> My previous comment came as I had inspected that aa-clickhook was called after temporary debs were installed in the /tmp/adt-run.XXXX directory.

Right, that's necessary as otherwise we don't know the precise file paths, and the on-demand added AA profile tries to minimize extra privileges. But the blanket "/tmp/adt-run.**" rule allows all of them. Thus it's less safe/robust, but can be applied once right after installing the phone, and then never again.

I committed the adt_testbed.py logic update, which is certainly the more urgent part:

http://anonscm.debian.org/cgit/autopkgtest/autopkgtest.git/commit/?id=3a596b638

The bit I don't understand about your apparmor-rules-update-lite script is why you'd want to call aa-clickhook at all if the file already exists -- that should be a no-op then (without --force)?

My initial idea was to have this literal script:

---------- 8< -----------------
cat <<EOF > /var/cache/apparmor/click-ap.rules
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
aa-clickhook --force --include=/var/cache/apparmor/click-ap.rules
---------- 8< -----------------

You could run this script after you flash the phone, or the first time you run a test on that device, and then never again. If you always want to specify it in --setup-commands, it could also exit right away if /var/cache/apparmor/click-ap.rules already exists.

I might still not understand something here, of course.

** Changed in: autopkgtest (Ubuntu)
       Status: New => In Progress

-- 
https://bugs.launchpad.net/bugs/1553797

Title:
  Provide a way to Update AppArmor rules for click tests only once
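
An idempotent form of the script in the message above, as an added example that is not part of the original message or of autopkgtest: it returns early when the rules file already exists, and removes the file again if aa-clickhook fails so that a failed first run is retried rather than skipped. `install_ap_rules`, `RULES_FILE` and `AA_CLICKHOOK` are hypothetical names introduced for the example; the default path, the rules and the aa-clickhook flags are the ones from the message.

```shell
#!/bin/sh
# Added example. RULES_FILE and AA_CLICKHOOK are hypothetical overrides
# (assumptions of this example) so the function can be exercised off-device.

install_ap_rules() {
    ap_rules="${RULES_FILE:-/var/cache/apparmor/click-ap.rules}"
    ap_hook="${AA_CLICKHOOK:-aa-clickhook}"

    # Rules were already applied on this device: do not run aa-clickhook again.
    if [ -e "$ap_rules" ]; then
        return 0
    fi

    # Write under a temporary name first, so an interrupted run never leaves
    # a partial file that a later run would treat as "already applied".
    ap_tmp="$ap_rules.tmp.$$"
    if ! cat > "$ap_tmp" <<'EOF'
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
    then
        rm -f "$ap_tmp"
        return 1
    fi
    if ! mv "$ap_tmp" "$ap_rules"; then
        rm -f "$ap_tmp"
        return 1
    fi

    # Regenerate the click profiles once with the extra rules included.
    if ! "$ap_hook" --force --include="$ap_rules"; then
        # The file doubles as the "done" marker: drop it on failure so the
        # next run retries instead of silently skipping the hook.
        rm -f "$ap_rules"
        return 1
    fi
    return 0
}
```

To use it as a stand-alone script, add a final `install_ap_rules` line.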