NAME

       aa-clickhook - click system hook for AppArmor

DESCRIPTION

       When  a  click package is installed, click will run system and user hooks. The click AppArmor system hook
       converts the security manifest in the click package into an AppArmor profile, then loads the profile into
       the  kernel.  On  Ubuntu, the click AppArmor hook maps click frameworks to appropriate policy versions to
       ensure correct AppArmor policy is generated.

       By default, symlinks to  the  click  security  manifests  are  stored  in  /var/lib/apparmor/clicks.  The
       generated  AppArmor  profiles  are  stored  in  /var/lib/apparmor/profiles with the corresponding profile
       caches stored in /var/cache/apparmor/apparmor.

       When aa-clickhook is run without arguments, it will generate missing AppArmor profiles for  the  security
       manifests.  In  addition,  aa-clickhook  will check the mtime of the symlink of the security manifest and
       regenerate any AppArmor profiles with an mtime older than the corresponding security manifest.

USAGE

       aa-clickhook [OPTIONS]

OPTIONS

       -h     show program's help

       -f | --force | --force-regenerate
              Force regeneration of all click profiles

       --include=PATH
              Add '#include "PATH"' to generated profiles

OVERRIDES AND ADDITIONAL ACCESS

       click-apparmor supports overriding the policy specified in the click  security  manifest.  Overrides  are
       optional  and  are  specified  in the same directory as the click security manifest, but with ".override"
       appended. They use the same json format and structure as their corresponding  click  security  manifests,
       but  use  only the manifest keys related to AppArmor policy. Overrides may be specified for abstractions,
       policy_groups, read_path and write_path. Overrides only subtract  from  policy  and  cannot  be  used  to
       provide additional access.

       Similarly,  click-apparmor supports adding access to the policy specified in the click security manifest.
       This additional access is specified in the same directory  as  the  click  security  manifest,  but  with
       ".additional"  appended.  This  uses  the  same  json  format  and structure as their corresponding click
       security manifests, but uses only the manifest keys related to AppArmor policy.  Additional access may be
       specified for abstractions, policy_groups, read_path and write_path. Specifying additional access in this
       manner must be done with care since the additional access could allow escaping confinement.

       After creating or updating an override or additional access, you must run aa-clickhook to put the changes
       into  effect.  To  unapply an override or additional access, remove the file, update the timestamp on the
       security manifest (see below), then run aa-clickhook.

NOTES

       aa-clickhook will skip generating AppArmor policy if the framework is missing, if  the  specified  policy
       version  doesn't  match  the  expected version for the framework, or otherwise improperly formatted click
       packages.

       When reinstalling a click with the same version, it may be useful to regenerate the AppArmor profile like
       so:

         # touch -h /var/lib/apparmor/clicks/<click security>.json
         # aa-clickhook

       or if need to regenerate with an include file (eg, for autopilot):

         # touch -h /var/lib/apparmor/clicks/<click security>.json
         # aa-clickhook \
           --include=/usr/share/autopilot-touch/apparmor/click.rules

SEE ALSO

       apparmor(7) click(1)