    Leverage AppArmor's in-kernel solution for determining executable paths. · ec31cf6f
    anonym authored
    Using /proc/pid/cmdline is not secure since it can be trivially set
    with, for instance:
    
        exec -a "pwned" sh -c 'cat /proc/$$/cmdline'
    
    The /proc/pid/exe symlink is not good enough for scripts (since it will
    point to the interpreter, not the script) so let's instead use
    AppArmor's in-kernel solution for determining executable paths. We
    fall back to /proc/pid/exe for unconfined processes, which leaves us with
    only unconfined scripts not being supported by tor-controlport-filter.
    However, profiles in complain mode are still good enough, so a trivial
    stub profile in complain mode is enough, which is exactly what we do for
    onionshare and onioncircuits.
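An added illustration of the lookup the message describes (example code, not this commit's diff or tor-controlport-filter's own implementation): read the AppArmor label from /proc/<pid>/attr/current, accept enforce or complain profiles, and fall back to /proc/<pid>/exe only for unconfined processes. It assumes, as the message's wording suggests, that the profile name is the executable path; the reader callbacks are injectable so the parsing can be exercised with constructed labels.

```python
import os
from typing import Callable, Optional, Tuple

# Added illustration, not tor-controlport-filter's own code.
def parse_apparmor_label(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """Parse the text of /proc/<pid>/attr/current into (profile, mode).

    AppArmor reports "<profile> (<mode>)" for confined processes and
    "unconfined" otherwise; mode is "enforce" or "complain".
    """
    label = raw.rstrip("\n\0")
    if not label or label == "unconfined":
        return None, None
    if label.endswith(")") and " (" in label:
        profile, _, mode = label[:-1].rpartition(" (")
        return profile, mode
    return label, None  # bare profile name without a mode suffix

def _read_label(pid: int) -> str:
    with open(f"/proc/{pid}/attr/current") as f:
        return f.read()

def _read_exe(pid: int) -> str:
    return os.readlink(f"/proc/{pid}/exe")

def executable_path(
    pid: int,
    read_label: Callable[[int], str] = _read_label,
    read_exe: Callable[[int], str] = _read_exe,
) -> Tuple[Optional[str], str]:
    """Return (path, source) for pid.

    source is "apparmor" when a profile (enforce or complain, both accepted
    as in the commit message) supplied the path, or "exe" for the
    /proc/<pid>/exe fallback. For an unconfined script the fallback names
    the interpreter, not the script, so callers filtering on script paths
    must treat source == "exe" as unsupported.
    Assumption: profiles are attached by path, so the profile name is the
    executable path (as with stub profiles named after the binary).
    """
    try:
        profile, _mode = parse_apparmor_label(read_label(pid))
    except OSError:  # AppArmor unavailable or attr unreadable
        profile = None
    if profile is not None:
        return profile, "apparmor"
    try:
        return read_exe(pid), "exe"
    except OSError:  # process gone or not readable
        return None, "exe"
```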