Commit
lxd/apparmor/instance_lxc: fix all ro+remount rules
While investigating canonical#13810 I found that all ro+remount rules in the form:

mount options=(ro,remount,bind,A,B,C) /some_pattern{,/**},

just do not work at all.

This remount+bind case is a very special one, and we should rewrite all rules in this form:

mount options=(ro,remount,bind,A,B,C) -> /some_pattern{,/**},

This syntax is not new. This change should be compatible with very old AppArmor versions including 2.11.

Explanation why it was not noticed for years is that for unprivileged container case we have an analogical rule but in a wider form:

mount options=(ro,remount,bind,nodev,A,B,C),

which masks the issue. But for privileged containers it's not.

So, let's fix this for correctness.

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
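A checker for the rule form described in the commit message above, as an added example that is not code from the LXD project: it flags single-line mount rules whose options include ro, remount and bind but that lack `->`, and returns the rewritten form. The function names and the sample profile lines are constructed for illustration.

```python
import re

# Single-line AppArmor mount rule: options list, then either "-> target"
# or a bare path pattern, terminated by a comma.
RULE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<prefix>mount\s+options=\((?P<opts>[^)]*)\))"
    r"\s+(?P<arrow>->\s*)?(?P<path>\S+?),\s*$"
)
REQUIRED = {"ro", "remount", "bind"}


def check_rule(line):
    """Return the rewritten rule if line is a ro+remount+bind rule without '->', else None."""
    m = RULE_RE.match(line)
    if not m or m.group("arrow"):
        return None
    opts = {o.strip() for o in m.group("opts").split(",")}
    if not REQUIRED <= opts:
        return None
    return f"{m.group('indent')}{m.group('prefix')} -> {m.group('path')},"


def lint_profile(text):
    """Return (line_number, original, suggested) for each affected rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fixed = check_rule(line)
        if fixed is not None:
            findings.append((n, line, fixed))
    return findings


# Constructed sample profile fragment (not taken from LXD's generated profile).
SAMPLE = """\
  mount options=(ro,remount,bind,nosuid) /usr{,/**},
  mount options=(ro,remount,bind,noexec) -> /opt{,/**},
  mount options=(rw,bind) /mnt/data/,
  mount fstype=proc -> /proc/,
"""

if __name__ == "__main__":
    for n, old, new in lint_profile(SAMPLE):
        print(f"line {n}: {old.strip()}\n   fix: {new.strip()}")
```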