AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie:

Install the old click:

$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video"
  ],
  "policy_version": 1.0
}

Install a click with an updated security manifest but same version:

$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video",
    "camera"
  ],
  "policy_version": 1.0
}

Notice that while the contents of the security manifest are updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:

    if (is_symlink (link) && FileUtils.read_link (link) == target)
        return;

One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click-apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky.
https://bugs.launchpad.net/bugs/1549369

Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
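
Added example, not part of the original comment and not code from click or click-apparmor: it reproduces the early return quoted from install_link() and shows that the alternative check described above (target ctime against symlink mtime) notices the changed manifest. The function names and temporary paths are illustrative, and it assumes the manifest is rewritten in place at the same path.

```python
import json
import os
import tempfile
import time


def install_link(target, link):
    """Python rendering of the early return quoted from install_link()."""
    if os.path.islink(link) and os.readlink(link) == target:
        return  # link left untouched, so its mtime stays at first install
    if os.path.lexists(link):
        os.unlink(link)
    os.symlink(target, link)


def manifest_newer_than_link(link):
    """Alternative check from the comment: target ctime vs. symlink mtime."""
    target_ctime = os.stat(link).st_ctime_ns   # follows the symlink
    link_mtime = os.lstat(link).st_mtime_ns    # the symlink itself
    return target_ctime > link_mtime


def write_manifest(path, groups):
    with open(path, "w") as f:
        json.dump({"template": "ubuntu-webapp", "policy_groups": groups,
                   "policy_version": 1.0}, f)


def demo():
    """Return (link_mtime_unchanged, stale_before, stale_after)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "manifest.json")  # constructed paths
        link = os.path.join(d, "app_0.7.json")
        groups = ["audio", "location", "networking", "video"]
        write_manifest(target, groups)
        install_link(target, link)
        first_mtime = os.lstat(link).st_mtime_ns
        stale_before = manifest_newer_than_link(link)
        time.sleep(0.1)  # step past filesystem timestamp granularity
        write_manifest(target, groups + ["camera"])  # same version, new policy
        install_link(target, link)                   # hits the early return
        unchanged = os.lstat(link).st_mtime_ns == first_mtime
        return unchanged, stale_before, manifest_newer_than_link(link)


if __name__ == "__main__":
    print(demo())
```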