We do not pass apparmor_profile from the front-end to the policy.

There is no command line option to specify a profile, it is only
passed from the policy to the front-end.

plugins/sudoers/policy.c

@@ -333,14 +333,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
 		goto oom;
 	    continue;
 	}
-	if (MATCHES(*cur, "apparmor_profile=")) {
-	    CHECK(*cur, "apparmor_profile=");
-	    free(ctx->runas.apparmor_profile);
-	    ctx->runas.apparmor_profile = strdup(*cur + sizeof("apparmor_profile=") - 1);
-	    if (ctx->runas.apparmor_profile == NULL)
-		goto oom;
-	    continue;
-	}
 #ifdef HAVE_BSD_AUTH_H
 	if (MATCHES(*cur, "bsdauth_type=")) {
 	    CHECK(*cur, "bsdauth_type=");

src/parse_args.c

@@ -85,7 +85,6 @@ static struct sudo_settings sudo_settings[] = {
     { "askpass" },
     { "intercept_setid" },
     { "intercept_ptrace" },
-    { "apparmor_profile" },
     { NULL }
 };
 

src/sudo.h

@@ -105,7 +105,6 @@
 #define ARG_ASKPASS		26
 #define ARG_INTERCEPT_SETID	27
 #define ARG_INTERCEPT_PTRACE	28
-#define ARG_APPARMOR_PROFILE	29
 
 /*
  * Flags for tgetpass()