Comment 3 for bug 1503762

Seth Arnold (seth-arnold) wrote :

Darix suggests the instances aren't a great idea. He instead recommends reading variables from a configuration file that are then used in the exec lines of the systemd unit file:

[Unit]
Description=AppArmor profiles
DefaultDependencies=no
After=local-fs.target
Before=sysinit.target

[Service]
Type=oneshot
EnvironmentFile=-/etc/sysconfig/apparmor
ExecStart=/usr/sbin/apparmor_parser -r $APPARMOR_SEARCH_LIST
ExecStop=/usr/sbin/apparmor_parser -R $APPARMOR_SEARCH_LIST
ExecReload=/usr/sbin/apparmor_parser --reload $APPARMOR_SEARCH_LIST
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Then we could set the APPARMOR_SEARCH_LIST to /etc/apparmor.d/ on traditional systems, /etc/apparmor.d/ and /var/foo/click/apparmor.d/ on phones, /var/bar/snap/apparmor.d/ on snap-based things, etc.

cboltz reports that one-shot units do support ExecReload.
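
A pre-flight check for the search list that the unit above consumes, as an added example that is not part of the original comment or of any AppArmor packaging. The names resolve_search_list and DEFAULT_LIST, the fallback to /etc/apparmor.d, and the rule of skipping world-writable directories are assumptions made for this sketch; it handles a plain or double-quoted KEY=value line only.

```shell
#!/bin/sh
# Added example (not from the bug report). resolve_search_list and
# DEFAULT_LIST are assumed names; the variable name comes from the unit.
DEFAULT_LIST=/etc/apparmor.d

# Print one usable profile directory per line; return 1 if none qualifies.
# $1: EnvironmentFile-style config, e.g. /etc/sysconfig/apparmor
resolve_search_list() {
    conf=$1
    list=
    if [ -r "$conf" ]; then
        # Parse the assignment as text; the last one wins. Never source the file.
        list=$(sed -n 's/^APPARMOR_SEARCH_LIST=//p' "$conf" | tail -n 1)
        list=${list#\"}; list=${list%\"}    # drop one pair of double quotes
    fi
    # The unit marks the file optional ("-" prefix), so an unset or empty
    # variable must not leave the parser without a path.
    [ -n "$list" ] || list=$DEFAULT_LIST

    set -f              # no glob expansion while splitting on whitespace
    set -- $list
    set +f
    found=1
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skip $dir: not a directory" >&2
        elif [ -n "$(find -H "$dir" -prune -perm -0002)" ]; then
            # Anyone able to write here could change the policy that gets loaded.
            echo "skip $dir: world-writable" >&2
        else
            printf '%s\n' "$dir"
            found=0
        fi
    done
    return "$found"
}
```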