The AppArmor hardlink stuff is actually a *feature*; you can hardlink binaries to different names to change the security policy applicable to them, and constrain apps which should not be allowed to do such things so that they can't create links from directories containing binaries controlled by AppArmor policies.
Regarding multiple namespaces, well, I'd be more scared of that if *any* distribution used them for anything except chroot(). Right now, they don't, and even though multiple namespace support has been in Linux for five years or so they've shown no sign of being used for much (a shame, as they're a neat idea). Right now AppArmor-policy-covered apps simply can't call chroot(), mount() and friends; this could be changed in the future but will take some thought.
AppArmor has no problem with symlinks at all.