[config-package-dev] possible solution to the config-package-dev vs AppArmor issue

Patrick Schleizer adrelanos at riseup.net
Sat Aug 15 15:38:57 EDT 2015


Hi!

Related to your ticket 'Upstream AppArmor should be configurable to
follow symlinks':
https://debathena.mit.edu/trac/ticket/166

And as a late follow up for the mailing list thread 'config-package-dev
clashes with AppArmor profiles':
http://mailman.mit.edu/pipermail/config-package-dev/2013-July/000008.html

I explicitly requested AppArmor symlink support from upstream. Won't come:
https://bugs.launchpad.net/apparmor/+bug/1485055

However, Christian Boltz made a good suggestion.

Christian Boltz:
> You can use alias rules for directory symlinks - add them to /etc/apparmor.d/tunables/alias. This avoids the need to modify all profiles.
> 
> For example, my /tmp/ is a symlink to /home/sys-tmp/, and the alias rule for it is
>     alias /tmp/ -> /home/sys-tmp/,
> 
> Another possible solution is using mount --bind instead of symlinks.

The tunables/alias method helped a similar problem of mine a lot. [1]

My original problem back then was something like this:

> /etc/resolv.conf is a symlink to /etc/resolv.conf.anondist

> And the AppArmor profile only allows read access to /etc/resolv.conf,
> not /etc/resolv.conf.anondist.

Thanks to tunables/alias, we could get away with it by auto generating a
file /etc/apparmor.d/tunables/home.d/anon-gw-dns-config.anondist with
the following content:

alias /etc/resolv.conf -> /etc/resolv.conf.anondist,

That's it. [Or with as many entries as diversions and a comment that
it's an auto generated file that should not be edited by hand because
changes would get lost.]

config-package-dev could even automate this. What do you think?

Remarks:

- I haven't tested yet if the file extension .anondist in the tunables
folder would be allowed.
- Not tested yet, but since a similar problem of mine was solved, I am
positive this could work.

Cheers,
Patrick

[1] https://phabricator.whonix.org/T396
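
The following is an added example, not code from the post, from AppArmor
or from config-package-dev. It is one way the "config-package-dev could
automate this" idea could look: a POSIX shell generator that scans a tree
for symlinks of the form X -> X.<suffix> (the layout the post describes
for /etc/resolv.conf -> /etc/resolv.conf.anondist) and prints one alias
rule per match, with the "do not edit" comment the post asks for. The
suffix "anondist", the output path under tunables/home.d/ and the sample
tree (built in a temporary directory) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or from config-package-dev.
# Generates AppArmor alias rules for the layout the post describes:
# /path/file is a symlink to /path/file.<suffix>, and the profile only
# mentions /path/file. AppArmor mediates on the resolved path, so
#   alias /path/file -> /path/file.<suffix>,
# lets every profile that allows /path/file also reach the real file.
# The suffix "anondist", the output path and the sample tree are assumptions.
set -eu

# gen_alias_rules ROOT SUFFIX
# Scan ROOT (use / on a real system) for symlinks whose target is the link's
# own name plus ".SUFFIX" and print one alias rule per match, with paths
# expressed relative to ROOT. Unrelated symlinks are skipped.
gen_alias_rules() {
    root=${1%/}
    suffix=$2
    printf '%s\n' "# Auto-generated AppArmor alias rules for .$suffix diversions." \
                  "# Do not edit by hand; changes will be lost when regenerated."
    find "${root:-/}" -type l | sort | while IFS= read -r link; do
        path=${link#"$root"}          # path as the kernel will see it
        target=$(readlink "$link")    # raw link target, may be relative
        case "$target" in
            /*) abs=$target ;;
            *)  abs="$(dirname "$path")/$target" ;;
        esac
        abs="/${abs#/}"               # collapse a doubled leading slash
        if [ "$abs" = "$path.$suffix" ]; then
            printf 'alias %s -> %s,\n' "$path" "$abs"
        fi
    done
}

# demo: build a constructed sample tree in a temp dir and run the generator
# on it. Two config-package-dev style diversions should yield alias rules;
# the unrelated /etc/localtime symlink should not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc"
    printf 'nameserver 10.152.152.10\n' > "$tmp/etc/resolv.conf.anondist"
    ln -s resolv.conf.anondist "$tmp/etc/resolv.conf"        # relative target
    : > "$tmp/etc/hosts.anondist"
    ln -s /etc/hosts.anondist "$tmp/etc/hosts"                # absolute target
    ln -s /usr/share/zoneinfo/UTC "$tmp/etc/localtime"        # not a diversion
    gen_alias_rules "$tmp" anondist
    rm -rf "$tmp"
}

# Number of alias rules the demo produces (used to check the result).
demo_rule_count() {
    demo | grep -c '^alias '
}

# On a real system the call would instead be something like
#   gen_alias_rules / anondist > /etc/apparmor.d/tunables/home.d/anon-gw-dns-config.anondist
# followed by reloading the profiles (apparmor_parser -r); the post itself
# notes that the .anondist file name inside tunables/ is untested.
demo
```

The demo prints the two header comments followed by
`alias /etc/hosts -> /etc/hosts.anondist,` and
`alias /etc/resolv.conf -> /etc/resolv.conf.anondist,`; the localtime link
produces nothing because its target is not the link name plus the suffix.
Because alias rules are global and live in a file included for every
profile, regenerating this file is enough to cover all diversions without
touching individual profiles, which is the property the post relies on.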

