package
0.0.0-20250312152250-ea85ec9d2454
Repository: https://github.com/snapcore/snapd.git
Documentation: pkg.go.dev

# Packages

Package notify implements high-level notify interface to a subset of AppArmor features.

# Functions

AppArmorParser returns an exec.Cmd for the apparmor_parser binary, and a boolean to indicate whether this is internal to snapd (i.e. it is provided by snapd).
No description provided by the author
GenerateAAREExclusionPatterns generates a series of valid AppArmor regular expression negation rules such that anything except the specific excludePatterns will match with the specified prefix and suffix rules.
InsertAAREExclusionPatterns replaces a ###EXCL{<pref>,<suf>}### snippet with matching prefix and comma separated suffixes with a set of rules generated by GenerateAAREExclusionPatterns.
KernelFeatures returns a sorted list of apparmor features like []string{"dbus", "network"}.
LoadedProfiles interrogates the kernel and returns a list of loaded apparmor profiles.
MockAppArmorFeatures makes the system believe it has certain kernel and parser features.
No description provided by the author
MockAppArmorLevel makes the system believe it has certain level of apparmor support.
No description provided by the author
ParserFeatures returns a sorted list of apparmor parser features like []string{"unsafe", ...}.
ParserMtime returns the mtime of the AppArmor parser, else 0.
ProbedLevel quantifies how well apparmor is supported on the current kernel.
PromptingSupported returns true if prompting is supported by the system.
PromptingSupportedByFeatures returns whether prompting is supported by the given AppArmor kernel and parser features, and by the presence of the kernel notification socket.
ReloadAllSnapProfiles reloads the AppArmor profiles of all installed snaps, as well as that of snap-confine.
Remove any of the AppArmor profiles in names from the AppArmor cache in cacheDir.
RemoveSnapConfineSnippets clears out any previously written apparmor snippets for snap-confine.
SetupSnapConfineSnippets inspects the system and sets up local apparmor policy for snap-confine.
No description provided by the author
Summary describes how well apparmor is supported on the current kernel.
UpdateHomedirsTunable sets the AppArmor HOMEDIRS tunable to the list of the specified directories.
ValidateNoAppArmorRegexp will check that the given string does not contain AppArmor regular expressions (AARE), double quotes or \0.

# Constants

ConserveCPU tells apparmor_parser to spare up to two CPUs on multi-core systems to reduce load when processing many profiles at once.
Full indicates that all features are supported.
Partial indicates that apparmor is enabled but some features are missing.
SkipKernelLoad tells apparmor_parser not to load profiles into the kernel.
SkipReadCache causes apparmor_parser to be invoked with --skip-read-cache.
Unknown indicates that apparmor was not probed yet.
Unsupported indicates that apparmor is not enabled.
Unusable indicates that apparmor is enabled but cannot be used.

# Variables

CacheDir is the path to the cache directory for AppArmor.
ConfDir is the path to the directory holding AppArmor configuration.
LoadProfiles loads apparmor profiles from the given files.
NotifySocketPath is the path to the socket over which listeners can communicate with AppArmor in the kernel.
OverlayRootSnippet contains the extra permissions necessary for snap and snap-confine to operate on systems where '/' is a writable overlay fs.
RemoteFSSnippet contains extra permissions necessary for snaps and snap-confine to operate when a remote file system, like NFS, is used.
SnapConfineAppArmorDir is the path to the AppArmor snap confine directory.
SnapConfineDistroProfilePath returns the path to the AppArmor profile of the snap-confine binary shipped by the distribution package.
SystemCacheDir is the path to the system cache directory for AppArmor, which may or may not be different from CacheDir.

# Structs

No description provided by the author
FeaturesSupported contains information about supported AppArmor kernel and parser features.

# Type aliases

No description provided by the author
LevelType encodes the kind of support for apparmor found on this system.