# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/dumpcap
profile dumpcap @{exec_path} {
  include <abstractions/base>

  # To capture packekts
  capability net_raw,
  capability net_admin,

  signal (receive) peer=wireshark,

  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network packet dgram,
  network packet raw,
  network bluetooth raw,

  @{exec_path} mr,

  @{sys}/class/net/ r,
  @{sys}/bus/usb/devices/ r,
  @{sys}/devices/virtual/net/*/type r,
  @{sys}/devices/pci[0-9]*/**/net/*/type r,
  @{sys}/devices/virtual/net/*/statistics/* r,

  @{PROC}/@{pid}/net/dev r,
  @{PROC}/@{pid}/net/psched r,

  /dev/ r,

  # Traffic log files
  owner /tmp/wireshark_*.pcapng rw,
  owner /tmp/*.pcap rw,

  # file_inherit
  owner @{HOME}/.xsession-errors w,
  /usr/share/GeoIP/* r,
  /dev/dri/card[0-9] rw,

  include if exists <local/dumpcap>
}