system-files can be used to specify a directory, in which case everything under it will be allowed.
Eg, consider:
/foo
/foo/bar
/foo/baz
/foo/corge/norf
For read-only access, you might use:
plugs:
foo:
interface: system-files
read:
- /foo
which gives the following AppArmor rule under the hood:
"/foo{,/,/**}" rk,
granting read access to the file /foo, the directory /foo/ and all files and directories under /foo such that the above example file hierarchy is allowed.