Comment 7 for bug 1337253

The aa-clickhook command works within the click system hook system and as such will generate profiles apparmor for any click packages that have a security manifest defined but do not have an apparmor profile generated for the manifest. It will regenerate apparmor profiles if the mtime on the symlink to the security manifest in /var/lib/apparmor/clicks is newer than the mtime of the apparmor profile. aa-clickhook -f unconditionally regenerates all the profiles.

In thinking about this, you can leverage this behavior like so:
1. phablet-config $ADBOPTS autopilot --dbus-probe enable
2. install list of clicks
3. touch -h /var/lib/apparmor/clicks/<list of profiles>.json
4. aa-clickhook --include=/usr/share/autopilot-touch/apparmor/click.rules

I verified this works as intended-- only those clicks whose security manifest was touched get the profile regenerated. I will update the man page for aa-clickhook for all of this.