Add include if exists <tunables/$FILE.d> to all tunables

(except the deprecated tunables/sys) This allows users to extend variables without editing the main tunables files. It also allows to cleanly introduce new tunable files (via tunables/global.d) and new aliases (via tunables/alias.d). Note: some files already had `include <tunables/$FILE.d>`. These get changed to `include if exists`, and the comments for these includes get unified. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347
2025-03-04 08:24:42 +01:00 · 2023-07-30 00:47:34 +02:00 · 2023-07-30 00:47:34 +02:00 · 5657799dc7
commit 5657799dc7
parent 17a521ff50
14 changed files with 35 additions and 10 deletions
--- a/profiles/apparmor.d/tunables/alias
+++ b/profiles/apparmor.d/tunables/alias
@ -14,3 +14,6 @@
 #
 # Or if mysql databases are stored in /home:
 # alias /var/lib/mysql/ -> /home/mysql/,
+
+# Also, include files in tunables/alias.d for site-specific adjustments
+include if exists <tunables/alias.d>
--- a/profiles/apparmor.d/tunables/apparmorfs
+++ b/profiles/apparmor.d/tunables/apparmorfs
@ -9,3 +9,6 @@
 include <tunables/securityfs>

@{apparmorfs}=@{securityfs}/apparmor/
+
+# Also, include files in tunables/apparmorfs.d for site-specific adjustments
+include if exists <tunables/apparmorfs.d>
--- a/profiles/apparmor.d/tunables/dovecot
+++ b/profiles/apparmor.d/tunables/dovecot
@ -18,3 +18,5 @@

@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/

+# Also, include files in tunables/dovecot.d for site-specific adjustments
+include if exists <tunables/dovecot.d>
--- a/profiles/apparmor.d/tunables/etc
+++ b/profiles/apparmor.d/tunables/etc
@ -24,6 +24,5 @@
 # For rules that only allows read access, use @{etc_ro}.
@{etc_rw}=/etc/

-# Also, include files in tunables/etc.d/ for site-specific adjustments to
-# @{etc_ro} and @{etc_rw}.
+# Also, include files in tunables/etc.d for site-specific adjustments
 include if exists <tunables/etc.d>
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@ -21,3 +21,6 @@ include <tunables/xdg-user-dirs>
 include <tunables/share>
 include <tunables/etc>
 include <tunables/run>
+
+# Also, include files in tunables/global.d for site-specific adjustments
+include if exists <tunables/global.d>
--- a/profiles/apparmor.d/tunables/home
+++ b/profiles/apparmor.d/tunables/home
@ -20,6 +20,5 @@
 # refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/

-# Also, include files in tunables/home.d for site-specific adjustments to
-# @{HOMEDIRS}.
-include <tunables/home.d>
+# Also, include files in tunables/home.d for site-specific adjustments
+include if exists <tunables/home.d>
--- a/profiles/apparmor.d/tunables/kernelvars
+++ b/profiles/apparmor.d/tunables/kernelvars
@ -31,3 +31,6 @@

 # until kernel var is implemented
@{sys}=/sys/
+
+# Also, include files in tunables/kernelvars.d for site-specific adjustments
+include if exists <tunables/kernelvars.d>
--- a/profiles/apparmor.d/tunables/multiarch
+++ b/profiles/apparmor.d/tunables/multiarch
@ -12,6 +12,5 @@
 # install prefixes.
@{multiarch}=*-linux-gnu*

-# Also, include files in tunables/multiarch.d for site and packaging
-# specific adjustments to @{multiarch}.
-include <tunables/multiarch.d>
+# Also, include files in tunables/multiarch.d for site-specific adjustments
+include if exists <tunables/multiarch.d>
--- a/profiles/apparmor.d/tunables/ntpd
+++ b/profiles/apparmor.d/tunables/ntpd
@ -12,3 +12,6 @@
 #Add your ntpd devices here eg. if you have a DCF clock
 # @{NTPD_DEVICE}=/dev/ttyS*
@{NTPD_DEVICE}="/dev/tty10"
+
+# Also, include files in tunables/ntpd.d for site-specific adjustments
+include if exists <tunables/ntpd.d>
--- a/profiles/apparmor.d/tunables/proc
+++ b/profiles/apparmor.d/tunables/proc
@ -10,3 +10,6 @@

 # @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/
+
+# Also, include files in tunables/proc.d for site-specific adjustments
+include if exists <tunables/proc.d>
--- a/profiles/apparmor.d/tunables/run
+++ b/profiles/apparmor.d/tunables/run
@ -1 +1,4 @@
@{run}=/run/ /var/run/
+
+# Also, include files in tunables/run.d for site-specific adjustments
+include if exists <tunables/run.d>
--- a/profiles/apparmor.d/tunables/securityfs
+++ b/profiles/apparmor.d/tunables/securityfs
@ -8,3 +8,6 @@

 # @{securityfs} is the location where securityfs is mounted.
@{securityfs}=@{sys}/kernel/security/
+
+# Also, include files in tunables/securityfs.d for site-specific adjustments
+include if exists <tunables/securityfs.d>
--- a/profiles/apparmor.d/tunables/share
+++ b/profiles/apparmor.d/tunables/share
@ -13,3 +13,6 @@
 # XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
 # for the same subdirectories as @{system_share_dirs}
@{user_share_dirs} = @{HOME}/.local{,/share/@{flatpak_exports_root}}/share
+
+# Also, include files in tunables/share.d for site-specific adjustments
+include if exists <tunables/share.d>
--- a/profiles/apparmor.d/tunables/xdg-user-dirs
+++ b/profiles/apparmor.d/tunables/xdg-user-dirs
@ -20,5 +20,4 @@
@{XDG_VIDEOS_DIR}="Videos"

 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
-# to the various XDG directories
-include <tunables/xdg-user-dirs.d>
+include if exists <tunables/xdg-user-dirs.d>