Comment 3 for bug 1447345

Tyler Hicks (tyhicks) wrote :

After talking with other members of upstream AppArmor, there's nothing that exists today to trigger an AppArmor profile transition upon the call to clone(2). So, the best option would be if we could introduce a patch to call aa_change_profile(2) just before the call to clone(2). That would allow us to place the 'capability sys_admin,' AppArmor rule into the profile that is changed to.
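A sketch of the ordering proposed in the comment above, as an added example that is not code from this bug report or from the AppArmor project. The helper names and the `CLONE_NEWNS` flag are assumptions, and `change_profile()` is a stand-in that writes the `changeprofile` request to procfs itself, so the block builds without libapparmor.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Build the "changeprofile <name>" request; -1 if empty or too long. */
int format_changeprofile(char *buf, size_t len, const char *profile)
{
    if (profile == NULL || profile[0] == '\0')
        return -1;
    int n = snprintf(buf, len, "changeprofile %s", profile);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Stand-in for aa_change_profile(2): the same request written to procfs.
 * Assumes a single-threaded caller, so /proc/self is the calling task. */
int change_profile(const char *profile)
{
    char req[256];
    int n = format_changeprofile(req, sizeof(req), profile);
    if (n < 0)
        return -1;
    int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, req, (size_t)n);
    close(fd);
    return w == (ssize_t)n ? 0 : -1;
}

/* Transition first, then clone(2). Fails closed: no transition, no clone.
 * CLONE_NEWNS is an assumed example of a flag that needs CAP_SYS_ADMIN. */
pid_t spawn_confined(const char *profile, int (*fn)(void *), void *arg)
{
    static _Alignas(16) char stack[256 * 1024];
    if (change_profile(profile) != 0)
        return -1;   /* never clone while still under the original profile */
    /* From here the caller runs under `profile`, and so will the child. */
    return clone(fn, stack + sizeof(stack), CLONE_NEWNS | SIGCHLD, arg);
}

static int child(void *arg) { (void)arg; return 0; }

int main(int argc, char **argv)
{
    return spawn_confined(argc > 1 ? argv[1] : "", child, NULL) < 0;
}
```

For the transition to be permitted, the original profile also needs a `change_profile` rule naming the target profile; the target profile is the one that carries `capability sys_admin,`.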