in web001 you should be able to get things working with:
mount -t tmpfs tmpfs /sys/kernel/security/systemctl restart snapdsnap install lxdlxc profile set default security.privileged truelxc profile set default raw.lxc lxc.apparmor.profile=unchanged
That last one is needed as LXC also cannot access the profiles after everything got masked under /sys/kernel/security, so telling it to not change anything will have it behave as wanted.