many: move notify.SysPath to apparmor.NotifySocketPath

overlord/configstate/configcore/prompting_test.go

@@ -48,7 +48,6 @@ import (
 	"github.com/snapcore/snapd/overlord/state"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/sandbox/apparmor"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
 )
@@ -70,7 +69,7 @@ func (s *promptingSuite) SetUpTest(c *C) {
 		[]string{"prompt"}, nil,
 	))
 	// mock the presence of the notification socket
-	os.MkdirAll(notify.SysPath, 0o755)
+	os.MkdirAll(apparmor.NotifySocketPath, 0o755)
 	// mock the presence of permstable32_version with supported version
 	s.AddCleanup(apparmor.MockFsRootPath(dirs.GlobalRootDir))
 	os.MkdirAll(filepath.Join(dirs.GlobalRootDir, "sys/kernel/security/apparmor/features/policy"), 0o755)

sandbox/apparmor/apparmor.go

@@ -35,7 +35,6 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snapdtool"
 	"github.com/snapcore/snapd/strutil"
 )
@@ -305,6 +304,22 @@ const (
 	Full
 )
 
+var (
+	// ConfDir is the path to the directory holding AppArmor configuration.
+	ConfDir string
+	// CacheDir is the path to the cache directory for AppArmor.
+	CacheDir string
+	// SystemCacheDir is the path to the system cache directory for AppArmor,
+	// which may or may not be different from CacheDir.
+	SystemCacheDir string
+	// SnapConfineAppArmorDir is the path to the AppArmor snap confine
+	// directory.
+	SnapConfineAppArmorDir string
+	// NotifySocketPath is the path to the socket over which listeners can
+	// communicate with AppArmor in the kernel.
+	NotifySocketPath string
+)
+
 func setupConfCacheDirs(newrootdir string) {
 	ConfDir = filepath.Join(newrootdir, "/etc/apparmor.d")
 	CacheDir = filepath.Join(newrootdir, "/var/cache/apparmor")
@@ -329,17 +344,17 @@ func setupConfCacheDirs(newrootdir string) {
 	SnapConfineAppArmorDir = filepath.Join(dirs.SnapdStateDir(newrootdir), "apparmor", snapConfineDir)
 }
 
+func setupNotifySocketPath(newrootdir string) {
+	NotifySocketPath = filepath.Join(newrootdir, "/sys/kernel/security/apparmor/.notify")
+}
+
 func init() {
 	dirs.AddRootDirCallback(setupConfCacheDirs)
 	setupConfCacheDirs(dirs.GlobalRootDir)
-}
 
-var (
-	ConfDir                string
-	CacheDir               string
-	SystemCacheDir         string
-	SnapConfineAppArmorDir string
-)
+	dirs.AddRootDirCallback(setupNotifySocketPath)
+	setupNotifySocketPath(dirs.GlobalRootDir)
+}
 
 func (level LevelType) String() string {
 	switch level {
@@ -464,7 +479,7 @@ func PromptingSupportedByFeatures(apparmorFeatures *FeaturesSupported) (bool, st
 			return false, "apparmor kernel features do not support prompting for file access"
 		}
 	}
-	if !notify.SupportAvailable() {
+	if !osutil.FileExists(NotifySocketPath) {
 		return false, "apparmor kernel notification socket required by prompting listener is not present"
 	}
 	version, err := probeKernelFeaturesPermstable32Version()

sandbox/apparmor/apparmor_test.go

@@ -34,7 +34,6 @@ import (
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/sandbox/apparmor"
-	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/snapdtool"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -765,7 +764,7 @@ func (s *apparmorSuite) TestPromptingSupported(c *C) {
 
 	// Create a file at the notify path, doesn't matter what kind of file.
 	// The actual file is a socket, but a directory will do here for convenience.
-	c.Assert(os.MkdirAll(notify.SysPath, 0o755), IsNil)
+	c.Assert(os.MkdirAll(apparmor.NotifySocketPath, 0o755), IsNil)
 	restore = apparmor.MockFeatures(goodKernelFeatures, nil, goodParserFeatures, nil)
 	defer restore()
 
@@ -902,6 +901,15 @@ func (s *apparmorSuite) TestSetupConfCacheDirsWithInternalApparmor(c *C) {
 	c.Check(apparmor.SnapConfineAppArmorDir, Equals, "/newdir/var/lib/snapd/apparmor/snap-confine.internal")
 }
 
+func (s *apparmorSuite) TestSetupNotifySocketPath(c *C) {
+	apparmor.SetupNotifySocketPath("/newdir")
+	c.Check(apparmor.NotifySocketPath, Equals, "/newdir/sys/kernel/security/apparmor/.notify")
+
+	newRoot := c.MkDir()
+	dirs.SetRootDir(newRoot)
+	c.Check(apparmor.NotifySocketPath, Equals, filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify"))
+}
+
 func (s *apparmorSuite) TestSystemAppArmorLoadsSnapPolicyErr(c *C) {
 	fakeroot := c.MkDir()
 	dirs.SetRootDir(fakeroot)

sandbox/apparmor/export_test.go

@@ -28,8 +28,9 @@ import (
 )
 
 var (
-	NumberOfJobsParam  = numberOfJobsParam
-	SetupConfCacheDirs = setupConfCacheDirs
+	NumberOfJobsParam     = numberOfJobsParam
+	SetupConfCacheDirs    = setupConfCacheDirs
+	SetupNotifySocketPath = setupNotifySocketPath
 )
 
 func MockRuntimeNumCPU(new func() int) (restore func()) {

sandbox/apparmor/notify/listener/export_test.go

@@ -25,6 +25,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/testutil"
 )
@@ -56,7 +57,7 @@ func MockOsOpenWithSocket() (restore func()) {
 		if err != nil {
 			return nil, err
 		}
-		notifyFile := os.NewFile(uintptr(socket), notify.SysPath)
+		notifyFile := os.NewFile(uintptr(socket), apparmor.NotifySocketPath)
 		return notifyFile, nil
 	}
 	restore = MockOsOpen(f)

sandbox/apparmor/notify/listener/listener.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 )
 
@@ -186,7 +187,7 @@ const (
 //
 // If the kernel does not support the notification mechanism the error is ErrNotSupported.
 func Register() (listener *Listener, err error) {
-	path := notify.SysPath
+	path := apparmor.NotifySocketPath
 	if override := os.Getenv("PROMPT_NOTIFY_PATH"); override != "" {
 		path = override
 	}

sandbox/apparmor/notify/listener/listener_test.go

@@ -37,6 +37,7 @@ import (
 	"github.com/snapcore/snapd/arch"
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/osutil/epoll"
+	"github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify/listener"
 	"github.com/snapcore/snapd/testutil"
@@ -150,7 +151,7 @@ func (*listenerSuite) TestRegisterOverridePath(c *C) {
 	l, err := listener.Register()
 	c.Assert(err, IsNil)
 
-	c.Assert(outputOverridePath, Equals, notify.SysPath)
+	c.Assert(outputOverridePath, Equals, apparmor.NotifySocketPath)
 
 	err = l.Close()
 	c.Assert(err, IsNil)
@@ -191,7 +192,7 @@ func (*listenerSuite) TestRegisterErrors(c *C) {
 
 	l, err = listener.Register()
 	c.Assert(l, IsNil)
-	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open %q: %v", notify.SysPath, customError))
+	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot open %q: %v", apparmor.NotifySocketPath, customError))
 
 	restoreOpen = listener.MockOsOpen(func(name string) (*os.File, error) {
 		placeholderSocket, err := unix.Socket(unix.AF_UNIX, unix.SOCK_STREAM, 0)
@@ -230,7 +231,7 @@ func (*listenerSuite) TestRegisterErrors(c *C) {
 
 	l, err = listener.Register()
 	c.Assert(l, IsNil)
-	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot register epoll on %q: bad file descriptor", notify.SysPath))
+	c.Assert(err, ErrorMatches, fmt.Sprintf("cannot register epoll on %q: bad file descriptor", apparmor.NotifySocketPath))
 }
 
 // An expedient abstraction over notify.MsgNotificationFile to allow defining
@@ -449,11 +450,11 @@ func (*listenerSuite) TestRunMultipleRequestsInBuffer(c *C) {
 func (*listenerSuite) TestRunEpoll(c *C) {
 	sockets, err := unix.Socketpair(unix.AF_UNIX, unix.SOCK_STREAM, 0)
 	c.Assert(err, IsNil)
-	notifyFile := os.NewFile(uintptr(sockets[0]), notify.SysPath)
+	notifyFile := os.NewFile(uintptr(sockets[0]), apparmor.NotifySocketPath)
 	kernelSocket := sockets[1]
 
 	restoreOpen := listener.MockOsOpen(func(name string) (*os.File, error) {
-		c.Assert(name, Equals, notify.SysPath)
+		c.Assert(name, Equals, apparmor.NotifySocketPath)
 		return notifyFile, nil
 	})
 	defer restoreOpen()

sandbox/apparmor/notify/notify.go

@@ -4,22 +4,10 @@ package notify
 import (
 	"errors"
 	"fmt"
-	"path/filepath"
 
 	"golang.org/x/sys/unix"
-
-	"github.com/snapcore/snapd/dirs"
-	"github.com/snapcore/snapd/osutil"
 )
 
-var SysPath string
-
-// SupportAvailable returns true if SysPath exists, indicating that apparmor
-// prompting messages may be received from SysPath.
-func SupportAvailable() bool {
-	return osutil.FileExists(SysPath)
-}
-
 var doIoctl = Ioctl
 
 // RegisterFileDescriptor registers a notification socket using the given file
@@ -56,12 +44,3 @@ func RegisterFileDescriptor(fd uintptr) (ProtocolVersion, error) {
 		return protocolVersion, nil
 	}
 }
-
-func setupSysPath(newrootdir string) {
-	SysPath = filepath.Join(newrootdir, "/sys/kernel/security/apparmor/.notify")
-}
-
-func init() {
-	dirs.AddRootDirCallback(setupSysPath)
-	setupSysPath(dirs.GlobalRootDir)
-}

sandbox/apparmor/notify/notify_test.go

@@ -2,8 +2,6 @@ package notify_test
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	. "gopkg.in/check.v1"
@@ -30,25 +28,6 @@ func (s *notifySuite) SetUpTest(c *C) {
 	s.AddCleanup(func() { dirs.SetRootDir("") })
 }
 
-func (*notifySuite) TestSysPathBehavior(c *C) {
-	newRoot := c.MkDir()
-	newSysPath := filepath.Join(newRoot, "/sys/kernel/security/apparmor/.notify")
-	dirs.SetRootDir(newRoot)
-	c.Assert(notify.SysPath, Equals, newSysPath)
-}
-
-func (*notifySuite) TestSupportAvailable(c *C) {
-	newRoot := c.MkDir()
-	dirs.SetRootDir(newRoot)
-	c.Assert(notify.SupportAvailable(), Equals, false)
-	err := os.MkdirAll(filepath.Dir(notify.SysPath), 0755)
-	c.Assert(err, IsNil)
-	c.Assert(notify.SupportAvailable(), Equals, false)
-	_, err = os.Create(notify.SysPath)
-	c.Assert(err, IsNil)
-	c.Assert(notify.SupportAvailable(), Equals, true)
-}
-
 var fakeNotifyVersions = []notify.VersionAndCheck{
 	{
 		Version: 2,

sandbox/apparmor/notify/version.go

@@ -41,7 +41,11 @@
 	// on the notify socket with that version, in which case we'll need to try
 	// the next version in the list.
 	versionLikelySupportedChecks = map[ProtocolVersion]func() bool{
-		3: SupportAvailable,
+		3: func() bool {
+			// If prompting is supported, version 3 is always assumed to be
+			// supported.
+			return true
+		},
 	}
 
 	// versionKnown returns true if the given protocol version is known by