    Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/... · 6e48b6d6
    intrigeri authored
    Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/filesystem.squashfs/ as well as it applies to /.
    
    That's something I wanted to avoid initially, for various reasons that are
    explained already in [[contribute/design/application_isolation]]. However, now
    that /lib/live/mount/overlay/ is accessible, I see no better way to protect
    files accessed via this path as well as the same files accessed by
    "normal" paths.
    
    These changes are likely to increase policy compilation time a bit; benchmarking
    will tell. If that's too severe a problem, we have a few potential ways out
    that are already documented in the "Increased policy compilation time" section
    of the aforementioned piece of design doc.