Comment 4 for bug 1553797

Martin Pitt (pitti) wrote :

Summary from IRC discussion:

This isn't sufficient yet as it will still need to regenerate the profiles at the beginning, due to the changing /tmp/adt-run.XXXX paths. It's also a bit ugly as this is supposed to be an internal implementation detail which I wouldn't like to expose for eternity in a command line option.

Alternative proposal:

 (1) apparmor_click() should become a no-op if /var/cache/apparmor/click-ap.rules already exists (http://paste.ubuntu.com/15335183/)
 (2) apparmor_restore_click() is already a no-op if apparmor_click() didn't do anything (no change needed)
 (3) add a setup script which sets a blanket /tmp/adt-run.*/** in the AppArmor policy, so that it works for any run

This would keep the current "correct, but slow" behavior and avoid exposing the internals as CLI args, but if you choose to use the setup script once (either manually after you (re)install the phone, or via adt-run --setup-commands) then adt-run will not touch the apparmor profiles at all, and things should be fast.

The script should look like this:

---------- 8< -----------------
# Write the blanket rules once; the here-document needs its closing EOF.
cat <<EOF > /var/cache/apparmor/click-ap.rules
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
---------- 8< -----------------

Omer, could you test the above patch and that setup script and make sure it DTRT?