I'm thinking of enabling whole-system AppArmor protection. As far as I understand, to do this, the init system needs to do the following:
- Load AppArmor profiles into the kernel
- Switch into the AppArmor profile
- Remove CAP_MAC_ADMIN from capability bounding set
If I understand this correctly, after this, all processes would be confined by AppArmor and no process will be able to disable it (since even logging in as root won't give the user the CAP_MAC_ADMIN permission needed to change AppArmor settings since it's removed from capability bounding set).
I'm asking this because I've already done it in a container (in particular, I proposed a pull request to the Waydroid project that would enable it for the container). However, in that case it was done by the container manager, not by the init process. I wonder whether it's required to modify init to do this, or whether it's possible to achieve this in the initramfs by loading the profiles (and removing CAP_MAC_ADMIN) first and then executing systemd confined by AppArmor.
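As an added illustration (not code from the question or from the Waydroid pull request), a small C hand-over wrapper of the kind an initramfs could run as its last step: it drops CAP_MAC_ADMIN from the bounding set, asks the kernel to put the next exec under a named profile, then execs the real init, and it includes the CapBnd check a practitioner would use to verify the result on the booted system. It assumes the profiles were already loaded with apparmor_parser, that the wrapper runs with CAP_SETPCAP (as PID 1 in an initramfs does) on an AppArmor-enabled kernel, and that the profile name and init path are passed as arguments; the hypothetical function names are mine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>   /* CAP_MAC_ADMIN == 33 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* 1 if bit `cap` is set in a CapBnd hex mask as printed in /proc/<pid>/status,
 * 0 if clear, -1 if the mask is malformed. Pure function, used for verification. */
int capbnd_has(const char *mask_hex, int cap) {
    char *end;
    unsigned long long mask = strtoull(mask_hex, &end, 16);
    if (end == mask_hex || *end != '\0' || cap < 0 || cap > 63) return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Same check against a live process ("self" or a pid); e.g. capbnd_has_pid("1",
 * CAP_MAC_ADMIN) should return 0 on a system booted through this wrapper. */
int capbnd_has_pid(const char *pid, int cap) {
    char path[64], line[256];
    int res = -1;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapBnd:\t", 8) == 0) {
            line[strcspn(line, "\n")] = '\0';
            res = capbnd_has(line + 8, cap);
            break;
        }
    fclose(f);
    return res;
}

/* AppArmor's "exec <profile>" command: confine the *next* execve under profile. */
int apparmor_confine_on_exec(const char *profile) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "exec %s", profile);
    int fd = open("/proc/self/attr/apparmor/exec", O_WRONLY);
    if (fd < 0) fd = open("/proc/self/attr/exec", O_WRONLY);  /* older kernels */
    if (fd < 0) return -1;
    int ok = (write(fd, cmd, n) == n) ? 0 : -1;
    close(fd);
    return ok;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s <profile> <init> [args]\n", argv[0]); return 2; }
    /* Bounding-set drops are permanent and inherited by everything init spawns. */
    if (prctl(PR_CAPBSET_DROP, CAP_MAC_ADMIN, 0, 0, 0) != 0) { perror("PR_CAPBSET_DROP"); return 1; }
    if (apparmor_confine_on_exec(argv[1]) != 0) { perror("set exec profile"); return 1; }
    execv(argv[2], argv + 2);
    perror("execv");
    return 1;
}
```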