AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

The binary the wrapper script executes would have to be whitelisted. We can’t just whitelist the wrapper.

We could probably make a list of programs to use hardened_malloc with and whitelist them but then that would also allow any malicious LD_PRELOAD tricks on those programs.

Or, maybe we can make an issue on the AppArmor GitLab repo about adding specific variables that can be whitelisted when using environment scrubbing if that’s even possible.

e.g.

/bin/bash Pix allow_var="LD_PRELOAD=/usr/lib/libhardened_malloc.so",

So this would only allow preloading hardened_malloc and nothing else.

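The allow-list behaviour proposed in the post above, sketched as user-space C (an added example, not part of the original post and not AppArmor code): unsafe loader variables are dropped unless the whole NAME=value string matches an allowed entry exactly. `allow_var` is the poster's hypothetical syntax; treating every `LD_*` variable as unsafe, and the function names used here, are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow list, mirroring the allow_var idea in the post:
 * each entry is a complete NAME=value string that must match exactly. */
static const char *const ALLOWED[] = {
    "LD_PRELOAD=/usr/lib/libhardened_malloc.so",
    NULL
};

/* Assumption for this sketch: every dynamic-loader variable (LD_*) is
 * treated as unsafe. A real scrub list would cover more names. */
static int is_unsafe(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

static int is_allowed(const char *entry)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(entry, ALLOWED[i]) == 0)   /* exact match, never a prefix */
            return 1;
    return 0;
}

/* Compact envp in place, dropping unsafe entries that are not allow-listed.
 * Returns the number of entries kept; envp stays NULL-terminated. */
size_t scrub_env(char **envp)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!is_unsafe(envp[i]) || is_allowed(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment. */
    char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/usr/lib/libhardened_malloc.so",
                    "LD_PRELOAD=/tmp/x.so", "LD_LIBRARY_PATH=/tmp", NULL };
    scrub_env(env);
    for (size_t i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```

Comparing the full string matters: a value that merely starts with the allowed path but appends a second library after a colon is dropped along with every other `LD_*` entry.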