal with this, though I would note that at
least in libvirt's case, the profile name does not start with a leading
"/", so it could be possible to just have apparmor leave profiles like that
in place.

Thoughts?

-Kees

-- 
Kees Cook
Ubuntu Security Team