[Qubes] Icedove with qubes-split-gpg requires /dev/xen/privcmd permissions


Qubes updates (2016-12-04) have added a new apparmor requirement for using qubes-split-gpg.

audit: type=1400 audit(1480979960.153:62): apparmor="DENIED" operation="open" profile="/usr/lib/icedove/icedove" name="/dev/xen/privcmd" pid=3371 comm="qrexec-client-v" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

The current profile allows @{PROC}/xen/privcmd rw. Adding /dev/xen/privcmd rw fixes the issue.

Don’t know why this change occurred or security implications.

edit: appears that @{PROC}/xen/privcmd rw is no longer needed.