Running snapd inside `lxc.apparmor.profile=unconfined` containers

We looked into running snapd in LXC containers that use a config like:

raw.lxc: |

In this configuration the container itself will not have `CAP_MAC_ADMIN`, which means that nothing inside the container can manipulate the AppArmor confinement. This is a problem for snapd, which relies on AppArmor. After some unsuccessful attempts to run snapd without AppArmor inside such an environment, I think we need to error with a clean message.

The following PR: implements this new approach.

This will avoid the very confusing errors that people currently get when trying to run snaps inside such an environment.
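The missing-capability condition described above can be detected up front by decoding the effective capability mask in `/proc/self/status`. The following is an added example, not snapd's code and not the code from the PR; the function names `hasCap` and `checkAppArmorUsable` are hypothetical, and it covers only the `CAP_MAC_ADMIN` condition the post describes.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capMacAdmin is the bit number of CAP_MAC_ADMIN in <linux/capability.h>.
const capMacAdmin = 33

// hasCap reports whether capability bit n is set in the named mask
// (e.g. "CapEff") of the text of a /proc/<pid>/status file.
func hasCap(status, field string, n uint) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		name, val, ok := strings.Cut(line, ":")
		if !ok || name != field {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return false, fmt.Errorf("bad %s mask: %w", field, err)
		}
		return mask&(1<<n) != 0, nil
	}
	return false, fmt.Errorf("%s not found in status", field)
}

// checkAppArmorUsable returns a readable error when CAP_MAC_ADMIN is
// missing from the effective set, so the caller can stop early.
func checkAppArmorUsable(status string) error {
	ok, err := hasCap(status, "CapEff", capMacAdmin)
	if err == nil && !ok {
		err = fmt.Errorf("CAP_MAC_ADMIN not available: cannot manage AppArmor confinement in this container")
	}
	return err
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err == nil {
		err = checkAppArmorUsable(string(data))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Run as root inside the container, it exits non-zero with a single-line message when the capability is absent, rather than failing later during profile loading.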