Diffstat (limited to '')
-rw-r--r--debian/usr.bin.tcpdump71
1 files changed, 71 insertions, 0 deletions
diff --git a/debian/usr.bin.tcpdump b/debian/usr.bin.tcpdump
new file mode 100644
index 0000000..510a5ad
--- /dev/null
+++ b/debian/usr.bin.tcpdump
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+profile tcpdump /usr/bin/tcpdump {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ capability chown,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ /dev/ r,
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/** r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+ /**.[pP][cC][aA][pP][nN][gG] rw,
+ /**.[cC][aA][pP] rw,
+ # -W adds a numerical suffix
+ /**.[pP][cC][aA][pP][0-9]* rw,
+ /**.[pP][cC][aA][pP][nN][gG][0-9]* rw,
+ /**.[cC][aA][pP][0-9]* rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/bin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.tcpdump>
+}
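Review bot: The capture-file rules at `/**.[pP][cC][aA][pP] rw,` and the five sibling patterns below it are anchored at the filesystem root, and together with `capability dac_override,` and `capability chown,` granted earlier in the profile they let the confined process (root until tcpdump drops privileges) create or overwrite a file with a capture suffix under any directory, including system trees such as /etc or /var; the `audit deny @{HOME}/...` rules only narrow the home-directory hierarchy. If that breadth is intended, it should be stated, e.g. a comment above line 71 reading `# NOTE: these patterns are not rooted; combined with dac_override they allow writing *.pcap/*.cap files anywhere, not only under @{HOME}`; if it is not, the write half could be narrowed to `owner` paths or to the capture directories the package actually expects while keeping `r` for the read case. The `# for -F and -w` comment on the @{HOME} block is also slightly misleading, since the rules there govern home-directory access generally (and deny dotfiles), so `# home directory access for -F/-w (dotfiles and ~/bin are denied and audited)` would describe it better. The `ixr` entries for gzip/bzip2 mean the post-rotate helpers inherit this profile, including the broad write rules above, which is worth a short comment so a future reader does not switch them to a transition mode without understanding why inheritance was chosen.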