AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie:
Install the old click:
$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
 "template": "ubuntu-webapp",
 "policy_groups": [
  "audio",
  "location",
  "networking",
  "video"
 ],
 "policy_version": 1.0
}

Install a click with an updated security manifest but same version:
$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
 "template": "ubuntu-webapp",
 "policy_groups": [
  "audio",
  "location",
  "networking",
  "video",
  "camera"
 ],
 "policy_version": 1.0
}

Notice that while the contents of the security manifest are updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:

  if (is_symlink (link) && FileUtils.read_link (link) == target)
      return;

One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click-apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky.

https://bugs.launchpad.net/bugs/1549369

Title:
  Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.

Status in Client Developer Experience: New
Status in Canonical System Image: Confirmed
Status in click-apparmor package in Ubuntu: Confirmed

Bug description:
  On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update.

  As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmor manifest and deployed the new .click package.

  Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier.

  Reference of a similar bug, which was however more Snappy specific:
  https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744
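
The two staleness checks discussed in the comment above, side by side, as an added example that is not code from click or click-apparmor. The function names, the file layout and the comparison against a generated profile's mtime are assumptions made for illustration; the manifests are constructed sample data.

```python
import json
import os
import tempfile

def stale_by_link_mtime(link, profile):
    """Model of the behaviour in the report: only the symlink's own mtime counts."""
    # lstat reads the symlink's timestamps, not those of the file it points to
    return os.lstat(link).st_mtime_ns > os.stat(profile).st_mtime_ns

def stale_with_target_ctime(link, profile):
    """Suggested alternative: also consider the ctime of the symlink's target."""
    newest = max(os.lstat(link).st_mtime_ns, os.stat(link).st_ctime_ns)
    return newest > os.stat(profile).st_mtime_ns

def write_manifest(path, groups):
    # Unpack-style replacement: the new file gets a fresh ctime
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"template": "ubuntu-webapp", "policy_groups": groups,
                   "policy_version": 1.0}, f)
    os.replace(tmp, path)

def demo():
    """Reinstall the same version with a changed manifest; return check results."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "pkg_0.7_manifest.json")  # hypothetical package file
        link = os.path.join(d, "hook_0.7.json")            # hypothetical hook symlink
        profile = os.path.join(d, "profile")               # hypothetical generated profile
        groups = ["audio", "location", "networking", "video"]
        write_manifest(target, groups)
        os.symlink(target, link)
        open(profile, "w").close()
        # Backdate the first install: symlink created, profile generated after it
        old = 1_000_000_000 * 10**9
        os.utime(link, ns=(old, old), follow_symlinks=False)
        os.utime(profile, ns=(old + 10**9, old + 10**9))
        # Same-version reinstall: target replaced, symlink left untouched
        write_manifest(target, groups + ["camera"])
        before = (stale_by_link_mtime(link, profile),
                  stale_with_target_ctime(link, profile))
        os.utime(profile)  # profile regenerated now
        after = stale_with_target_ctime(link, profile)
        return before, after

if __name__ == "__main__":
    print(demo())
```
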