[18.03] Fix AppArmor not being applied to Exec processes

[thaJeztah]

cherry-pick of moby/moby#36466

git checkout -b 18.03-fix-exec-apparmor upstream/18.03 
git cherry-pick -s -S -x -Xsubtree=components/engine 8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34

No conflicts

fixes moby/moby#36456

Exec processes do not automatically inherit AppArmor profiles from the container.

This patch sets the AppArmor profile for the exec process.

Before this change:

apparmor_parser -q -r <<EOF
#include <tunables/global>
profile deny-write flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  network,
  deny /tmp/** w,
  capability,
}
EOF

docker run -dit --security-opt "apparmor=deny-write" --name aa busybox

Running docker exec doesn't get the profile applied:

docker exec aa sh -c 'mkdir /tmp/test'
(no error)

With this change:

Running docker exec gets the AppArmor profile applied

docker exec aa sh -c 'mkdir /tmp/test'
mkdir: can't create directory '/tmp/test': Permission denied

- How to verify it

Build a .deb from this PR, using the Docker CE packaging scripts; https://github.com/docker/docker-ce-packaging/tree/master/deb

make \
  ENGINE_DIR=$GOPATH/src/github.com/docker/docker \
  CLI_DIR=$GOPATH/src/github.com/docker/cli \
  ubuntu-xenial  

Which puts the package in debbuild/ubuntu-xenial

On an Ubuntu 16.04 machine, install the package:

dpkg -i ./docker-ce_0.0.0~dev~git20180302.121756.0.dae4588d4-0~ubuntu_amd64.deb

Run the reproduction steps above

- Description for the changelog

* Fix AppArmor profiles not being applied to `docker exec` processes [moby/moby#36466](https://github.com/moby/moby/pull/36466)

[andrewhsu]

LGTM