update profiles for apparmor3

apparmor.d/tunables/apparmorfs

@@ -6,6 +6,6 @@
 #
 # ------------------------------------------------------------------
 
-#include <tunables/securityfs>
+include <tunables/securityfs>
 
 @{apparmorfs}=@{securityfs}/apparmor/

apparmor.d/tunables/etc

@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{etc_ro} contains a space-separated list of the system configuration directories.
+# Traditionally this means /etc/, but when using a read-only / filesystem and/or
+# with the goal of having only user-modified config files in /etc/, directories
+# like /usr/etc/ get introduced for storing the default config.
+
+# @{etc_ro} contains read-only directories with configuration files.
+# Do not use @{etc_ro} in rules that allow write access.
+@{etc_ro}=/etc/ /usr/etc/
+
+# @{etc_rw} contains directories where writing to configuration files is allowed.
+@{etc_rw}=/etc/
+
+# Also, include files in tunables/etc.d/ for site-specific adjustments to
+# @{etc_ro} and @{etc_rw}.
+include if exists <tunables/etc.d>

apparmor.d/tunables/global

@@ -12,11 +12,12 @@
 # All the tunables definitions that should be available to every profile
 # should be included here
 
-#include <tunables/home>
-#include <tunables/multiarch>
-#include <tunables/proc>
-#include <tunables/alias>
-#include <tunables/kernelvars>
-#include <tunables/xdg-user-dirs>
-#include <tunables/share>
-#include <tunables/run>
+include <tunables/home>
+include <tunables/multiarch>
+include <tunables/proc>
+include <tunables/alias>
+include <tunables/kernelvars>
+include <tunables/xdg-user-dirs>
+include <tunables/share>
+include <tunables/etc>
+include <tunables/run>

apparmor.d/tunables/home

@@ -22,4 +22,4 @@
 
 # Also, include files in tunables/home.d for site-specific adjustments to
 # @{HOMEDIRS}.
-#include <tunables/home.d>
+include <tunables/home.d>

apparmor.d/tunables/multiarch

@@ -14,4 +14,4 @@
 
 # Also, include files in tunables/multiarch.d for site and packaging
 # specific adjustments to @{multiarch}.
-#include <tunables/multiarch.d>
+include <tunables/multiarch.d>

apparmor.d/tunables/xdg-user-dirs

@@ -21,4 +21,4 @@
 
 # Also, include files in tunables/xdg-user-dirs.d for site-specific adjustments
 # to the various XDG directories
-#include <tunables/xdg-user-dirs.d>
+include <tunables/xdg-user-dirs.d>