AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. I.e.:
Install the old click:
$ cd old
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
"template": "ubuntu-webapp",
"policy_groups": [
"audio",
"location",
"networking",
"video"
],
"policy_version": 1.0
}
Install a click with an updated security manifest but same version:
$ cd ../new
$ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
...
$ stat /var/lib/apparmor/clicks/*_0.7.json
...
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-03-08 16:31:16.352376489 -0600
Modify: 2016-03-08 16:31:16.288376439 -0600
Change: 2016-03-08 16:31:16.288376439 -0600
...
$ cat /var/lib/apparmor/clicks/*_0.7.json
{
"template": "ubuntu-webapp",
"policy_groups": [
"audio",
"location",
"networking",
"video",
"camera"
],
"policy_version": 1.0
}
Notice that while the contents of the security manifest are updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:
if (is_symlink (link) && FileUtils.read_link (link) == target)
return;
One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click-apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky.
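
The behaviour described in the comment above, as an added Python sketch that is not part of the original comment and is not code from click or click-apparmor: install_link() here models only the two quoted Vala lines, and target_newer_than_link() is one reading of the proposed ctime comparison. File names, the write-then-rename update and the helper names are assumptions made for the demonstration.

```python
import json
import os
import tempfile
import time


def install_link(target, link):
    """Python model of the early return quoted from install_link()."""
    if os.path.islink(link) and os.readlink(link) == target:
        return  # link already points at target: its timestamps stay as they were
    if os.path.lexists(link):
        os.unlink(link)
    os.symlink(target, link)


def target_newer_than_link(link):
    """Proposed alternative: target's ctime compared with the symlink's own mtime."""
    return os.stat(link).st_ctime_ns > os.lstat(link).st_mtime_ns


def write_manifest(path, groups):
    """Write a manifest beside path, then rename it into place (assumed update style)."""
    tmp = path + ".new"
    with open(tmp, "w") as f:
        json.dump({"template": "ubuntu-webapp", "policy_groups": groups,
                   "policy_version": 1.0}, f)
    os.replace(tmp, path)


def simulate_same_version_reinstall():
    """Return (link mtime unchanged?, flagged before update?, flagged after update?)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "pkg.json")          # constructed paths
        link = os.path.join(d, "pkg_app_0.7.json")
        old = ["audio", "location", "networking", "video"]
        write_manifest(target, old)
        install_link(target, link)
        mtime_before = os.lstat(link).st_mtime_ns
        flagged_before = target_newer_than_link(link)
        time.sleep(0.1)                               # let the filesystem clock advance
        write_manifest(target, old + ["camera"])      # same version, new policy group
        install_link(target, link)                    # takes the early return
        unchanged = os.lstat(link).st_mtime_ns == mtime_before
        return unchanged, flagged_before, target_newer_than_link(link)


if __name__ == "__main__":
    print(simulate_same_version_reinstall())
```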