If the dynamic behavior is based on kernel abilities, why are we going to create an external tool which is then added on a boot sequence so it can update a file which is then read by snap-confine so it can then take a decision to use apparmor or not? Alternative: add the exact same logic in snap-confine and read/write nothing?
That’s the sort of thinking we need to put on this problem before we create the kitchen sink. We need to think through the actual problems we’re solving before we do busy work which seems to make progress but in unclear ways.