Once Whonix is based on Debian version 9 (codename Stretch), systemd will provide an AppArmorProfile= option.
Quoted from https://wiki.debian.org/AppArmor/Progress:
Integrate with systemd by: waiting for systemd v210+, which has an ApparmorProfile= option, or ship upstart's /lib/init/apparmor-profile-load as an apparmor helper script and call it in systemd's ExecPreStart=
Quoted from http://manpages.debian.org/cgi-bin/man.cgi?&query=systemd.exec:
AppArmorProfile= Takes a profile name as argument. The process executed by the unit will switch to this profile when started. Profiles must already be loaded in the kernel, or the unit will fail. This results in a non-operation if AppArmor is not enabled. If prefixed by "-", all errors will be ignored.
onion-grater (Control Port Filter Proxy)'s AppArmor profile, /etc/apparmor.d/usr.sbin.cpfpd, is already effective without that option. One can verify this by commenting out a rule in the profile as a test: after a reboot, denied messages show up in the log.
TODO research:
- What is the AppArmorProfile= option good for?
- Should we use it?
- Should we prefix it with "-"?
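As an added example (not from the Whonix wiki or the onion-grater project), a POSIX shell script that puts the man page text and the cpfpd check above into practice: it tests whether a profile is loaded in the kernel (the precondition AppArmorProfile= imposes), prints the unit drop-in with and without the "-" prefix, and counts apparmor="DENIED" events for one profile over constructed log lines. The profile name /usr/sbin/cpfpd is an assumption inferred from the file name usr.sbin.cpfpd.

```shell
#!/bin/sh
# Added example, not from the Whonix wiki. The profile name /usr/sbin/cpfpd
# (inferred from the file name /etc/apparmor.d/usr.sbin.cpfpd) is an
# assumption for illustration.
set -eu

# The kernel's list of loaded profiles, one "<name> (<mode>)" per line.
APPARMOR_PROFILES=${APPARMOR_PROFILES:-/sys/kernel/security/apparmor/profiles}

# Return 0 if the named profile is loaded; AppArmorProfile= without "-"
# makes the unit fail to start when this is not the case.
profile_loaded() {
    [ -r "$APPARMOR_PROFILES" ] && grep -q "^$1 (" "$APPARMOR_PROFILES"
}

# Print the drop-in that attaches a profile to a unit. With strict=yes the
# unit fails if the profile is missing; otherwise the "-" prefix ignores errors.
drop_in_text() {
    prefix=""
    [ "$2" = "yes" ] || prefix="-"
    printf '[Service]\nAppArmorProfile=%s%s\n' "$prefix" "$1"
}

# Count apparmor="DENIED" audit events for one profile in log text on stdin.
count_denials() {
    grep -c "apparmor=\"DENIED\".*profile=\"$1\"" || true
}

# Constructed sample lines in the kernel's AppArmor audit format (not real captures).
SAMPLE_LOG='audit: type=1400 audit(1500000000.100:10): apparmor="DENIED" operation="open" profile="/usr/sbin/cpfpd" name="/etc/hostname" pid=1234 comm="cpfpd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1500000000.200:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cpfpd" name="/etc/hostname" pid=1234 comm="cpfpd" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1500000000.300:12): apparmor="DENIED" operation="open" profile="/usr/sbin/tor" name="/etc/hostname" pid=1235 comm="tor" requested_mask="r" denied_mask="r"'

main() {
    if profile_loaded /usr/sbin/cpfpd; then
        echo "profile loaded: a plain AppArmorProfile= line is safe"
    else
        echo "profile not loaded: a unit with AppArmorProfile= would fail to start"
    fi
    drop_in_text /usr/sbin/cpfpd no
    echo "DENIED events for /usr/sbin/cpfpd: $(printf '%s\n' "$SAMPLE_LOG" | count_denials /usr/sbin/cpfpd)"
}
main "$@"
```

On a real system, feed count_denials with `dmesg` or `journalctl -k` output instead of the constructed sample.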