Make @{sys} available by default

Move @{sys} into tunables/kernelvars to make it readily available for
all profiles by default. In order to avoid duplicate variable
declaration, other tunable includes where modified accordingly.
Additionally, apparmor_api/is_enable has updated comment with regards to
@{sys} availability. tunables/sys is now marked as deprecated and should
not be used as it is noop, left only for backwards compatibility.

This is preparation for fixing bug:
https://bugs.launchpad.net/apparmor/+bug/1728551

Thanks to Christian Boltz for original idea to implement this in
non-breaking manner.

profiles/apparmor.d/abstractions/apparmor_api/is_enabled

@@ -8,8 +8,8 @@
 
 # permissions needed for aa_is_enabled
 
-# Make sure to include at least tunables/sys and tunables/apparmorfs
+# Make sure to include tunables/apparmorfs and tunables/global
-# when using this abstraction, if not tunables/global.
+# when using this abstraction
 
 #include <abstractions/apparmor_api/find_mountpoint>
 @{sys}/module/apparmor/parameters/enabled r,

profiles/apparmor.d/tunables/kernelvars

@@ -28,3 +28,6 @@
 
 #same pattern as @{uid} for now
 @{uids}=@{uid}
+
+# until kernel var is implemented
+@{sys}=/sys/

profiles/apparmor.d/tunables/securityfs

@@ -6,7 +6,5 @@
 #
 # ------------------------------------------------------------------
 
-#include <tunables/sys>
-
 # @{securityfs} is the location where securityfs is mounted.
 @{securityfs}=@{sys}/kernel/security/

profiles/apparmor.d/tunables/sys

@@ -6,5 +6,4 @@
 #
 # ------------------------------------------------------------------
 
-# @{sys} is the location where sysfs is mounted.
+#This file is DEPRECATED! @{sys} is defined in tunables/kernelvars now.
-@{sys}=/sys/