apparmor: virtualize the policy/ directory

virtualize the apparmor policy/ directory so that the current namespace
affects what part of policy is seen. This is done by

 * creating a new apparmorfs filesystem
 * creating a magic symlink from securityfs to the correct apparmorfs
   file in the tree (similar to nsfs use).

apparmor fs data and fns also get renamed some to help indicate where
they are used

  aafs - special magic apparmorfs
  aa_sfs - for fns/data that go into securityfs
  aa_fs - for fns/data that may be used in the either of aafs or securityfs

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
10 files changed