Comment 3 for bug 2064144

Maxime Bélair (mbelair) wrote :

This bug is due to lxc using invalid mount rules according to the specification.

`man 5 apparmor.d` ==> `[mountpoint] must start with '/' (after variable expansion)`.

We can find such problematic rules in `src/lxc/lsm/apparmor.c` and `config/apparmor/abstractions/{start-container.in,container-base,container-base.in}`:

    $ cd lxc
    $ grep -r '\-> \*\*,'
    config/apparmor/abstractions/start-container.in: mount options=(rw, make-slave) -> **,
    config/apparmor/abstractions/start-container.in: mount options=(rw, make-rslave) -> **,
    [...]
    src/lxc/lsm/apparmor.c:" mount options=(rw,make-unbindable) -> **,\n"
    src/lxc/lsm/apparmor.c:" mount options=(rw,make-runbindable) -> **,\n"
    [...]
    $ grep -r '\-> \*\*,'|wc -l
    36

Although this restriction is only enforced in AppArmor since version 4.0, similar restrictions have always been in place for files: `/** ix,` is a valid rule but `** ix` is not. Therefore, IMHO, the best way to handle this issue would be to create a merge request for lxc to update their rules (hence not making any change to AppArmor, since the rule is indeed invalid).

@jjohansen Would you agree with this approach?

Side note: In man apparmor.d, we also find
    `mount,
    the 'mount' rule without any conditionals is the most generic and allows any mount. Equivalent to 'mount fstype=** options=** ** -> /**'.`

IMO we should remove the sentence `Equivalent to 'mount fstype=** options=** ** -> /**'` since this rule is very invalid, even for apparmor_parser and could confuse AppArmor users.
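A small checker for the mountpoint requirement quoted above, added here as an example (it is neither lxc's nor AppArmor's code): it flags every mount rule whose mountpoint does not start with '/' after @{VAR} expansion and rewrites bare `**` mountpoints to `/**`. The sample profile, the line-based parsing and the `fix_profile` helper are simplifications assumed for the example, not apparmor_parser's grammar.

```python
import re
from typing import Optional

# Constructed sample modelled on the rules the report greps out of lxc
# (start-container.in, apparmor.c); it is not the real file contents.
SAMPLE_PROFILE = """\
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw,make-unbindable) -> **,
  mount fstype=proc -> /proc/,
  mount options=(rw, bind) @{PROC}/sys/ -> @{PROC}/sys/,
  mount,
"""

def mountpoint_of(rule: str) -> Optional[str]:
    """Return the [mountpoint] operand (text after '->') of a mount rule, or
    None for non-mount lines and for the bare 'mount,' rule, which has no
    mountpoint and is the fully generic form."""
    rule = rule.strip()
    if not rule.startswith("mount") or not rule.endswith(",") or "->" not in rule:
        return None
    return rule[:-1].split("->", 1)[1].strip()

def expand_variables(path: str, variables: dict) -> str:
    """Expand @{VAR} references; unknown variables are left untouched, so a
    rule that depends on an undefined variable is still reported."""
    return re.sub(r"@\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), path)

def find_invalid_mount_rules(profile_text: str, variables: Optional[dict] = None) -> list:
    """Return (line number, rule) for each mount rule whose mountpoint does not
    start with '/' after variable expansion, which is what apparmor.d(5)
    requires and apparmor_parser 4.0 enforces."""
    variables = variables or {}
    bad = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        mp = mountpoint_of(line)
        if mp is not None and not expand_variables(mp, variables).startswith("/"):
            bad.append((lineno, line.strip()))
    return bad

def fix_mount_rule(rule: str) -> str:
    """Rewrite a bare-glob mountpoint such as '**' to '/**'. Rules that are
    already absolute, or that start with a variable (which may expand to an
    absolute path), are returned unchanged."""
    mp = mountpoint_of(rule)
    if mp is None or mp.startswith("/") or mp.startswith("@{"):
        return rule
    head, _, _ = rule.rstrip().rpartition("->")
    return f"{head}-> /{mp},"

def fix_profile(profile_text: str) -> str:
    """Apply fix_mount_rule line by line (assumed helper, one rule per line)."""
    return "\n".join(fix_mount_rule(line) for line in profile_text.splitlines()) + "\n"
```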