The other day I brought this matter up on #debian-devel, and others also
agreed that it's not a good idea to hard-depend on apparmor.
Even the kernel at most recommends it.
From the #d-d conversation:
[03:27:59 PM] <peb> adding apparmor as a dependency was a suggestion from intrigeri, and I did not find any real reason to not do so
[03:28:42 PM] <peb> kibi: lxc upon startup tries to load the aforementioned profile and thus needs apparmor to enforce it
[03:28:53 PM] <peb> so the alternative is to remove the config in default.conf
[03:30:00 PM] <jcristau> wat
[03:30:48 PM] <peb> jcristau: without apparmor, a container with the generated profile won't be able to start
[03:30:58 PM] <peb> "generated" (it's the name of the profile)
[03:31:16 PM] <jcristau> sounds like a silly design
[03:31:24 PM] <peb> so if we don't drag apparmor, I need to comment out/remove the profile = generated in /etc/lxc/default.conf
[03:31:36 PM] <peb> I'll do some tests
[03:31:48 PM] <peb> but ack, the current situation is probably not the appropriate one for stable
[03:31:56 PM] <peb> I'll find a way before asking for an unblock
[03:31:57 PM] <jcristau> it should be able to confine containers if you have apparmor, and not if not.
[03:32:17 PM] <peb> my previous tests showed otherwise, but maybe I missed something
[03:32:47 PM] <peb> I'll redo some tests during the weekend