Freeze the AppArmor kernel feature set too
The goal here is to speed up boot by generating a binary policy cache that will match the policy features the parser will use at runtime.

On Buster parser.conf was using features-file and it just worked. But on Bullseye, the old --features-file was split into --kernel-features and --compile-features, and the default parser.conf only sets --compile-features (which makes sense on Debian, less so in the context of this pre-compiling hook). So without this commit, at build time, the parser asks the Vagrant box's kernel which features it supports, which fails because we're in a chroot, and then it fails to save the cache. Similarly, without --kernel-features, at boot time a newer kernel, whose feature set does not match the one used when compiling the cache, would invalidate that cache.

To fix this, let's set kernel-features ourselves, to go back to the Buster situation, both wrt. generating the cache, and wrt. loading the cache.

refs #18906
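An added example (not part of this commit or the project's code): a shell check that reports which of the two feature sets a given parser.conf pins, so a build can detect the "compile-only" state described above before generating the cache. It assumes parser.conf lists long options without the leading dashes as `name=value` or `name value` lines; the function name and sample paths are hypothetical.

```shell
# Report which AppArmor feature sets a parser.conf pins.
# Assumptions (not from the commit): options appear one per line as
# "name=value" or "name value", and "#" starts a comment.
# Prints one of: pinned, compile-only, kernel-only, unpinned, unreadable.
aa_feature_pins() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        {
            sub(/#.*/, "")                # drop comments
            sub(/[ \t]*=[ \t]*/, " ")     # normalise "name = value" to "name value"
        }
        NF >= 2 && $1 == "kernel-features"  { k = $2 }
        NF >= 2 && $1 == "compile-features" { c = $2 }
        END {
            if (k != "" && c != "") print "pinned"        # cache independent of the running kernel
            else if (c != "")       print "compile-only"  # parser still queries the running kernel
            else if (k != "")       print "kernel-only"
            else                    print "unpinned"
        }' "$1"
}

# Usage (path is a constructed placeholder):
#   aa_feature_pins /path/to/chroot/etc/apparmor/parser.conf
```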