Comment 8 for bug 1553797

Martin Pitt (pitti) wrote:

> My previous comment came as I had been inspecting that aa-clickhook was called after temporary debs were installed in the /tmp/adt-run.XXXX directory.

Right, that's necessary as otherwise we don't know the precise file paths, and the on-demand added AA profile tries to minimize extra privileges. But the blanket "/tmp/adt-run.**" rule allows all of them. Thus it's less safe/robust, but can be applied once right after installing the phone, and then never again.

I committed the adt_testbed.py logic update, which is certainly the more urgent part:
http://anonscm.debian.org/cgit/autopkgtest/autopkgtest.git/commit/?id=3a596b638

The bit I don't understand about your apparmor-rules-update-lite script is why you'd want to call aa-clickhook at all if the file already exists -- that should be a no-op then (without --force)?

My initial idea was to have this literal script:

---------- 8< -----------------
cat <<EOF > /var/cache/apparmor/click-ap.rules
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
aa-clickhook --force --include=/var/cache/apparmor/click-ap.rules
---------- 8< -----------------

You could run this script after you flash the phone, or the first time you run a test on that device, and then never again. If you always want to specify it in --setup-commands, it could also exit right away if /var/cache/apparmor/click-ap.rules already exists.

I might still not understand something here, of course.
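The idempotent variant sketched in the comment above (write the rules file once, call aa-clickhook with --force and --include, and exit right away on later runs if /var/cache/apparmor/click-ap.rules already exists), as an added example that is not part of Martin's comment or of the autopkgtest project. The rules file path and the aa-clickhook command are parameterised through the RULES_FILE and AA_CLICKHOOK variables (an assumption of this example, not something the page describes) so the logic can be exercised in a scratch directory with a stub hook; the two rule lines are copied verbatim from the script in the comment.

```shell
#!/bin/sh
# Idempotent one-shot setup of the click-ap.rules AppArmor include.
# RULES_FILE / AA_CLICKHOOK overrides are an assumption of this example so the
# script can be tested with a stub hook; the defaults match the comment above.
set -eu

RULES_FILE="${RULES_FILE:-/var/cache/apparmor/click-ap.rules}"
AA_CLICKHOOK="${AA_CLICKHOOK:-aa-clickhook}"

# install_click_ap_rules RULES_FILE HOOK_CMD
# Prints "already-installed" and does nothing if RULES_FILE exists, so the
# script is safe to list in --setup-commands on every run.  Otherwise it writes
# the two rules and regenerates the click profiles via HOOK_CMD, then prints
# "installed".
install_click_ap_rules() {
    rules_file="$1"
    hook_cmd="$2"

    if [ -e "$rules_file" ]; then
        echo "already-installed"
        return 0
    fi

    mkdir -p "$(dirname "$rules_file")"
    # Rule lines taken from the comment: session-bus access to Autopilot and
    # read access to the temporary debs unpacked under /tmp/adt-run.XXXX.
    cat <<EOF > "$rules_file"
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF

    # --force regenerates profiles even though they already exist.
    "$hook_cmd" --force --include="$rules_file"
    echo "installed"
}

# Only touch the real system when explicitly asked, so sourcing the file for
# tests has no side effects:  sh click-ap-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    install_click_ap_rules "$RULES_FILE" "$AA_CLICKHOOK"
fi
```

Run it once after flashing the phone with `--apply`, or put it in --setup-commands; the second and later invocations hit the existence check and return before touching aa-clickhook, which is the behaviour the comment asks for.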