Usually apparmor profiles (changes) are activated during postinst and don’t require reboot. For example:

    if aa-enabled --quiet 2>/dev/null; then
        apparmor_parser -r -T -W "$APP_PROFILE" || true
    fi

I am certain that apparmor profile activation and apparmor profile changes are activated after package upgrades. Did this many, many times already during testing apparmor fixes. Trying apparmor fixes (modifying profile files) doesn’t require me to reboot after each change. (Often I get it wrong and don’t (fully) fix the issue. Have to edit the file more. And run aa-enforce again and again until I got it right.)
Any postinst script in the source code has this:

    true "INFO: debhelper beginning here."
    true "INFO: Done with debhelper."

It is possible to place code after the auto generated debhelper code. Root can always run:

    sudo aa-enforce /etc/apparmor.d/profile-name

It is possible to update the rules which existing profiles have already loaded or to load entirely new profiles. No reboot required. The only thing that I wouldn’t know how to do is completely unloading profiles - that may require reboot indeed. As a workaround/attack it may be possible to make a profile all permissive and then run aa-enforce.
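
Added example, not part of the original post: a check that a profile is actually loaded in enforce mode after a postinst reload or a manual aa-enforce, read from the kernel's loaded-profile list instead of assuming the reload worked. The function names, the `AA_PROFILES_FILE` override and the sample profile names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm the mode of a loaded AppArmor profile without rebooting.

# The kernel lists loaded profiles here, one "name (mode)" per line.
# Reading it usually requires root. Overridable so the parser can be tested.
AA_PROFILES_FILE="${AA_PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# profile_mode NAME: print the mode of a loaded profile.
# Returns 1 if the profile is not loaded, 2 if the list cannot be read.
profile_mode() {
    name="$1"
    [ -r "$AA_PROFILES_FILE" ] || return 2
    while IFS= read -r line; do
        # Split "name (mode)" at the last " (" so odd names still parse.
        pname="${line% (*}"
        mode="${line##* (}"
        mode="${mode%)}"
        if [ "$pname" = "$name" ]; then
            printf '%s\n' "$mode"
            return 0
        fi
    done < "$AA_PROFILES_FILE"
    return 1
}

# require_enforced NAME: succeed only if NAME is loaded in enforce mode.
# A profile left in complain mode, or not loaded at all, is reported on stderr.
require_enforced() {
    mode="$(profile_mode "$1")" || {
        echo "$1: not loaded, or profile list unreadable" >&2
        return 1
    }
    [ "$mode" = "enforce" ] || {
        echo "$1: loaded in $mode mode" >&2
        return 1
    }
}

# Constructed sample of the profile list (hypothetical profile names).
write_sample_profiles() {
    cat > "$1" <<'EOF'
/usr/bin/example-app (enforce)
example-helper (complain)
/usr/bin/example-app//child (enforce)
EOF
}
```

The name passed to `require_enforced` is the profile name as the kernel lists it, which is not necessarily the file name under /etc/apparmor.d.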