We check files in /sys, so we must do this from host mount namespaces.

The write_img_inventory() is called after kerndat_init() and it's only
called on dump. The bug is triggered on restore, because the mount
namespace of the restored process doesn't have
/sys/kernel/security/apparmor/

I think it's better to initialize the host lsm in a one place for dump
and restore.

Currently we initialize the host lsm when we try to use it at a first
time. It works fine for the dump operation. On restore it doesn't work
because criu checks files in a restored mount namespace and it does this
for each process, what isn't optimal.
Signed-off-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>