[apparmor] Let's enable AppArmor by default (why not?)

[intrigeri]

Hi,

intrigeri:
> Chris Lamb:
>> So… in the spirit of taking (reversible!) risks, can you briefly outline
>> what's blocking us enabling this today? :)

> Thanks for asking!

> I've scheduled time on October 23-27 to:

We made good progress. Thanks a lot to Vincas Dargis and the Ubuntu
and openSUSE folks who helped quite a bit :)

> 1. identify what still prevents us from starting the proposed
>    experiment

Done, see below for the remaining ones.

> 2. fix all the problems identified in #1

We're almost there! Remaining blockers:

 - deal with Linux 4.14 bringing in new mediation features and having
   a bug (until -rc6 at least) precisely in the way it handles the
   obvious mitigation I've applied (feature set pinning): tracked by
   #877581, likely 4.14-rc7 will fix it; worst case, if Linux 4.14
   reaches sid with this bug not fixed yet, I'll revert the feature
   set pinning and we'll deal with whatever bits of policy need
   updates (the most important ones all have patches submitted
   upstream + to the BTS already so I'm confident)

 - enable AppArmor by default in our Linux kernel: I'll file a bug
   about it once the above issue is resolved

 - decide how to pull the AppArmor policy + userspace: tracked by
   #879590, started discussion on this list and with debian-boot@

 - anything else?

> 3. document on the BTS what must be fixed between the time we start
>    the experiment and the time we decide what to do for the Buster
>    release

I'll come back to this later. Not a blocker to start the experiment IMO.

Cheers,
-- 
intrigeri