Merge branch 'cboltz-include' into 'master'

Change `#include` to `include` in profiles and abstractions See merge request apparmor/apparmor!563 Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-30 05:47:59 +00:00 · 2020-06-09 22:12:23 +00:00 · 2020-06-09 22:12:23 +00:00 · e0d061d15a
commit e0d061d15a
parent 9d339deb93 71a730fe39
194 changed files with 849 additions and 849 deletions
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@ -12,7 +12,7 @@
  abi <abi/3.0>,
-  #include <abstractions/dri-common>
+  include <abstractions/dri-common>
  # .ICEauthority files required for X authentication, per user
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@ -4,7 +4,7 @@
  abi <abi/3.0>,
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,
--- a/profiles/apparmor.d/abstractions/apparmor_api/change_profile
+++ b/profiles/apparmor.d/abstractions/apparmor_api/change_profile
@ -8,6 +8,6 @@
 abi <abi/3.0>,
-#include <abstractions/apparmor_api/introspect>
+include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{current,exec} w,
--- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
+++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
@ -13,7 +13,7 @@ abi <abi/3.0>,
 # Make sure to include tunables/apparmorfs and tunables/global
 # when using this abstraction
-#include <abstractions/apparmor_api/find_mountpoint>
+include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
 # TODO: add alternate apparmorfs interface for enabled
--- a/profiles/apparmor.d/abstractions/authentication
+++ b/profiles/apparmor.d/abstractions/authentication
@ -32,25 +32,25 @@
  /{usr/,}lib/@{multiarch}/security/              r,
  # kerberos
-  #include <abstractions/kerberosclient>
+  include <abstractions/kerberosclient>
  # SuSE's pwdutils are different:
  /{usr/,}etc/default/passwd         r,
  /{usr/,}etc/login.defs             r,
  # nis
-  #include <abstractions/nis>
+  include <abstractions/nis>
  # winbind
-  #include <abstractions/winbind>
+  include <abstractions/winbind>
  # likewise
-  #include <abstractions/likewise>
+  include <abstractions/likewise>
  # smbpass
-  #include <abstractions/smbpass>
+  include <abstractions/smbpass>
  # p11-kit (PKCS#11 modules configuration)
-  #include <abstractions/p11-kit>
+  include <abstractions/p11-kit>
  # Include additions to the abstraction
  include if exists <abstractions/authentication.d>
--- a/profiles/apparmor.d/abstractions/dbus
+++ b/profiles/apparmor.d/abstractions/dbus
@ -14,7 +14,7 @@
  # This abstraction grants full system bus access. Consider using the
  # dbus-strict abstraction for fine-grained bus mediation.
-  #include <abstractions/dbus-strict>
+  include <abstractions/dbus-strict>
  dbus bus=system,
  # Include additions to the abstraction
--- a/profiles/apparmor.d/abstractions/dbus-accessibility
+++ b/profiles/apparmor.d/abstractions/dbus-accessibility
@ -14,7 +14,7 @@
  # This abstraction grants full accessibility bus access. Consider using the
  # dbus-accessibility-strict abstraction for fine-grained bus mediation.
-  #include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-accessibility-strict>
  dbus bus=accessibility,
  # Include additions to the abstraction
--- a/profiles/apparmor.d/abstractions/dbus-session
+++ b/profiles/apparmor.d/abstractions/dbus-session
@ -14,7 +14,7 @@
  # This abstraction grants full session bus access. Consider using the
  # dbus-session-strict abstraction for fine-grained bus mediation.
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
  /usr/bin/dbus-launch ix,
  dbus bus=session,
--- a/profiles/apparmor.d/abstractions/enchant
+++ b/profiles/apparmor.d/abstractions/enchant
@ -17,7 +17,7 @@
  /usr/share/enchant/enchant.ordering              r,
  # aspell
-  #include <abstractions/aspell>
+  include <abstractions/aspell>
  /var/lib/dictionaries-common/aspell/             r,
  /var/lib/dictionaries-common/aspell/*            r,
--- a/profiles/apparmor.d/abstractions/exo-open
+++ b/profiles/apparmor.d/abstractions/exo-open
@ -20,27 +20,27 @@
 #
 # # out-of-line child profile
 # profile foo//exo-open {
-#   #include <abstractions/exo-open>
+#   include <abstractions/exo-open>
 #
 #   # needed for ubuntu-* abstractions
-#   #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
 #
 #   # Only allow to handle http[s]: and mailto: links
-#   #include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-browsers>
-#   #include <abstractions/ubuntu-email>
+#   include <abstractions/ubuntu-email>
 #
 #   # Add if accesibility access is considered as required
 #   # (for message boxe in case exo-open fails)
-#   #include <abstractions/dbus-accessibility>
+#   include <abstractions/dbus-accessibility>
 #
 #   # < add additional allowed applications here >
 # }
-  #include <abstractions/X>
+  include <abstractions/X>
-  #include <abstractions/audio> # for alert messages
+  include <abstractions/audio> # for alert messages
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
-  #include <abstractions/gnome>
+  include <abstractions/gnome>
  # Main executables
--- a/profiles/apparmor.d/abstractions/fcitx
+++ b/profiles/apparmor.d/abstractions/fcitx
@ -11,7 +11,7 @@
  abi <abi/3.0>,
-  #include <abstractions/fcitx-strict>
+  include <abstractions/fcitx-strict>
  dbus bus=fcitx,
  # Include additions to the abstraction
--- a/profiles/apparmor.d/abstractions/fcitx-strict
+++ b/profiles/apparmor.d/abstractions/fcitx-strict
@ -11,7 +11,7 @@
  abi <abi/3.0>,
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
  dbus send
      bus=fcitx
--- a/profiles/apparmor.d/abstractions/gio-open
+++ b/profiles/apparmor.d/abstractions/gio-open
@ -20,20 +20,20 @@
 #
 # # out-of-line child profile
 # profile foo//gio-open {
-#   #include <abstractions/gio-open>
+#   include <abstractions/gio-open>
 #
 #   # needed for ubuntu-* abstractions
-#   #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
 #
 #   # Only allow to handle http[s]: and mailto: links
-#   #include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-browsers>
-#   #include <abstractions/ubuntu-email>
+#   include <abstractions/ubuntu-email>
 #
 #   # < add additional allowed applications here >
 # }
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
  # Main executables
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@ -12,13 +12,13 @@
  abi <abi/3.0>,
-#include <abstractions/base>
+  include <abstractions/base>
-#include <abstractions/fonts>
+  include <abstractions/fonts>
-#include <abstractions/X>
+  include <abstractions/X>
-#include <abstractions/freedesktop.org>
+  include <abstractions/freedesktop.org>
-#include <abstractions/xdg-desktop>
+  include <abstractions/xdg-desktop>
-#include <abstractions/user-tmp>
+  include <abstractions/user-tmp>
-#include <abstractions/wayland>
+  include <abstractions/wayland>
  # systemwide gtk defaults
  /etc/gnome/gtkrc*               r,
--- a/profiles/apparmor.d/abstractions/gvfs-open
+++ b/profiles/apparmor.d/abstractions/gvfs-open
@ -20,23 +20,23 @@
 #
 # # out-of-line child profile
 # profile foo//gvfs-open {
-#   #include <abstractions/gvfs-open>
+#   include <abstractions/gvfs-open>
 #
 #   # needed for ubuntu-* abstractions
-#   #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
 #
 #   # Only allow to handle http[s]: and mailto: links
-#   #include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-browsers>
-#   #include <abstractions/ubuntu-email>
+#   include <abstractions/ubuntu-email>
 #
 #   # < add additional allowed applications here >
 # }
 # ```
-  #include <abstractions/base>
+  include <abstractions/base>
  # gvfs-open is deprecated, it launches gio open <uri>
-  #include <abstractions/gio-open>
+  include <abstractions/gio-open>
  # Main executables
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@ -11,13 +11,13 @@
 abi <abi/3.0>,
-#include <abstractions/base>
+include <abstractions/base>
-#include <abstractions/fonts>
+include <abstractions/fonts>
-#include <abstractions/X>
+include <abstractions/X>
-#include <abstractions/freedesktop.org>
+include <abstractions/freedesktop.org>
-#include <abstractions/xdg-desktop>
+include <abstractions/xdg-desktop>
-#include <abstractions/user-tmp>
+include <abstractions/user-tmp>
-#include <abstractions/qt5>
+include <abstractions/qt5>
 /etc/qt3/kstylerc r,
 /etc/qt3/qt_plugins_3.3rc r,
--- a/profiles/apparmor.d/abstractions/kde-open5
+++ b/profiles/apparmor.d/abstractions/kde-open5
@ -20,18 +20,18 @@
 #
 # # out-of-line child profile
 # profile foo//kde-open5 {
-#   #include <abstractions/kde-open5>
+#   include <abstractions/kde-open5>
 #
 #   # needed for ubuntu-* abstractions
-#   #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
 #
 #   # Only allow to handle http[s]: and mailto: links
-#   #include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-browsers>
-#   #include <abstractions/ubuntu-email>
+#   include <abstractions/ubuntu-email>
 #
 #   # Add if accesibility access is considered as required
 #   # (for message boxe in case exo-open fails)
-#   #include <abstractions/dbus-accessibility>
+#   include <abstractions/dbus-accessibility>
 #
 #   # Add if audio support for message box is
 #   # considered as required.
@ -41,19 +41,19 @@
 # }
 # ```
-  #include <abstractions/audio> # for alert messages
+  include <abstractions/audio> # for alert messages
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-accessibility-strict>
-  #include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-network-manager-strict>
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
-  #include <abstractions/dbus-strict>
+  include <abstractions/dbus-strict>
-  #include <abstractions/kde-icon-cache-write>
+  include <abstractions/kde-icon-cache-write>
-  #include <abstractions/kde>
+  include <abstractions/kde>
-  #include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
+  include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/qt5>
+  include <abstractions/qt5>
-  #include <abstractions/recent-documents-write>
+  include <abstractions/recent-documents-write>
-  #include <abstractions/X>
+  include <abstractions/X>
  # Main executables
--- a/profiles/apparmor.d/abstractions/ldapclient
+++ b/profiles/apparmor.d/abstractions/ldapclient
@ -23,7 +23,7 @@
  # local LDAP name service daemon
  @{run}/nslcd/socket  rw,
-  #include <abstractions/ssl_certs>
+  include <abstractions/ssl_certs>
  # Include additions to the abstraction
  include if exists <abstractions/ldapclient.d>
--- a/profiles/apparmor.d/abstractions/libpam-systemd
+++ b/profiles/apparmor.d/abstractions/libpam-systemd
@ -11,7 +11,7 @@
  abi <abi/3.0>,
-#include <abstractions/dbus-strict>
+include <abstractions/dbus-strict>
  # libpam-systemd notifies systemd-logind about session logins/logouts
  dbus send
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@ -72,25 +72,25 @@
  /{usr/,}etc/libnl-*/classid r,
  # nis
-  #include <abstractions/nis>
+  include <abstractions/nis>
  # ldap
-  #include <abstractions/ldapclient>
+  include <abstractions/ldapclient>
  # winbind
-  #include <abstractions/winbind>
+  include <abstractions/winbind>
  # likewise
-  #include <abstractions/likewise>
+  include <abstractions/likewise>
  # mdnsd
-  #include <abstractions/mdns>
+  include <abstractions/mdns>
  # kerberos
-  #include <abstractions/kerberosclient>
+  include <abstractions/kerberosclient>
  #libnss-systemd
-  #include <abstractions/nss-systemd>
+  include <abstractions/nss-systemd>
  # Also allow lookups for systemd-exec's DynamicUsers via D-Bus
  #   https://www.freedesktop.org/software/systemd/man/systemd.exec.html
--- a/profiles/apparmor.d/abstractions/opencl
+++ b/profiles/apparmor.d/abstractions/opencl
@ -5,10 +5,10 @@
 # OpenCL access requirements
  # TODO: use conditionals to select allowed implementations
-  #include <abstractions/opencl-intel>
+  include <abstractions/opencl-intel>
-  #include <abstractions/opencl-mesa>
+  include <abstractions/opencl-mesa>
-  #include <abstractions/opencl-nvidia>
+  include <abstractions/opencl-nvidia>
-  #include <abstractions/opencl-pocl>
+  include <abstractions/opencl-pocl>
  # Include additions to the abstraction
--- a/profiles/apparmor.d/abstractions/opencl-intel
+++ b/profiles/apparmor.d/abstractions/opencl-intel
@ -4,13 +4,13 @@
 # OpenCL access requirements for Intel implementation
-  #include <abstractions/opencl-common>
+  include <abstractions/opencl-common>
  # for libcl.so (libOpenCL.so -> beignet/libcl.so calls XOpenDisplay())
-  #include <abstractions/X>
+  include <abstractions/X>
  # for libOpenCL.so -> beignet/libcl.so -> libpciaccess.so
-  #include <abstractions/dri-enumerate>
+  include <abstractions/dri-enumerate>
  # System files
--- a/profiles/apparmor.d/abstractions/opencl-mesa
+++ b/profiles/apparmor.d/abstractions/opencl-mesa
@ -4,7 +4,7 @@
 # OpenCL access requirements for Mesa implementation
-  #include <abstractions/opencl-common>
+  include <abstractions/opencl-common>
  # Additional libraries
--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@ -4,8 +4,8 @@
 # OpenCL access requirements for NVIDIA implementation
-  #include <abstractions/nvidia>
+  include <abstractions/nvidia>
-  #include <abstractions/opencl-common>
+  include <abstractions/opencl-common>
  # Executables
--- a/profiles/apparmor.d/abstractions/opencl-pocl
+++ b/profiles/apparmor.d/abstractions/opencl-pocl
@ -3,7 +3,7 @@
  abi <abi/3.0>,
-  #include <abstractions/opencl-common>
+  include <abstractions/opencl-common>
  # Executables
@ -43,7 +43,7 @@
  # Child profiles
  profile opencl_pocl_ld {
-    #include <abstractions/base>
+    include <abstractions/base>
    # Main executables
@ -56,7 +56,7 @@
  }
  profile opencl_pocl_clang {
-    #include <abstractions/base>
+    include <abstractions/base>
    # Main executables
--- a/profiles/apparmor.d/abstractions/php5
+++ b/profiles/apparmor.d/abstractions/php5
@ -2,7 +2,7 @@
  abi <abi/3.0>,
-#include <abstractions/php>
+  include <abstractions/php>
  # Include additions to the abstraction
  include if exists <abstractions/php5.d>
--- a/profiles/apparmor.d/abstractions/private-files-strict
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@ -4,7 +4,7 @@
  abi <abi/3.0>,
-  #include <abstractions/private-files>
+  include <abstractions/private-files>
  # potentially extremely sensitive files
  audit deny @{HOME}/.aws/{,**} mrwkl,
--- a/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients
+++ b/profiles/apparmor.d/abstractions/ubuntu-bittorrent-clients
@ -2,9 +2,9 @@
 #
 # abstraction for allowing graphical bittorrent clients in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers
@ -2,9 +2,9 @@
 #
 # abstraction for allowing access to graphical browsers in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@ -20,14 +20,14 @@
  # unfortunate workarounds of the proprietary Javas, so have a separate
  # profile.
  profile browser_openjdk {
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/fonts>
+    include <abstractions/fonts>
-    #include <abstractions/gnome>
+    include <abstractions/gnome>
-    #include <abstractions/kde>
+    include <abstractions/kde>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
-    #include <abstractions/ssl_certs>
+    include <abstractions/ssl_certs>
-    #include <abstractions/user-tmp>
+    include <abstractions/user-tmp>
-    #include <abstractions/private-files-strict>
+    include <abstractions/private-files-strict>
    network inet stream,
    network inet6 stream,
@ -65,14 +65,14 @@
  # Profile for commercial Javas. These need workarounds to work right (eg
  # Sun's forcing of an executable stack (LP: #535247)).
  profile browser_java {
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/fonts>
+    include <abstractions/fonts>
-    #include <abstractions/gnome>
+    include <abstractions/gnome>
-    #include <abstractions/kde>
+    include <abstractions/kde>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
-    #include <abstractions/ssl_certs>
+    include <abstractions/ssl_certs>
-    #include <abstractions/user-tmp>
+    include <abstractions/user-tmp>
-    #include <abstractions/private-files-strict>
+    include <abstractions/private-files-strict>
    network inet stream,
    network inet6 stream,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
@ -1,9 +1,9 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
-  #include <abstractions/kde>
+  include <abstractions/kde>
  /usr/bin/kde4-config Cx -> sanitized_helper,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
@ -3,9 +3,9 @@
  abi <abi/3.0>,
  # for mailto:
-  #include <abstractions/ubuntu-email>
+  include <abstractions/ubuntu-email>
-  #include <abstractions/ubuntu-console-email>
+  include <abstractions/ubuntu-console-email>
  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrct access to what only firefox is allowed to do
-  #include <abstractions/ubuntu-gnome-terminal>
+  include <abstractions/ubuntu-gnome-terminal>
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
@ -1,11 +1,11 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
-  #include <abstractions/X>
+  include <abstractions/X>
  # Pulseaudio
  /usr/bin/pulseaudio Pixr,
@ -17,7 +17,7 @@
  /usr/bin/digikam Cxr -> sanitized_helper,
  /usr/bin/gwenview Cxr -> sanitized_helper,
-  #include <abstractions/ubuntu-media-players>
+  include <abstractions/ubuntu-media-players>
  owner @{HOME}/.adobe/ w,
  owner @{HOME}/.adobe/** rw,
  owner @{HOME}/.macromedia/ w,
@ -27,7 +27,7 @@
  /usr/bin/lpr Cxr -> sanitized_helper,
  # Bittorrent clients
-  #include <abstractions/ubuntu-bittorrent-clients>
+  include <abstractions/ubuntu-bittorrent-clients>
  # Archivers
  /usr/bin/ark Cxr -> sanitized_helper,
@ -36,10 +36,10 @@
  /usr/local/lib{,32,64}/*.so* mr,
  # News feed readers
-  #include <abstractions/ubuntu-feed-readers>
+  include <abstractions/ubuntu-feed-readers>
  # If we allow the above, nvidia based systems will also need this
-  #include <abstractions/nvidia>
+  include <abstractions/nvidia>
  # Virus scanners
  /usr/bin/clamscan Cx -> sanitized_helper,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
@ -15,4 +15,4 @@
  # Since all the ubuntu-browsers.d abstractions need this, just include it
  # here
-  #include <abstractions/ubuntu-helpers>
+  include <abstractions/ubuntu-helpers>
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
@ -1,7 +1,7 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
@ -1,7 +1,7 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@ -1,7 +1,7 @@
 # vim:syntax=apparmor
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
@ -3,6 +3,6 @@
  abi <abi/3.0>,
  # firefox-notify
-  #include <abstractions/python>
+  include <abstractions/python>
  /usr/bin/python2.[4567] ix,
  /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@ -9,7 +9,7 @@
  owner @{HOME}/** w,
  # Do not allow read and/or write to particularly sensitive/problematic files
-  #include <abstractions/private-files>
+  include <abstractions/private-files>
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
  audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
--- a/profiles/apparmor.d/abstractions/ubuntu-console-browsers
+++ b/profiles/apparmor.d/abstractions/ubuntu-console-browsers
@ -4,11 +4,11 @@
 # typically also need a terminal, so when using this abstraction, should also
 # do something like:
 #
-# #include <abstractions/ubuntu-gnome-terminal>
+# include <abstractions/ubuntu-gnome-terminal>
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-console-email
+++ b/profiles/apparmor.d/abstractions/ubuntu-console-email
@ -4,11 +4,11 @@
 # typically also need a terminal, so when using this abstraction, should also
 # do something like:
 #
-# #include <abstractions/ubuntu-gnome-terminal>
+# include <abstractions/ubuntu-gnome-terminal>
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-email
+++ b/profiles/apparmor.d/abstractions/ubuntu-email
@ -2,9 +2,9 @@
 #
 # abstraction for allowing graphical email clients in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-feed-readers
+++ b/profiles/apparmor.d/abstractions/ubuntu-feed-readers
@ -2,9 +2,9 @@
 #
 # abstraction for allowing graphical news feed readers in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
+++ b/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
@ -5,7 +5,7 @@
  abi <abi/3.0>,
-  #include <abstractions/gnome>
+  include <abstractions/gnome>
  # do not use ux or PUx here. Use at a minimum ix
  /usr/bin/gnome-terminal ix,
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
@ -9,7 +9,7 @@
 #
 # Usage:
 # Because this abstraction defines the sanitized_helper profile, it must only
-# be #included once. Therefore this abstraction should typically not be
+# be included once. Therefore this abstraction should typically not be
 # included in other abstractions so as to avoid parser errors regarding
 # multiple definitions.
 #
@ -34,16 +34,16 @@
  abi <abi/3.0>,
 profile sanitized_helper {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/X>
+  include <abstractions/X>
  # Allow all networking
  network inet,
  network inet6,
  # Allow all DBus communications
-  #include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session-strict>
-  #include <abstractions/dbus-strict>
+  include <abstractions/dbus-strict>
  dbus,
  # Needed for Google Chrome
--- a/profiles/apparmor.d/abstractions/ubuntu-konsole
+++ b/profiles/apparmor.d/abstractions/ubuntu-konsole
@ -5,8 +5,8 @@
  abi <abi/3.0>,
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/kde>
+  include <abstractions/kde>
  capability sys_ptrace,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
--- a/profiles/apparmor.d/abstractions/ubuntu-media-players
+++ b/profiles/apparmor.d/abstractions/ubuntu-media-players
@ -2,9 +2,9 @@
 #
 # abstraction for allowing access to media players in Ubuntu
 #
-# Users of this abstraction need to #include the ubuntu-helpers abstraction
+# Users of this abstraction need to include the ubuntu-helpers abstraction
 # in the toplevel profile. Eg:
-# #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
  abi <abi/3.0>,
--- a/profiles/apparmor.d/abstractions/ubuntu-unity7-base
+++ b/profiles/apparmor.d/abstractions/ubuntu-unity7-base
@ -15,10 +15,10 @@
 # Rules common to applications running under Unity 7
 #
-#include <abstractions/gnome>
+include <abstractions/gnome>
-#include <abstractions/dbus-session-strict>
+include <abstractions/dbus-session-strict>
-#include <abstractions/dbus-strict>
+include <abstractions/dbus-strict>
  #
  # Access required for connecting to/communication with Unity HUD
--- a/profiles/apparmor.d/abstractions/ubuntu-xterm
+++ b/profiles/apparmor.d/abstractions/ubuntu-xterm
@ -5,7 +5,7 @@
  abi <abi/3.0>,
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
  /dev/ptmx rw,
  /{,var/}run/utmp r,
  /etc/X11/app-defaults/XTerm r,
--- a/profiles/apparmor.d/abstractions/xdg-open
+++ b/profiles/apparmor.d/abstractions/xdg-open
@ -18,40 +18,40 @@
 #
 # # out-of-line child profile
 # profile foo//xdg-open {
-#   #include <abstractions/xdg-open>
+#   include <abstractions/xdg-open>
 #
 #   # Enable a11y support if considered required by
 #   # profile author for (rare) error message boxes.
-#   #include <abstractions/dbus-accessibility>
+#   include <abstractions/dbus-accessibility>
 #
 #   # Enable gstreamer support if considered required by
 #   # profile author for (rare) error message boxes.
 #   include if exists <abstractions/gstreamer>
 #
 #   # needed for ubuntu-* abstractions
-#   #include <abstractions/ubuntu-helpers>
+#   include <abstractions/ubuntu-helpers>
 #
 #   # Only allow to handle http[s]: and mailto: links
-#   #include <abstractions/ubuntu-browsers>
+#   include <abstractions/ubuntu-browsers>
-#   #include <abstractions/ubuntu-email>
+#   include <abstractions/ubuntu-email>
 #
 #   # < add additional allowed applications here >
 # }
 # ```
-  #include <abstractions/base>
+  include <abstractions/base>
  # for openin with `exo-open`
-  #include <abstractions/exo-open>
+  include <abstractions/exo-open>
  # for opening with `gio open <uri>`
-  #include <abstractions/gio-open>
+  include <abstractions/gio-open>
  # for opening with gvfs-open (deprecated)
-  #include <abstractions/gvfs-open>
+  include <abstractions/gvfs-open>
  # for opening with kde-open5
-  #include <abstractions/kde-open5>
+  include <abstractions/kde-open5>
  # Main executables
--- a/profiles/apparmor.d/apache2.d/phpsysinfo
+++ b/profiles/apparmor.d/apache2.d/phpsysinfo
@ -4,11 +4,11 @@
  abi <abi/3.0>,
  ^phpsysinfo {
-    #include <abstractions/apache2-common>
+    include <abstractions/apache2-common>
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
-    #include <abstractions/php5>
+    include <abstractions/php5>
-    #include <abstractions/python>
+    include <abstractions/python>
    /{,usr/}bin/dash ixr,
    /{,usr/}bin/df ixr,
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile ping /{usr/,}bin/{,iputils-}ping {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
--- a/profiles/apparmor.d/local/README
+++ b/profiles/apparmor.d/local/README
@ -12,7 +12,7 @@
 # it is appropriate for your site.
 #
 # For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
-#   #include <local/usr.sbin.smbd>
+#   include <local/usr.sbin.smbd>
 #
 # then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
 # contain any additional paths to be allowed, such as:
--- a/profiles/apparmor.d/lsb_release
+++ b/profiles/apparmor.d/lsb_release
@ -6,12 +6,12 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 # Do not attach to /usr/bin/lsb_release by default
 profile lsb_release {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/python>
+  include <abstractions/python>
  owner @{PROC}/@{pid}/fd/ r,
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@ -2,10 +2,10 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile nvidia_modprobe {
-  #include <abstractions/base>
+  include <abstractions/base>
  # Capabilities
@ -35,7 +35,7 @@ profile nvidia_modprobe {
  # Child profiles
  profile kmod {
-    #include <abstractions/base>
+    include <abstractions/base>
    # Capabilities
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@ -11,10 +11,10 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile klogd /{usr/,}{bin,sbin}/klogd {
-  #include <abstractions/base>
+  include <abstractions/base>
  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
  capability syslog,
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@ -12,18 +12,18 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 #define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""
 profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/mysql>
+  include <abstractions/mysql>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/python>
+  include <abstractions/python>
  capability chown,
  capability dac_override,
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@ -11,12 +11,12 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile syslogd /{usr/,}{bin,sbin}/syslogd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
  capability sys_tty_config,
  capability dac_override,
--- a/profiles/apparmor.d/tunables/apparmorfs
+++ b/profiles/apparmor.d/tunables/apparmorfs
@ -6,6 +6,6 @@
 #
 # ------------------------------------------------------------------
-#include <tunables/securityfs>
+include <tunables/securityfs>
@{apparmorfs}=@{securityfs}/apparmor/
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@ -12,11 +12,11 @@
 # All the tunables definitions that should be available to every profile
 # should be included here
-#include <tunables/home>
+include <tunables/home>
-#include <tunables/multiarch>
+include <tunables/multiarch>
-#include <tunables/proc>
+include <tunables/proc>
-#include <tunables/alias>
+include <tunables/alias>
-#include <tunables/kernelvars>
+include <tunables/kernelvars>
-#include <tunables/xdg-user-dirs>
+include <tunables/xdg-user-dirs>
-#include <tunables/share>
+include <tunables/share>
-#include <tunables/run>
+include <tunables/run>
--- a/profiles/apparmor.d/tunables/home
+++ b/profiles/apparmor.d/tunables/home
@ -22,4 +22,4 @@
 # Also, include files in tunables/home.d for site-specific adjustments to
 # @{HOMEDIRS}.
-#include <tunables/home.d>
+include <tunables/home.d>
--- a/profiles/apparmor.d/tunables/multiarch
+++ b/profiles/apparmor.d/tunables/multiarch
@ -14,4 +14,4 @@
 # Also, include files in tunables/multiarch.d for site and packaging
 # specific adjustments to @{multiarch}.
-#include <tunables/multiarch.d>
+include <tunables/multiarch.d>
--- a/profiles/apparmor.d/tunables/xdg-user-dirs
+++ b/profiles/apparmor.d/tunables/xdg-user-dirs
@ -21,4 +21,4 @@
 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
 # to the various XDG directories
-#include <tunables/xdg-user-dirs.d>
+include <tunables/xdg-user-dirs.d>
--- a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+++ b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
@ -2,7 +2,7 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/apache2/mpm-prefork/apache2 {
  # This profile is completely permissive.
@ -41,8 +41,8 @@ abi <abi/3.0>,
  #    </Directory>
  #
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability chown,
  capability kill,
@ -56,8 +56,8 @@ abi <abi/3.0>,
  ^DEFAULT_URI {
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
    / rw,
    /** mrwlkix,
@ -65,7 +65,7 @@ abi <abi/3.0>,
  }
  ^HANDLING_UNTRUSTED_INPUT {
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
    / rw,
    /** mrwlkix,
@ -75,7 +75,7 @@ abi <abi/3.0>,
  # This directory contains web application
  # package-specific apparmor files.
-  #include <apache2.d>
+  include <apache2.d>
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.lib.apache2.mpm-prefork.apache2>
--- a/profiles/apparmor.d/usr.lib.dovecot.anvil
+++ b/profiles/apparmor.d/usr.lib.dovecot.anvil
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/anvil {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
  capability sys_chroot,
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@ -12,16 +12,16 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/auth {
-  #include <abstractions/authentication>
+  include <abstractions/authentication>
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/mysql>
+  include <abstractions/mysql>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/wutmp>
+  include <abstractions/wutmp>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability audit_write,
  capability dac_override,
--- a/profiles/apparmor.d/usr.lib.dovecot.config
+++ b/profiles/apparmor.d/usr.lib.dovecot.config
@ -11,13 +11,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/config {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/ssl_keys>
+  include <abstractions/ssl_keys>
  capability dac_read_search,
  capability dac_override,
--- a/profiles/apparmor.d/usr.lib.dovecot.deliver
+++ b/profiles/apparmor.d/usr.lib.dovecot.deliver
@ -13,13 +13,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/deliver {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
--- a/profiles/apparmor.d/usr.lib.dovecot.dict
+++ b/profiles/apparmor.d/usr.lib.dovecot.dict
@ -11,14 +11,14 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/dict {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/mysql>
+  include <abstractions/mysql>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
@ -12,14 +12,14 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/dovecot-auth {
-  #include <abstractions/authentication>
+  include <abstractions/authentication>
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/wutmp>
+  include <abstractions/wutmp>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability chown,
  capability dac_override,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@ -11,13 +11,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/dovecot-lda flags=(attach_disconnected) {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
@ -43,11 +43,11 @@ abi <abi/3.0>,
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/consoles>
+    include <abstractions/consoles>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
-    #include <abstractions/user-tmp>
+    include <abstractions/user-tmp>
-    #include <abstractions/postfix-common>
+    include <abstractions/postfix-common>
    capability sys_ptrace,
--- a/profiles/apparmor.d/usr.lib.dovecot.imap
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@ -12,13 +12,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/imap {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
  deny capability block_suspend,
--- a/profiles/apparmor.d/usr.lib.dovecot.imap-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login
@ -12,11 +12,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/imap-login {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
  capability setuid,
  capability sys_chroot,
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@ -11,16 +11,16 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/lmtp {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/ssl_certs>
+  include <abstractions/ssl_certs>
-  #include <abstractions/ssl_keys>
+  include <abstractions/ssl_keys>
  capability dac_override,
  capability dac_read_search,
--- a/profiles/apparmor.d/usr.lib.dovecot.log
+++ b/profiles/apparmor.d/usr.lib.dovecot.log
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/log flags=(attach_disconnected) {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  /usr/lib/dovecot/log mr,
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve
@ -12,12 +12,12 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/managesieve {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
--- a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
@ -14,11 +14,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/managesieve-login {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
  capability setuid,
  capability sys_chroot,
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@ -12,13 +12,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/dovecot>
+include <tunables/dovecot>
 /usr/lib/dovecot/pop3 {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3-login
@ -12,11 +12,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/pop3-login {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
  capability setuid,
  capability sys_chroot,
--- a/profiles/apparmor.d/usr.lib.dovecot.ssl-params
+++ b/profiles/apparmor.d/usr.lib.dovecot.ssl-params
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/ssl-params {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  @{run}/dovecot/ssl-params rw,
  @{run}/dovecot/login/ssl-params rw,
--- a/profiles/apparmor.d/usr.lib.dovecot.stats
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /usr/lib/dovecot/stats {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
  capability setuid,
  capability sys_chroot,
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@ -2,7 +2,7 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  # This profile is completely permissive.
@ -28,7 +28,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  #    the "apache2-common" abstraction:
  #
  #    ^example.com {
-  #        #include <abstractions/apache2-common>
+  #        include <abstractions/apache2-common>
  #        /var/www/html/             r,
  #        /var/www/html/**           r,
  #        /var/log/apache2/*.log     w,
@ -69,8 +69,8 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  #    </Location>
  #
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  # Send signals to all hats.
  signal (send) peer=@{profile_name}//*,
@ -87,15 +87,15 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  ^DEFAULT_URI flags=(attach_disconnected) {
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/apache2-common>
+    include <abstractions/apache2-common>
    / rw,
    /** mrwlkix,
  }
  ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
-    #include <abstractions/apache2-common>
+    include <abstractions/apache2-common>
    / rw,
    /** mrwlkix,
@ -104,7 +104,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  # This directory contains web application
  # package-specific apparmor files.
-  #include <apache2.d>
+  include <apache2.d>
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.sbin.apache2>
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@ -1,11 +1,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/dbus>
+  include <abstractions/dbus>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability chown,
  capability dac_override,
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@ -13,11 +13,11 @@ abi <abi/3.0>,
@{TFTP_DIR}=/var/tftp /srv/tftp /srv/tftpboot
-#include <tunables/global>
+include <tunables/global>
 profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dbus>
+  include <abstractions/dbus>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability chown,
  capability net_bind_service,
@ -108,7 +108,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
  @{run}/NetworkManager/NetworkManager.pid w,
  profile libvirt_leaseshelper {
-    #include <abstractions/base>
+    include <abstractions/base>
    /etc/libnl-3/classid r,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@ -12,16 +12,16 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
-  #include <abstractions/authentication>
+  include <abstractions/authentication>
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/dovecot-common>
+  include <abstractions/dovecot-common>
-  #include <abstractions/mysql>
+  include <abstractions/mysql>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/ssl_certs>
+  include <abstractions/ssl_certs>
-  #include <abstractions/ssl_keys>
+  include <abstractions/ssl_keys>
  capability chown,
  capability dac_override,
--- a/profiles/apparmor.d/usr.sbin.identd
+++ b/profiles/apparmor.d/usr.sbin.identd
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile identd /usr/{bin,sbin}/identd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
  capability setuid,
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@ -11,12 +11,12 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile mdnsd /usr/{bin,sbin}/mdnsd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability net_bind_service,
  capability setgid,
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@ -1,11 +1,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile nmbd /usr/{bin,sbin}/nmbd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/samba>
+  include <abstractions/samba>
  capability net_bind_service,
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@ -11,12 +11,12 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile nscd /usr/{bin,sbin}/nscd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/ssl_certs>
+  include <abstractions/ssl_certs>
  deny capability block_suspend,
  capability net_bind_service,
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@ -11,13 +11,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
-#include <tunables/ntpd>
+include <tunables/ntpd>
 profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/openssl>
+  include <abstractions/openssl>
-  #include <abstractions/xad>
+  include <abstractions/xad>
  capability dac_override,
  capability ipc_lock,
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@ -1,16 +1,16 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile smbd /usr/{bin,sbin}/smbd {
-  #include <abstractions/authentication>
+  include <abstractions/authentication>
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/cups-client>
+  include <abstractions/cups-client>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/samba>
+  include <abstractions/samba>
-  #include <abstractions/user-tmp>
+  include <abstractions/user-tmp>
-  #include <abstractions/wutmp>
+  include <abstractions/wutmp>
  capability audit_write,
  capability dac_override,
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@ -2,13 +2,13 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/bash>
+  include <abstractions/bash>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/perl>
+  include <abstractions/perl>
  /dev/tty rw,
  /{,usr/}bin/bash ix,
@ -24,8 +24,8 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
  include if exists <local/usr.sbin.smbldap-useradd>
  profile /etc/init.d/nscd {
-    #include <abstractions/base>
+    include <abstractions/base>
-    #include <abstractions/nameservice>
+    include <abstractions/nameservice>
    capability sys_ptrace,
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@ -11,11 +11,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  deny capability net_admin, # noisy setsockopt() calls
  capability net_raw,
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@ -1,11 +1,11 @@
 abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile winbindd /usr/{bin,sbin}/winbindd {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/samba>
+  include <abstractions/samba>
  deny capability block_suspend,
--- a/profiles/apparmor/profiles/extras/bin.netstat
+++ b/profiles/apparmor/profiles/extras/bin.netstat
@ -15,12 +15,12 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile netstat /{usr/,}bin/netstat {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/consoles>
+  include <abstractions/consoles>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability dac_override,
  capability dac_read_search,
--- a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
+++ b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate
@ -13,12 +13,12 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /etc/cron.daily/logrotate {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/bash>
+  include <abstractions/bash>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
  capability chown,
  capability dac_override,
--- a/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron
+++ b/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron
@ -14,10 +14,10 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /etc/cron.daily/slocate.cron {
-  #include <abstractions/base>
+  include <abstractions/base>
  /{usr/,}bin/bash                 mixr,
  /dev/tty                         wr  ,
  /etc/cron.daily/slocate.cron     r   ,
--- a/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch
+++ b/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch
@ -10,10 +10,10 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 /etc/cron.daily/tmpwatch {
-  #include <abstractions/base>
+  include <abstractions/base>
  /etc/cron.daily/tmpwatch  r,
  /tmp                      r,
  /tmp/**                   rwl,
--- a/profiles/apparmor/profiles/extras/postfix.anvil
+++ b/profiles/apparmor/profiles/extras/postfix.anvil
@ -11,12 +11,12 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile postfix-anvil /usr/lib/postfix/{bin/,sbin/,}anvil {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/postfix-common>
+  include <abstractions/postfix-common>
  /usr/lib/postfix/{bin/,sbin/,}anvil         mrix,
--- a/profiles/apparmor/profiles/extras/postfix.bounce
+++ b/profiles/apparmor/profiles/extras/postfix.bounce
@ -12,12 +12,12 @@
  abi <abi/3.0>,
-#include <tunables/global>
+include <tunables/global>
 profile postfix-bounce /usr/lib/postfix/{bin/,sbin/,}bounce {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/nameservice>
-  #include <abstractions/postfix-common>
+  include <abstractions/postfix-common>
  /usr/lib/postfix/{bin/,sbin/,}bounce                             mrix,
--- a/Show More
+++ b/Show More