Provided by: click-apparmor_0.3.18_amd64 bug

NAME

       aa-clickhook - click system hook for AppArmor

DESCRIPTION

       When  a click package is installed, click will run system and user hooks. The click AppArmor system hook converts the security manifest in the click package into an AppArmor profile, then loads the profile into the
       kernel. On Ubuntu, the click AppArmor hook maps click frameworks to appropriate policy versions to ensure correct AppArmor policy is generated.

       By default, symlinks to the click security manifests are stored in /var/lib/apparmor/clicks. The generated AppArmor profiles are stored in /var/lib/apparmor/profiles with the corresponding profile caches stored  in
       /var/cache/apparmor/apparmor.

       When  aa-clickhook  is  run  without  arguments,  it  will  generate  missing AppArmor profiles for the security manifests. In addition, aa-clickhook will check the mtime of the symlink of the security manifest and
       regenerate any AppArmor profiles with an mtime older than the corresponding security manifest.

USAGE

       aa-clickhook [OPTIONS]

OPTIONS

       -h     show program's help

       -f | --force | --force-regenerate
              Force regeneration of all click profiles

       --include=PATH
              Add '#include "PATH"' to generated profiles

OVERRIDES AND ADDITIONAL ACCESS

       click-apparmor supports overriding the policy specified in the click security manifest. Overrides are optional and are specified in the same directory as the click security manifest, but with ".override"  appended.
       They  use  the  same json format and structure as their corresponding click security manifests, but use only the manifest keys related to AppArmor policy. Overrides may be specified for abstractions, policy_groups,
       read_path and write_path. Overrides only subtract from policy and cannot be used to provide additional access.

       Similarly, click-apparmor supports adding access to the policy specified in the click security manifest. This additional access is specified  in  the  same  directory  as  the  click  security  manifest,  but  with
       ".additional"  appended. This uses the same json format and structure as their corresponding click security manifests, but uses only the manifest keys related to AppArmor policy.  Additional access may be specified
       for abstractions, policy_groups, read_path and write_path. Specifying additional access in this manner must be done with care since the additional access could allow escaping confinement.

       After creating or updating an override or additional access, you must run aa-clickhook to put the changes into effect. To unapply an override or additional access, remove the  file,  update  the  timestamp  on  the
       security manifest (see below), then run aa-clickhook.

NOTES

       aa-clickhook will skip generating AppArmor policy if the framework is missing, if the specified policy version doesn't match the expected version for the framework, or otherwise improperly formatted click packages.

       When reinstalling a click with the same version, it may be useful to regenerate the AppArmor profile like so:

         # touch -h /var/lib/apparmor/clicks/<click security>.json
         # aa-clickhook

       or if need to regenerate with an include file (eg, for autopilot):

         # touch -h /var/lib/apparmor/clicks/<click security>.json
         # aa-clickhook \
           --include=/usr/share/autopilot-touch/apparmor/click.rules

SEE ALSO

       apparmor(7) click(1)