many: move notify.SysPath to apparmor.NotifySocketPath

Move the definition of the notify socket path from the notify package into the apparmor package. This means that the apparmor package no longer needs to import the notify package, so the notify package can import the apparmor package in the future without a circular import. Signed-off-by: Oliver Calder <[email protected]>
canonical · Feb 28, 2025 · ea2bf42 · ea2bf42
1 parent d086b44
commit ea2bf42
Show file tree

Hide file tree

Showing 10 changed files with 41 additions and 65 deletions.
diff --git a/overlord/configstate/configcore/prompting_test.go b/overlord/configstate/configcore/prompting_test.go
@@ -48,7 +48,6 @@ import (
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/sandbox/apparmor"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 )
@@ -70,7 +69,7 @@ func (s *promptingSuite) SetUpTest(c *C) {
 		[]string{"prompt"}, nil,
 	))
 	// mock the presence of the notification socket
-	os.MkdirAll(notify.SysPath, 0o755)
+	os.MkdirAll(apparmor.NotifySocketPath, 0o755)
 	// mock the presence of permstable32_version with supported version
 	s.AddCleanup(apparmor.MockFsRootPath(dirs.GlobalRootDir))
 	os.MkdirAll(filepath.Join(dirs.GlobalRootDir, "sys/kernel/security/apparmor/features/policy"), 0o755)

diff --git a/sandbox/apparmor/apparmor.go b/sandbox/apparmor/apparmor.go
@@ -35,7 +35,6 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snapdtool"
 	"github.com/snapcore/snapd/strutil"
 )
@@ -305,6 +304,14 @@ const (
 	Full
 )
 
+var (
+	ConfDir                string
+	CacheDir               string
+	SystemCacheDir         string
+	SnapConfineAppArmorDir string
+	NotifySocketPath       string
+)
+
 func setupConfCacheDirs(newrootdir string) {
 	ConfDir = filepath.Join(newrootdir, "/etc/apparmor.d")
 	CacheDir = filepath.Join(newrootdir, "/var/cache/apparmor")
@@ -329,17 +336,17 @@ func setupConfCacheDirs(newrootdir string) {
 	SnapConfineAppArmorDir = filepath.Join(dirs.SnapdStateDir(newrootdir), "apparmor", snapConfineDir)
 }
 
+func setupNotifySocketPath(newrootdir string) {
+	NotifySocketPath = filepath.Join(newrootdir, "/sys/kernel/security/apparmor/.notify")
+}
+
 func init() {
 	dirs.AddRootDirCallback(setupConfCacheDirs)
 	setupConfCacheDirs(dirs.GlobalRootDir)
-}
 
-var (
-	ConfDir                string
-	CacheDir               string
-	SystemCacheDir         string
-	SnapConfineAppArmorDir string
-)
+	dirs.AddRootDirCallback(setupNotifySocketPath)
+	setupNotifySocketPath(dirs.GlobalRootDir)
+}
 
 func (level LevelType) String() string {
 	switch level {
@@ -464,7 +471,7 @@ func PromptingSupportedByFeatures(apparmorFeatures *FeaturesSupported) (bool, st
 			return false, "apparmor kernel features do not support prompting for file access"
 		}
 	}
-	if !notify.SupportAvailable() {
+	if !osutil.FileExists(NotifySocketPath) {
 		return false, "apparmor kernel notification socket required by prompting listener is not present"
 	}
 	version, err := probeKernelFeaturesPermstable32Version()

diff --git a/sandbox/apparmor/apparmor_test.go b/sandbox/apparmor/apparmor_test.go
@@ -34,7 +34,6 @@ import (
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/sandbox/apparmor"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snapdtool"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -765,7 +764,7 @@ func (s *apparmorSuite) TestPromptingSupported(c *C) {
 
 	// Create a file at the notify path, doesn't matter what kind of file.
 	// The actual file is a socket, but a directory will do here for convenience.
-	c.Assert(os.MkdirAll(notify.SysPath, 0o755), IsNil)
+	c.Assert(os.MkdirAll(apparmor.NotifySocketPath, 0o755), IsNil)
 	restore = apparmor.MockFeatures(goodKernelFeatures, nil, goodParserFeatures, nil)
 	defer restore()
 
@@ -902,6 +901,11 @@ func (s *apparmorSuite) TestSetupConfCacheDirsWithInternalApparmor(c *C) {
 	c.Check(apparmor.SnapConfineAppArmorDir, Equals, "/newdir/var/lib/snapd/apparmor/snap-confine.internal")
 }
 
+func (s *apparmorSuite) TestSetupNotifySocketPath(c *C) {
+	apparmor.SetupNotifySocketPath("/newdir")
+	c.Check(apparmor.NotifySocketPath, Equals, "/newdir/sys/kernel/security/apparmor/.notify")
+}
+
 func (s *apparmorSuite) TestSystemAppArmorLoadsSnapPolicyErr(c *C) {
 	fakeroot := c.MkDir()
 	dirs.SetRootDir(fakeroot)

diff --git a/sandbox/apparmor/export_test.go b/sandbox/apparmor/export_test.go
@@ -28,8 +28,9 @@ import (
 )
 
 var (
-	NumberOfJobsParam  = numberOfJobsParam
-	SetupConfCacheDirs = setupConfCacheDirs
+	NumberOfJobsParam     = numberOfJobsParam
+	SetupConfCacheDirs    = setupConfCacheDirs
+	SetupNotifySocketPath = setupNotifySocketPath
 )
 
 func MockRuntimeNumCPU(new func() int) (restore func()) {

diff --git a/sandbox/apparmor/notify/listener/export_test.go b/sandbox/apparmor/notify/listener/export_test.go
@@ -25,6 +25,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -56,7 +57,7 @@ func MockOsOpenWithSocket() (restore func()) {
 		if err != nil {
 			return nil, err
 		}
-		notifyFile := os.NewFile(uintptr(socket), notify.SysPath)
+		notifyFile := os.NewFile(uintptr(socket), apparmor.NotifySocketPath)
 		return notifyFile, nil
 	}
 	restore = MockOsOpen(f)

diff --git a/sandbox/apparmor/notify/listener/listener.go b/sandbox/apparmor/notify/listener/listener.go
@@ -32,6 +32,7 @@ import (
 
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 )
 
@@ -186,7 +187,7 @@ const (
 //
 // If the kernel does not support the notification mechanism the error is ErrNotSupported.
 func Register() (listener *Listener, err error) {
-	path := notify.SysPath
+	path := apparmor.NotifySocketPath
 	if override := os.Getenv("PROMPT_NOTIFY_PATH"); override != "" {
 		path = override
 	}

diff --git a/sandbox/apparmor/notify/listener/listener_test.go b/sandbox/apparmor/notify/listener/listener_test.go
@@ -37,6 +37,7 @@ import (
 	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify/listener"
 	"github.com/snapcore/snapd/testutil"
@@ -150,7 +151,7 @@ func (*listenerSuite) TestRegisterOverridePath(c *C) {
 	l, err := listener.Register()
 	c.Assert(err, IsNil)
 
-	c.Assert(outputOverridePath, Equals, notify.SysPath)
+	c.Assert(outputOverridePath, Equals, apparmor.NotifySocketPath)
 
 	err = l.Close()
 	c.Assert(err, IsNil)
@@ -191,7 +192,7 @@ func (*listenerSuite) TestRegisterErrors(c *C) {
 
 	l, err = listener.Register()
 	c.Assert(l, IsNil)
-	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open %q: %v", notify.SysPath, customError))
+	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open %q: %v", apparmor.NotifySocketPath, customError))
 
 	restoreOpen = listener.MockOsOpen(func(name string) (*os.File, error) {
 		placeholderSocket, err := unix.Socket(unix.AF_UNIX, unix.SOCK_STREAM, 0)
@@ -230,7 +231,7 @@ func (*listenerSuite) TestRegisterErrors(c *C) {
 
 	l, err = listener.Register()
 	c.Assert(l, IsNil)
-	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot register epoll on %q: bad file descriptor", notify.SysPath))
+	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot register epoll on %q: bad file descriptor", apparmor.NotifySocketPath))
 }
 
 // An expedient abstraction over notify.MsgNotificationFile to allow defining
@@ -449,11 +450,11 @@ func (*listenerSuite) TestRunMultipleRequestsInBuffer(c *C) {
 func (*listenerSuite) TestRunEpoll(c *C) {
 	sockets, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM, 0)
 	c.Assert(err, IsNil)
-	notifyFile := os.NewFile(uintptr(sockets[0]), notify.SysPath)
+	notifyFile := os.NewFile(uintptr(sockets[0]), apparmor.NotifySocketPath)
 	kernelSocket := sockets[1]
 
 	restoreOpen := listener.MockOsOpen(func(name string) (*os.File, error) {
-		c.Assert(name, Equals, notify.SysPath)
+		c.Assert(name, Equals, apparmor.NotifySocketPath)
 		return notifyFile, nil
 	})
 	defer restoreOpen()

diff --git a/sandbox/apparmor/notify/notify.go b/sandbox/apparmor/notify/notify.go
@@ -4,22 +4,10 @@ package notify
 import (
 	"errors"
 	"fmt"
-	"path/filepath"
 
 	"golang.org/x/sys/unix"
-
-	"github.com/snapcore/snapd/dirs"
-	"github.com/snapcore/snapd/osutil"
 )
 
-var SysPath string
-
-// SupportAvailable returns true if SysPath exists, indicating that apparmor
-// prompting messages may be received from SysPath.
-func SupportAvailable() bool {
-	return osutil.FileExists(SysPath)
-}
-
 var doIoctl = Ioctl
 
 // RegisterFileDescriptor registers a notification socket using the given file
@@ -56,12 +44,3 @@ func RegisterFileDescriptor(fd uintptr) (ProtocolVersion, error) {
 		return protocolVersion, nil
 	}
 }
-
-func setupSysPath(newrootdir string) {
-	SysPath = filepath.Join(newrootdir, "/sys/kernel/security/apparmor/.notify")
-}
-
-func init() {
-	dirs.AddRootDirCallback(setupSysPath)
-	setupSysPath(dirs.GlobalRootDir)
-}
diff --git a/sandbox/apparmor/notify/notify_test.go b/sandbox/apparmor/notify/notify_test.go
@@ -2,8 +2,6 @@ package notify_test
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	. "gopkg.in/check.v1"
@@ -30,25 +28,6 @@ func (s *notifySuite) SetUpTest(c *C) {
 	s.AddCleanup(func() { dirs.SetRootDir("") })
 }
 
-func (*notifySuite) TestSysPathBehavior(c *C) {
-	newRoot := c.MkDir()
-	newSysPath := filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify")
-	dirs.SetRootDir(newRoot)
-	c.Assert(notify.SysPath, Equals, newSysPath)
-}
-
-func (*notifySuite) TestSupportAvailable(c *C) {
-	newRoot := c.MkDir()
-	dirs.SetRootDir(newRoot)
-	c.Assert(notify.SupportAvailable(), Equals, false)
-	err := os.MkdirAll(filepath.Dir(notify.SysPath), 0755)
-	c.Assert(err, IsNil)
-	c.Assert(notify.SupportAvailable(), Equals, false)
-	_, err = os.Create(notify.SysPath)
-	c.Assert(err, IsNil)
-	c.Assert(notify.SupportAvailable(), Equals, true)
-}
-
 var fakeNotifyVersions = []notify.VersionAndCheck{
 	{
 		Version: 2,

diff --git a/sandbox/apparmor/notify/version.go b/sandbox/apparmor/notify/version.go
@@ -41,7 +41,11 @@ var (
 	// on the notify socket with that version, in which case we'll need to try
 	// the next version in the list.
 	versionLikelySupportedChecks = map[ProtocolVersion]func() bool{
-		3: SupportAvailable,
+		3: func() bool {
+			// If prompting is supported, version 3 is always assumed to be
+			// supported.
+			return true
+		},
 	}
 
 	// versionKnown returns true if the given protocol version is known by