[Bug 1553797] Re: Provide a way to Update AppArmor rules for click tests only once

Martin Pitt martin.pitt at ubuntu.com
Fri Mar 11 15:06:13 UTC 2016


> My previous comment came as I had inspected that aa-clickhook was
> called after temporary debs were installed in /tmp/adt-run.XXXX
> directory.

Right, that's necessary as otherwise we don't know the precise file
paths, and the on-demand added AA profile tries to minimize extra
privileges. But the blanket "/tmp/adt-run.**" rule allows all of them.
Thus it's less safe/robust, but can be applied once right after
installing the phone, and then never again.

I committed the adt_testbed.py logic update, which is certainly the more urgent part:
http://anonscm.debian.org/cgit/autopkgtest/autopkgtest.git/commit/?id=3a596b638

The bit I don't understand about your apparmor-rules-update-lite script
is why you'd want to call aa-clickhook at all if the file already exists
-- that should be a no-op then (without --force)?

My initial idea was to have this literal script:

---------- 8< -----------------
cat <<EOF > /var/cache/apparmor/click-ap.rules
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
aa-clickhook --force --include=/var/cache/apparmor/click-ap.rules
---------- 8< -----------------

You could run this script after you flash the phone, or the first time
you run a test on that device, and then never again. If you always want
to specify it in --setup-commands, it could also exit right away if
/var/cache/apparmor/click-ap.rules already exists.

I might still not understand something here, of course.

** Changed in: autopkgtest (Ubuntu)
       Status: New => In Progress

-- 
https://bugs.launchpad.net/bugs/1553797

Title:
  Provide a way to Update AppArmor rules for click tests only once

Status in autopkgtest package in Ubuntu:
  In Progress

Bug description:
  We use autopkgtest in ubuntu-system-tests project to run those tests
  on the touch device. While developing the tests, it becomes a bit of a
  challenge to run the tests as it takes a few moments to update AppArmor
  rules for click.

  As part of profiling for ubuntu-system-tests, we found it takes more
  than a minute each time to update AppArmor rules. So we probably need
  some kind of parameter to adt-run to not delete the
  /var/cache/apparmor/click-ap.rules file after running tests.
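
The exit-early variant suggested in the message above, as an added example that is not part of the original message or of autopkgtest. It goes one step beyond an existence check by comparing the file's content, so a stale file holding other rules is replaced; the function names, the RULES/HOOK overrides and the --apply argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not autopkgtest code. RULES and HOOK default to the path and
# command from the message; both are overridable for a dry run off-device.
RULES="${RULES:-/var/cache/apparmor/click-ap.rules}"
HOOK="${HOOK:-aa-clickhook}"

# The two rules from the message. The /tmp/adt-run.** line is the blanket
# read rule: broader than the per-test paths, but stable across runs.
wanted_rules() {
    cat <<'EOF'
dbus (receive, send) bus=session path=/com/canonical/Autopilot/**,
/tmp/adt-run.** r,
EOF
}

# Sets ACTION to "skipped" when the file already holds exactly these rules,
# or to "updated" after rewriting it and regenerating the click profiles.
ensure_click_ap_rules() {
    if [ -f "$RULES" ] && wanted_rules | cmp -s - "$RULES"; then
        ACTION=skipped
        return 0
    fi
    tmp="$RULES.tmp.$$"
    wanted_rules > "$tmp" || return 1
    mv "$tmp" "$RULES" || return 1
    # If regeneration fails, drop the file so the next run retries instead
    # of skipping with profiles that were never rebuilt.
    "$HOOK" --force --include="$RULES" || { rm -f "$RULES"; return 1; }
    ACTION=updated
}

# "--apply" is this example's own argument, not an adt-run or aa-clickhook flag.
if [ "${1:-}" = "--apply" ]; then
    ensure_click_ap_rules && echo "click-ap.rules: $ACTION"
fi
```

Because the blanket rule is written once and then left in place, reviewing the file's content after flashing is the only point at which the extra read access is checked.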
