Simon Déziel has proposed merging lp:~sdeziel/apparmor/wireshark-refresh into 
lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~sdeziel/apparmor/wireshark-refresh/+merge/291820

This refreshed profile was tested with Wireshark 2.0.2 (from Xenial). I only 
tested reading from pcaps. No capture testing was done because I feel capturing 
is best done with tcpdump, which is well protected by AppArmor anyway.
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~sdeziel/apparmor/wireshark-refresh into lp:apparmor.
=== modified file 'profiles/apparmor/profiles/extras/usr.bin.wireshark'
--- profiles/apparmor/profiles/extras/usr.bin.wireshark	2010-12-20 20:29:10 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.wireshark	2016-04-13 20:56:30 +0000
@@ -16,29 +16,66 @@
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/consoles>
+  #include <abstractions/dconf>
+  #include <abstractions/dbus-session-strict>
+  #include <abstractions/ibus>
   #include <abstractions/kde>
   #include <abstractions/nameservice>
   #include <abstractions/gnome>
   #include <abstractions/user-write>
   #include <abstractions/X>
 
+  #include <abstractions/dbus-accessibility-strict>
+  dbus (send)
+       bus=session
+       peer=(name=org.a11y.Bus),
+  dbus (receive)
+       bus=session
+       interface=org.a11y.atspi**,
+  dbus (receive, send)
+       bus=accessibility,
+
   capability net_raw,
 
+  # From abstractions/evince
+  deny /run/udev/data/** r,
+
   /etc/ethers r,
-
-  @{HOME}/.wireshark/* rw,
-  @{HOME}/.fonts.cache-* r,
+  /etc/udev/udev.conf r,
+  /etc/wireshark/** r,
+
+  owner @{HOME}/.wireshark/* rw,
+  owner @{HOME}/.config/wireshark/* rw,
+  owner @{HOME}/.config/QtProject.conf rw,
+  owner @{HOME}/.config/QtProject.conf.lock rw,
+  owner @{HOME}/.fonts.cache-* r,
+
+  owner @{HOME}/.config/dconf/user w,
+  owner /{,var/}run/user/*/dconf/user w,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/net/dev r,
+  /sys/devices/pci[0-9]*/**/uevent r,
 
   /etc/pango/pango.modules r,
   /usr/lib/gtk-*/*/loaders/* mr,
-  /usr/share/* r,
-  /usr/share/icons/** r,
+  /usr/share/icons/   r,
+  /usr/share/icons/** rk,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/mime/* r,
   /usr/lib/firefox/firefox.sh rPx,
   /usr/bin/wireshark mixr,
-  /usr/share/icons r,
   /usr/share/mime/* r,
   /usr/share/snmp/mibs r,
   /usr/share/snmp/mibs/* r,
   /usr/share/snmp/mibs/.index rw,
+  /usr/share/wireshark/** r,
+  /usr/share/GeoIP/ r,
+  /usr/share/GeoIP/** r,
+  /usr/lib/@{multiarch}/wireshark/extcap/* ix,
+  /usr/lib/@{multiarch}/wireshark/plugins/**/   r,
+  /usr/lib/@{multiarch}/wireshark/plugins/**.so mr,
+
+  # for reading pcaps
+  /**.pcap r,
 }
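Review bot: The new `/**.pcap r,` rule at the end of the hunk is the only added rule over user data that is not `owner`-qualified, so the confined process may read any file ending in `.pcap` anywhere on the filesystem that DAC permits, not only the user's own captures. Because the dissectors parse untrusted capture data, I would narrow it to `owner /**.pcap r,`, and add a separate directory-scoped rule if captures written by another account (for example by tcpdump) must be opened. The glob also does not match `.pcapng`, which Wireshark 2.x presumably reads and writes as well; `owner /**.{pcap,pcapng} r,` would cover both. The profile's opening line is outside this hunk, so its name and flags could not be checked here.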
