merge https://code.launchpad.net/~intrigeri/apparmor/dnsmasq-better-confine-libvirt-leaseshelper/+merge/267822

from intrigery:
  dnsmasq profile: extract confinement of libvirt_leaseshelper into a dedicated sub-profile.

Acked-by: Christian Boltz <apparmor@cboltz.de>

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -57,19 +57,16 @@
   @{TFTP_DIR}/ r,
   @{TFTP_DIR}/** r,
 
-  # libvirt config, lease and hosts files for dnsmasq
+  # libvirt config and hosts file for dnsmasq
   /var/lib/libvirt/dnsmasq/          r,
   /var/lib/libvirt/dnsmasq/*         r,
-  /var/lib/libvirt/dnsmasq/*.leases  rw,
-  /var/lib/libvirt/dnsmasq/*.status* rw,
 
   # libvirt pid files for dnsmasq
   /{,var/}run/libvirt/network/      r,
   /{,var/}run/libvirt/network/*.pid rw,
 
   # libvirt lease helper
-  /usr/lib{,64}/libvirt/libvirt_leaseshelper ix,
+  /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
-  /{,var/}run/leaseshelper.pid rwk,
 
   # lxc-net pid and lease files
   /{,var/}run/lxc/dnsmasq.pid    rw,
@@ -81,6 +78,25 @@
   /{,var/}run/NetworkManager/dnsmasq.conf r,
   /{,var/}run/NetworkManager/dnsmasq.pid w,
 
+  profile libvirt_leaseshelper {
+    #include <abstractions/base>
+
+    /etc/libnl-3/classid r,
+
+    owner @{PROC}/@{pid}/net/psched r,
+    owner @{PROC}/@{pid}/status r,
+
+    /sys/devices/system/cpu/ r,
+    /sys/devices/system/node/ r,
+    /sys/devices/system/node/*/meminfo r,
+
+    # libvirt lease and status files for dnsmasq
+    /var/lib/libvirt/dnsmasq/*.leases  rw,
+    /var/lib/libvirt/dnsmasq/*.status* rw,
+
+    /{,var/}run/leaseshelper.pid rwk,
+  }
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.dnsmasq>
 }