As far as historical context for network-interface-security.conf, it is all about loading the profiles that the symlinks in /etc/apparmor/init/network-interface-security/* point to in time. Looking at a 14.10 system, I see that there are two things there: sbin.dhclient and usr.sbin.ntpd. This suggests to me that Martin's approach of changing the dependencies is best. That said, I'm not yet incredibly familiar with systemd boot ordering-- it sounds like you are saying that ifup@.service will always run before networking comes up or NetworkManager. Therefore if we change ifup@.service to use After=apparmor.service, then this sounds sufficient. In terms of user experience when the cache is invalidated, it only shifts the policy recompilation earlier (i.e., the boot speed to login remains the same).