Comment 2 for bug 491510

Martin Pitt (pitti) wrote :

What I don't like is that it's a single-binary, network-facing process running as root, which seems very dangerous to have given that most of its operations can be done as an unprivileged system user (pinging local services, etc.). I'd much rather have a small suid root callout which can restart processes (factor out the only thing that requires root), and have the main daemon run as "monitdaemon" without particular privileges.

If that's too much effort, can this get a very restrictive apparmor profile which greatly restricts file system read/write access and drops unnecessary capabilities?

Packaging looks fine.
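A sketch of the suid root callout the comment proposes, added here as an example (it is not code from the bug report or from monit): the helper takes exactly one argument, checks it against a compiled-in allowlist of service names, and execs the init-script wrapper with a clean environment, so the unprivileged daemon can ask for restarts without holding root itself. The allowlist entries and the /usr/sbin/service path are assumptions.

```c
/* Minimal suid-root restart helper (added example, not monit's code).
 * Build, then install setuid root and executable only by the daemon's
 * group, e.g. chown root:monitdaemon and chmod 4750. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_NAME 32

/* Services the unprivileged daemon may ask to restart (assumed list). */
static const char *const allowed[] = { "apache2", "postfix", "sshd", NULL };

/* Reject anything that is not a short, plain service name: no empty
 * string, no path separators, no whitespace or shell metacharacters. */
int valid_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_NAME)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Exact match against the allowlist; being syntactically valid is not enough. */
int is_allowed(const char *s)
{
    if (!valid_name(s))
        return 0;
    for (int i = 0; allowed[i] != NULL; i++)
        if (strcmp(allowed[i], s) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_allowed(argv[1])) {
        fprintf(stderr, "usage: restart-helper <allowed-service>\n");
        return 2;
    }
    /* Make real and effective uid root so the init script sees a root caller. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    /* Never pass the caller's environment through; supply a fixed PATH only. */
    char *const env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    char *const args[] = { "service", argv[1], "restart", NULL };
    execve("/usr/sbin/service", args, env); /* wrapper path is an assumption */
    perror("execve");
    return 1;
}
```

Everything else monit does (polling local services, parsing its config, logging) can then stay in the unprivileged daemon, which only ever invokes this helper with a bare service name.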