apparmor: allow getattr on usb devices

apparmor: allow getattr on usb devices

For the handling of usb we already allow plenty of read access,
but so far /sys/bus/usb/devices only needed read access to the directory
to enumerate the symlinks in there that point to the actual entries via
relative links to ../../../devices/.

But in more recent systemd with updated libraries a program might do
getattr calls on those symlinks. And while symlinks in apparmor usually
do not matter, as it is the effective target of an access that has to be
allowed, here the getattr calls are on the links themselves.

On USB hostdev usage that causes a set of denials like:
 apparmor="DENIED" operation="getattr" class="file"
 name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
 requested_mask="r" denied_mask="r" ...

It is safe to read the links, therefore add a rule to allow it to
the block of rules that covers the usb related access.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn at redhat.com>