diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
index 7148a901042..4adc82b1170 100644
--- a/sandbox/apparmor/apparmor.go
+++ b/sandbox/apparmor/apparmor.go
@@ -305,11 +305,19 @@ const (
 )
 
 var (
- ConfDir string
- CacheDir string
- SystemCacheDir string
+ // ConfDir is the path to the directory holding AppArmor configuration.
+ ConfDir string
+ // CacheDir is the path to the cache directory for AppArmor.
+ CacheDir string
+ // SystemCacheDir is the path to the system cache directory for AppArmor,
+ // which may or may not be different from CacheDir.
+ SystemCacheDir string
+ // SnapConfineAppArmorDir is the path to the AppArmor snap confine
+ // directory.
 SnapConfineAppArmorDir string
- NotifySocketPath string
+ // NotifySocketPath is the path to the socket over which listeners can
+ // communicate with AppArmor in the kernel.
+ NotifySocketPath string
 )
 
 func setupConfCacheDirs(newrootdir string) {
diff --git a/sandbox/apparmor/apparmor_test.go b/sandbox/apparmor/apparmor_test.go
index b8b9d0c54e6..78c465518cb 100644
--- a/sandbox/apparmor/apparmor_test.go
+++ b/sandbox/apparmor/apparmor_test.go
@@ -904,6 +904,10 @@ func (s *apparmorSuite) TestSetupConfCacheDirsWithInternalApparmor(c *C) {
 func (s *apparmorSuite) TestSetupNotifySocketPath(c *C) {
 apparmor.SetupNotifySocketPath("/newdir")
 c.Check(apparmor.NotifySocketPath, Equals, "/newdir/sys/kernel/security/apparmor/.notify")
+
+ newRoot := c.MkDir()
+ dirs.SetRootDir(newRoot)
+ c.Check(apparmor.NotifySocketPath, Equals, filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify"))
 }
 
 func (s *apparmorSuite) TestSystemAppArmorLoadsSnapPolicyErr(c *C) {
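Review bot: The new comments in the `var (` block say what each path is, but not that these are mutable exported package variables whose values are derived from the root directory. The test changed in this same commit expects `NotifySocketPath` to follow `dirs.SetRootDir`, so the values are evidently rewritten at runtime. Because they select where AppArmor configuration, cache and the notify endpoint are looked up, that contract is worth stating once above the group, for example `// These paths are derived from the root directory and are recomputed when it changes; code outside this package should treat them as read-only.` Please confirm that the same recomputation applies to the other four variables before adopting that wording, since only `NotifySocketPath` is exercised here. The comment on `SnapConfineAppArmorDir` also mostly restates the name and could say what the directory holds.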
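Review bot: The added lines in `TestSetupNotifySocketPath` call `dirs.SetRootDir(newRoot)` but never restore the previous root, so the package-level `apparmor.NotifySocketPath` (and whatever else follows the root dir) is left pointing into a temporary directory once the test returns. Unless the suite's teardown, which is outside this hunk, already resets it, later tests can pass or fail depending on execution order. Adding `defer dirs.SetRootDir("")` right after the call would contain the change. The `"/newdir"` value set by `SetupNotifySocketPath` at the top of the test is likewise never reset. As a smaller style point, `filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify")` works only because Join cleans the leading slash; a relative second argument, `"sys/kernel/security/apparmor/.notify"`, would make the intent clearer.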