Pin the AppArmor feature set to the Stretch's kernel one.
Linux 4.14 brings new AppArmor mediation features and the policy shipped in Stretch may not be ready for it. So let's disable these new features to avoid breaking stuff: it's too hard to check if all the policy for apps we ship (and that users install themselves) has the right rules to cope with these new mediation features. This feature set file will be: - either removed: once we install an apparmor package that ships its own, maintained elsewhere, feature set (probably via Debian#879585); - or upgraded: to the Buster kernel's, when we move to Buster, iff. Debian does not ship any pinned feature set then (refs: #15149). This commit ports to our build system the changes that are in Buster/sid currently, except we include the Stretch's kernel feature set while Buster/sid is pinned to Linux 4.14's feature set (the policy in Buster/sid was updated to support it). This is exactly what will likely land in the next Debian Stretch point release. I'm using a different filename from the one used on Debian, in order to make it easier to compare the "upstream" (Debian) file with ours. And while I'm at it I'm adding a build-time sanity check that will warn us if there's some maintenance work to do on our side.