Merge add tshark profile

- add profile for tshark - sub profile for dumpcap - tested with tests from upstream wireshark project,not all test cases passed but failures unrelated to apparmor restriction MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1384 Approved-by: Ryan Lee <rlee287@yahoo.com> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 00:14:44 +01:00 · 2025-02-07 07:32:33 +00:00 · 2025-02-07 07:32:33 +00:00 · da7288c710
commit da7288c710
parent d8a96615d8 594f391502
1 changed files with 68 additions and 0 deletions
--- a/profiles/apparmor.d/tshark
+++ b/profiles/apparmor.d/tshark
@ -0,0 +1,68 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Shishir Subedi (shishir.subedi@canonical.com)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile tshark /usr/bin/tshark {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/user-tmp>
+
+  capability dac_read_search,
+
+  signal send peer=tshark//dumpcap,
+
+  file Cx /usr/bin/dumpcap -> dumpcap,
+  file mr /usr/bin/tshark,
+  file mrix /usr/lib/@{multiarch}/wireshark/extcap/{,*},
+  file r /usr/share/wireshark/{,**},
+  file r @{PROC}/@{pid}/fd/,
+
+  # for -i sdjournal
+  file r /{var,run}/log/journal/{,**},
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tshark>
+
+  profile dumpcap {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+    include <abstractions/private-files-strict>
+    include <abstractions/user-tmp>
+    include <abstractions/user-write>
+
+    capability net_admin,
+    capability net_raw,
+
+    network packet,
+    network raw,
+    network stream,
+
+    dbus (eavesdrop receive) bus=system,
+
+    signal receive peer=tshark,
+
+    file r /dev/,
+    file r @{PROC}/@{pid}/net/dev,
+    file r @{sys}/devices/{,**},
+    file rw @{sys}/devices/**/statistics/rx_*,
+
+    file r /**.pcap{,ng}{,.gz},
+    owner rw /**.pcap{,ng}{,.gz},
+
+    owner rw @{run}/dbus/system_bus_socket,
+    file mr /usr/bin/dumpcap,
+
+  }
+}