AIUI this is not a bug in click-apparmor but click itself. While the
hook is being run, click isn't updating the timestamps on the click hook
symlink. I.e.:

Install the old click:
$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json 
...
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video"
  ],
  "policy_version": 1.0
}


Install a click with an updated security manifest but same version:
$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json 
...
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...

$ cat /var/lib/apparmor/clicks/*_0.7.json
{
  "template": "ubuntu-webapp",
  "policy_groups": [
    "audio",
    "location",
    "networking",
    "video",
    "camera"
  ],
  "policy_version": 1.0
}

Notice that while the contents of the security manifest are updated, the mtime
of the symlink was not. click-apparmor currently requires that the mtime be
updated. This is due to install_link() in lib/click/hooks.vala:
    if (is_symlink (link) && FileUtils.read_link (link) == target)
        return;

One way to achieve this would be to recreate the symlink on install if
the symlink exists. Alternatively, click-apparmor could also consider
the ctime of the target file compared to the symlink's mtime. While it
seems like a fix in click is the right choice, I believe only click-
apparmor cares about these sorts of things, and a change there would be
localized to only click-apparmor and therefore less risky.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1549369

Title:
  Updating the apparmor manifest and deploying the new code without
  increasing app version does not trigger apparmor profile update on the
  device.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
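
Added example, not part of the original bug comment and not code from click or click-apparmor: it replays the same-version reinstall on constructed temporary files and compares a check that looks only at the symlink's mtime with the alternative that also looks at the ctime of the symlink's target. The function names, file names and the stand-in profile file are assumptions made for the illustration.

```python
import json
import os
import tempfile
import time


def stale_link_only(link, profile):
    """Behaviour described in the comment: only the symlink's own mtime counts."""
    return os.lstat(link).st_mtime_ns > os.stat(profile).st_mtime_ns


def stale_link_or_target(link, profile):
    """Suggested alternative: also compare the ctime of the symlink's target."""
    newest = max(os.lstat(link).st_mtime_ns, os.stat(link).st_ctime_ns)
    return newest > os.stat(profile).st_mtime_ns


def write_manifest(path, policy_groups):
    with open(path, "w") as f:
        json.dump({"template": "ubuntu-webapp",
                   "policy_groups": policy_groups,
                   "policy_version": 1.0}, f, indent=2)


def demo(pause=0.1):
    """Replay the reinstall on constructed files; returns the observations."""
    groups = ["audio", "location", "networking", "video"]
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "manifest-0.7.json")   # constructed names
        link = os.path.join(d, "hook_0.7.json")
        profile = os.path.join(d, "hook_0.7.profile")   # stand-in for the profile

        write_manifest(target, groups)       # first install
        os.symlink(target, link)
        time.sleep(pause)
        open(profile, "w").close()           # profile generated afterwards
        before = (stale_link_only(link, profile),
                  stale_link_or_target(link, profile))

        time.sleep(pause)
        link_mtime = os.lstat(link).st_mtime_ns
        # Same-version reinstall: the link already points at target, so it is
        # left alone and only the manifest behind it changes.
        write_manifest(target, groups + ["camera"])
        return {
            "before": before,
            "link_mtime_unchanged": os.lstat(link).st_mtime_ns == link_mtime,
            "link_only": stale_link_only(link, profile),
            "link_or_target": stale_link_or_target(link, profile),
        }
```

After the reinstall the link-only check still reports the profile as current, while the target-aware check reports it as stale.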