Merge tunables/etc: Improve comments which variable to use

The description of @{etc_ro} and @{etc_rw} were not good enough in explaining which directories they should contain, and when to use which of the variables in a profile. I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1000 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-31 22:35:35 +00:00 · 2023-04-01 03:17:28 +00:00
parent cf6539b217 e8e6476487
commit 7fa20770db
1 changed files with 5 additions and 1 deletions
--- a/profiles/apparmor.d/tunables/etc
+++ b/profiles/apparmor.d/tunables/etc
@@ -13,11 +13,15 @@
 # with the goal of having only user-modified config files in /etc/, directories
 # like /usr/etc/ get introduced for storing the default config.

-# @{etc_ro} contains read-only directories with configuration files.
+# @{etc_ro} contains directories with configuration files, including read-only directories.
 # Do not use @{etc_ro} in rules that allow write access.
@{etc_ro}=/etc/ /usr/etc/

 # @{etc_rw} contains directories where writing to configuration files is allowed.
+# @{etc_rw} should always be a subset of @{etc_ro}.
+#
+# Only use @{etc_rw} if the profile allows writing to a configuration file.
+# For rules that only allows read access, use @{etc_ro}.
@{etc_rw}=/etc/

 # Also, include files in tunables/etc.d/ for site-specific adjustments to