fix(apparmor): reduce slow boot caused by large profile sets#1

Draft
TuxLux40 wants to merge 1 commit into
mainfrom
claude/apparmor-startup-slow-rqFF0

Conversation


@TuxLux40 TuxLux40 commented Jun 3, 2026

Problem

On boot, AppArmor can hang for 1–3 minutes (or more) at:

[ *** ] A start job is running for Load App…mor profiles (2min 10s / no limit)

This happens because:

  1. The setup script installs 500–2000+ extended profiles (apparmor-profiles-extra, apparmor.d-git) unconditionally
  2. AppArmor's parser re-reads and recompiles all text-format profiles on every boot unless a binary cache is configured
  3. Cache configuration (write-cache / cache-loc) was only applied for Arch Linux, not for Debian/Ubuntu or other distros

Changes

  • Extended profiles are now opt-in: a [y/N] prompt with a clear warning about the boot-time trade-off appears before installing the large profile packages. Users who just want AppArmor enabled (without the full extended set) can answer N and get a fast boot immediately.
  • configure_apparmor_cache() now runs for all distros: writes write-cache and cache-loc /etc/apparmor/earlypolicy/ into /etc/apparmor/parser.conf so the parser stores a compiled binary cache and reads it on subsequent boots instead of reparsing text files.
  • Cache is pre-populated at install time: apparmor_parser --write-cache runs immediately after profile installation, so the very first reboot is also fast.

Test plan

  • Run apparmor-setup.sh on Ubuntu — answer N to extended profiles, verify boot is fast
  • Run apparmor-setup.sh on Ubuntu — answer Y to extended profiles, verify /etc/apparmor/earlypolicy/ is populated and boot is noticeably faster than before this fix
  • Run apparmor-setup.sh on Arch — same two scenarios
  • Verify aa-status shows loaded profiles after reboot in both cases
  • Verify cat /sys/kernel/security/lsm includes apparmor

https://claude.ai/code/session_016enaEcHMPpE4a97o6Zv1f8


Generated by Claude Code

- Make extended profile installation opt-in with an explicit yes/no
  prompt and a warning that 500–2000+ profiles cause a long first boot
- Extract configure_apparmor_cache() and apply it to all distros, not
  only Arch; writes a binary cache so the parser skips re-reading text
  files on each boot
- Pre-populate the binary cache immediately after installation so the
  first reboot is no slower than necessary

Fixes the boot-time hang shown in the screenshot
([ *** ] A start job is running for Load App…mor profiles, 2min 10s).

https://claude.ai/code/session_016enaEcHMPpE4a97o6Zv1f8
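The cache configuration step that both the description and the commit message above outline, as an added POSIX sh example that is not the PR's own script: it idempotently adds the two directives to parser.conf, refuses a group- or world-writable cache directory (the parser hands cached binary policy to the kernel), and pre-populates the cache. It assumes parser.conf takes one option per line as the CLI flag without its leading `--`, in `option` or `option=value` form; `active_directive_count`, `ensure_directive` and `cache_dir_is_safe` are helper names of my own, not from the setup script.

```shell
#!/bin/sh
# Added example, not the PR's script: the configure_apparmor_cache()
# step it describes, written to be safe to re-run on every distro.
# Assumed parser.conf syntax: one option per line, the CLI flag without
# its leading "--", optionally as option=value.
set -u

PARSER_CONF="${PARSER_CONF:-/etc/apparmor/parser.conf}"
CACHE_DIR="${CACHE_DIR:-/etc/apparmor/earlypolicy/}"

# active_directive_count FILE KEY: uncommented lines that set KEY
active_directive_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Ec "^[[:space:]]*$2([[:space:]]*=|[[:space:]]*\$)" "$1" || true
}

# ensure_directive FILE KEY [VALUE]: append KEY or KEY=VALUE unless an
# active line for KEY exists already. Returns 0 if added, 1 if present.
ensure_directive() {
    [ "$(active_directive_count "$1" "$2")" -eq 0 ] || return 1
    if [ -n "${3:-}" ]; then printf '%s=%s\n' "$2" "$3" >> "$1"
    else printf '%s\n' "$2" >> "$1"; fi
}

# cache_dir_is_safe DIR: the parser feeds cached binary policy to the
# kernel, so a group- or world-writable cache directory is refused.
cache_dir_is_safe() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]
}

# configure_apparmor_cache [CONF] [DIR]: idempotent config step
configure_apparmor_cache() {
    conf="${1:-$PARSER_CONF}" dir="${2:-$CACHE_DIR}"
    mkdir -p "$dir" && chmod 0755 "$dir"
    cache_dir_is_safe "$dir" || { echo "unsafe cache dir: $dir" >&2; return 1; }
    [ -f "$conf" ] || : > "$conf"
    ensure_directive "$conf" write-cache || true
    ensure_directive "$conf" cache-loc "$dir" || true
}

# prepopulate_cache DIR: compile all profiles once now, so the first
# reboot after installation reads the cache instead of reparsing text.
prepopulate_cache() {
    apparmor_parser --write-cache --cache-loc "$1" --replace /etc/apparmor.d/
}
```

Running it twice leaves exactly one `write-cache` and one `cache-loc=` line, and a commented-out `#write-cache` from the distro default is not mistaken for an active setting.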