tunables/etc: Improve comments which variable to use

The description of @{etc_ro} and @{etc_rw} were not good enough in explaining which directories they should contain, and when to use which of the variables in a profile.
2025-03-04 08:24:42 +01:00 · 2023-03-29 14:21:17 +02:00 · 2023-03-29 14:21:17 +02:00 · e8e6476487
commit e8e6476487
parent 05595eccda
1 changed files with 5 additions and 1 deletions
--- a/profiles/apparmor.d/tunables/etc
+++ b/profiles/apparmor.d/tunables/etc
@ -13,11 +13,15 @@
 # with the goal of having only user-modified config files in /etc/, directories
 # like /usr/etc/ get introduced for storing the default config.

-# @{etc_ro} contains read-only directories with configuration files.
+# @{etc_ro} contains directories with configuration files, including read-only directories.
 # Do not use @{etc_ro} in rules that allow write access.
@{etc_ro}=/etc/ /usr/etc/

 # @{etc_rw} contains directories where writing to configuration files is allowed.
+# @{etc_rw} should always be a subset of @{etc_ro}.
+#
+# Only use @{etc_rw} if the profile allows writing to a configuration file.
+# For rules that only allows read access, use @{etc_ro}.
@{etc_rw}=/etc/

 # Also, include files in tunables/etc.d/ for site-specific adjustments to