Merge socat: add profile

Add AA profile for `socat`. This profile has been tested on the latest oracular socat version `1.8.0.0-4build3` and the latest upstream version `1.8.0.1`. I raised the PR and this profile has already been merged on the `roddhjav/apparmor.d` repo, [here](https://github.com/roddhjav/apparmor.d/pull/454). For now, I have added this profile in "extra", but let me know if you think otherwise, any feedback is welcome. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1319 Approved-by: Ryan Lee <rlee287@yahoo.com> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 00:14:44 +01:00 · 2025-02-07 07:22:48 +00:00 · 2025-02-07 07:22:48 +00:00 · 54fc2c2ba1
commit 54fc2c2ba1
parent d01373a748 fda39282bd
1 changed files with 55 additions and 0 deletions
--- a/profiles/apparmor/profiles/extras/socat
+++ b/profiles/apparmor/profiles/extras/socat
@ -0,0 +1,55 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Nishit Majithia (0xnishit)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile socat /usr/bin/socat {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+  capability dac_override,
+  capability net_raw,
+  capability net_admin,
+  capability sys_module,
+  capability sys_admin,
+  capability fsetid,
+  capability chown,
+  capability net_bind_service,
+  capability sys_resource,
+
+  # Allow creation of network sockets and `socat` uses dccp for some
+  # fuctionalities that is why it is necessary to allow whole `network`
+  network,
+
+  # Allow executable mapping and read for the binary
+  file mr /usr/bin/socat,
+
+  # Enable /dev/ptmx access for testsuite
+  # file rw /dev/ptmx,
+
+  # TUN/TAP device
+  file rw /dev/net/tun,
+
+  # Process-specific access
+  file rw @{PROC}/@{pid}/fdinfo/[0-9]*,
+  file r @{PROC}/@{pid}/stat,
+
+  # For bi-directional communication between vms and host/hypervisor
+  file r /dev/vsock,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/socat>
+}