Secmark allows us to label packets with fairly arbitrary iptables rules, and these patches give a mechanism for then applying AppArmor policy to those labels. I haven't really thought through how this applies to existing network policy, so feedback on that is welcome.