s/apparmor: improve testing and documentation of NotifySocketPath

Signed-off-by: Oliver Calder <[email protected]>
canonical · Feb 28, 2025 · ba6dff8 · ba6dff8
1 parent ea2bf42
commit ba6dff8
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
@@ -305,11 +305,19 @@ const (
 )
 
 var (
-	ConfDir                string
-	CacheDir               string
-	SystemCacheDir         string
+	// ConfDir is the path to the directory holding AppArmor configuration.
+	ConfDir string
+	// CacheDir is the path to the cache directory for AppArmor.
+	CacheDir string
+	// SystemCacheDir is the path to the system cache directory for AppArmor,
+	// which may or may not be different from CacheDir.
+	SystemCacheDir string
+	// SnapConfineAppArmorDir is the path to the AppArmor snap confine
+	// directory.
 	SnapConfineAppArmorDir string
-	NotifySocketPath       string
+	// NotifySocketPath is the path to the socket over which listeners can
+	// communicate with AppArmor in the kernel.
+	NotifySocketPath string
 )
 
 func setupConfCacheDirs(newrootdir string) {

diff --git a/sandbox/apparmor/apparmor_test.go b/sandbox/apparmor/apparmor_test.go
@@ -904,6 +904,10 @@ func (s *apparmorSuite) TestSetupConfCacheDirsWithInternalApparmor(c *C) {
 func (s *apparmorSuite) TestSetupNotifySocketPath(c *C) {
 	apparmor.SetupNotifySocketPath("/newdir")
 	c.Check(apparmor.NotifySocketPath, Equals, "/newdir/sys/kernel/security/apparmor/.notify")
+
+	newRoot := c.MkDir()
+	dirs.SetRootDir(newRoot)
+	c.Check(apparmor.NotifySocketPath, Equals, filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify"))
 }
 
 func (s *apparmorSuite) TestSystemAppArmorLoadsSnapPolicyErr(c *C) {