Tunables
Tunables are global variables used to adjust AppArmor policies to match the local system environment without modifying the core profiles themselves (e.g., globally defining the @{HOME} directory path).
This project and the official apparmor-profiles project provide a large selection of tunables to be included in profiles. Always use them: they target wide compatibility across hardware and distributions while allowing only the bare minimum access.
Example
For instance, to allow download directory access instead of read and write permissions:
You should write:
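As an added illustration (not the project's own snippet), the fragment below contrasts a hard-coded download path with one built from the upstream `@{HOME}` and `@{XDG_DOWNLOAD_DIR}` tunables, and shows a local override file adjusting the tunable without touching the profile. The profile name, binary path and extra directory name are hypothetical, and AppArmor 3.0 or later is assumed for the `abi` line.

```apparmor
# --- /etc/apparmor.d/tunables/xdg-user-dirs.d/site.local ---
# Local adjustment: this host also uses a second download directory name
# (constructed value). The profile below is not edited.
@{XDG_DOWNLOAD_DIR}+="Telechargements"

# --- /etc/apparmor.d/example-downloader (hypothetical profile) ---
abi <abi/3.0>,

include <tunables/global>

profile example-downloader /usr/bin/example-downloader {
  include <abstractions/base>

  # Hard-coded form: only matches /home/<user>/Downloads, so it breaks on
  # hosts with relocated home directories or a renamed download directory.
  # owner /home/*/Downloads/{,**} rw,

  # Tunable form: @{HOME} and @{XDG_DOWNLOAD_DIR} are defined in
  # tunables/home and tunables/xdg-user-dirs, both pulled in by
  # tunables/global, so the rule follows whatever the host defines.
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rw,
}
```

Variables are expanded when the policy is compiled, so after changing a tunable the affected profiles must be reloaded (for example with `apparmor_parser -r`) before the new paths take effect.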
- Default tunables from the upstream apparmor project. They are available to any profile even without using apparmor.d as a dependency.
- All new tunables provided by the apparmor.d project.