Move AppArmor aliases to a dedicated file, and include it.

This will avoid maintaining these settings as a patch.

config/chroot_local-includes/etc/apparmor.d/tunables/alias.d/tails

+alias / -> /lib/live/mount/overlay/,
+alias / -> /lib/live/mount/rootfs/*.squashfs/,
+

config/chroot_local-patches/apparmor-alias-dot-d.diff

+--- a/etc/apparmor.d.orig/tunables/alias	2016-12-17 11:25:27.000000000 +0000
++++ b/etc/apparmor.d/tunables/alias	2017-01-02 20:47:35.987919057 +0000
+@@ -14,3 +14,5 @@
+ #
+ # Or if mysql databases are stored in /home:
+ # alias /var/lib/mysql/ -> /home/mysql/,
++
++#include <tunables/alias.d>
+

config/chroot_local-patches/apparmor-aliases.diff

@@ -50,15 +50,3 @@ diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /e
  
    # Dangerous files
    audit deny owner /**/* m,              # compiled libraries
-diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
---- a/etc/apparmor.d.orig/tunables/alias	2013-07-10 22:05:57.000000000 +0000
-+++ b/etc/apparmor.d/tunables/alias	2015-06-03 18:12:46.426380000 +0000
-@@ -14,3 +14,7 @@
- #
- # Or if mysql databases are stored in /home:
- # alias /var/lib/mysql/ -> /home/mysql/,
-+
-+alias / -> /lib/live/mount/overlay/,
-+alias / -> /lib/live/mount/rootfs/*.squashfs/,
-+
-

wiki/src/contribute/design/application_isolation.mdwn

@@ -69,7 +69,10 @@ subsequent problems with overlapping rules, and to mitigate the
 increased policy compilation time (see details below), we also patch
 some some very broad rules to make them _not_ apply to `/lib/live/*`.
 All these changes live in
-[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]].
+[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]],
+[[!tails_gitweb config/chroot_local-patches/apparmor-alias-dot-d.diff]]
+and
+[[!tails_gitweb config/chroot_local-includes/etc/apparmor.d/tunables/alias.d/tails]].
 
 Second, few more targeted adjustments are also applied: