Package: tcpdump
Version: 4.99.1-3ubuntu0.1

I originally reported this as an Ubuntu bug and was redirected here.
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/2024017
As the title says, the stock AppArmor policy for tcpdump does not allow "pcapng" files - such as those produced by Wireshark - to be read. This manifests as an opaque "permission denied" message on the terminal and a log like this in dmesg when doing something like `tcpdump -nr /tmp/test.pcapng`:

```
[239871.151443] audit: type=1400 audit(1686850017.603:206): apparmor="DENIED" operation="open" class="file" profile="tcpdump" name="/tmp/test.pcapng" pid=515786 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

The stock policy /etc/apparmor.d/usr.bin.tcpdump contains these rules (note the lack of pcapng):

```
# for -r, -F and -w
/**.[pP][cC][aA][pP] rw,
/**.[cC][aA][pP] rw,
```

Just for fun, I linked my test file to `/tmp/test.pcap` and tcpdump was able to parse it correctly, so the problem was definitely not an invalid format. I then added a local rule in /etc/apparmor.d/local/usr.bin/tcpdump which allowed tcpdump to read it:

```
/**.[pP][cC][aA][pP][nN][gG] rw,
```

Please find attached a diff with this change for https://salsa.debian.org/rfrancoise/tcpdump/-/blob/master/debian/usr.bin.tcpdump

System info:

$ lsb_release -rd
Description:	Pop!_OS 22.04 LTS
Release:	22.04

$ uname -a
Linux laptop 6.2.6-76060206-generic #202303130630~1685473338~22.04~995127e SMP PREEMPT_DYNAMIC Tue M x86_64 x86_64 x86_64 GNU/Linux

$ apt-cache policy tcpdump
tcpdump:
  Installed: 4.99.1-3ubuntu0.1
  Candidate: 4.99.1-3ubuntu0.1
  Version table:
 *** 4.99.1-3ubuntu0.1 500
        500 http://apt.pop-os.org/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.99.1-3build2 500
        500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages

$ tcpdump --version
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
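To see concretely why the two stock globs miss `/tmp/test.pcapng` while the proposed one catches it (in any letter case), here is an added example that is not part of the bug report, the Debian packaging or libapparmor: a small Python translator from AppArmor path globs to anchored regexes, following the apparmor.d(5) semantics (`*` matches within one path component, `**` also crosses `/`, `?` is one non-`/` character, `[...]` is a character class with `^` for negation, `{a,b}` is alternation; nested braces are not handled). It goes one step beyond the report by also exercising `{...}` alternation, so a single combined rule such as `/**.[pP][cC][aA][pP]{,[nN][gG]} rw,` can be checked the same way. The rule lists and the sample paths are constructed for the demonstration; apparmor_parser remains the authority on what a profile actually permits.

```python
import re

# Constructed rule sets: the two globs from the stock usr.bin.tcpdump profile,
# the one-line addition proposed in the report, and a combined alternative
# suggested here (not in the report) that uses AppArmor brace alternation.
STOCK_RULES = [
    "/**.[pP][cC][aA][pP]",
    "/**.[cC][aA][pP]",
]
PROPOSED_RULE = "/**.[pP][cC][aA][pP][nN][gG]"
COMBINED_RULE = "/**.[pP][cC][aA][pP]{,[nN][gG]}"


def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate one AppArmor path glob into a compiled regex (use fullmatch)."""
    parts = []
    i, n = 0, len(glob)
    while i < n:
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                parts.append(".*")          # '**' crosses directory boundaries
                i += 2
                continue
            parts.append("[^/]*")           # '*' stays within one path component
        elif c == "?":
            parts.append("[^/]")            # exactly one non-'/' character
        elif c == "[":
            j = glob.find("]", i + 1)
            if j == -1:                     # unterminated class: treat '[' literally
                parts.append(re.escape(c))
            else:
                body = glob[i + 1:j]
                negate = body.startswith("^")
                if negate:
                    body = body[1:]
                # keep '-' so ranges like [a-c] survive; escape what would break a class
                body = body.replace("\\", "\\\\").replace("]", "\\]")
                parts.append("[" + ("^" if negate else "") + body + "]")
                i = j + 1
                continue
        elif c == "{":
            j = glob.find("}", i + 1)
            if j == -1:
                parts.append(re.escape(c))
            else:
                # '{a,b}' -> (?:a|b); an empty alternative such as '{,ng}' is valid
                alts = glob[i + 1:j].split(",")
                parts.append("(?:" + "|".join(apparmor_glob_to_regex(a).pattern for a in alts) + ")")
                i = j + 1
                continue
        else:
            parts.append(re.escape(c))      # '.', '/' and everything else are literal
        i += 1
    return re.compile("".join(parts))


def first_matching_rule(path: str, rules: list) -> "str | None":
    """Return the first glob that fully matches `path`, or None (the DENIED case)."""
    for rule in rules:
        if apparmor_glob_to_regex(rule).fullmatch(path):
            return rule
    return None


if __name__ == "__main__":
    # Constructed sample paths, including the one from the dmesg line in the report.
    samples = ["/tmp/test.pcapng", "/tmp/test.pcap", "/home/me/caps/Test.PCAPNG",
               "/tmp/test.pcapng.gz"]
    for label, rules in (("stock", STOCK_RULES),
                         ("stock+proposed", STOCK_RULES + [PROPOSED_RULE]),
                         ("combined", [COMBINED_RULE])):
        for p in samples:
            hit = first_matching_rule(p, rules)
            print(f"{label:15} {p:28} -> {hit or 'DENIED (no rule matches)'}")
```

Running it shows the stock set denying `/tmp/test.pcapng` while allowing the symlinked `/tmp/test.pcap`, exactly as observed, and shows that neither the proposed nor the combined rule covers a compressed `.pcapng.gz`, which is the kind of follow-up question the glob form invites.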
--- usr.bin.tcpdump.orig 2023-06-15 11:01:20.472474816 -0700 +++ usr.bin.tcpdump 2023-06-15 11:01:44.680377905 -0700 @@ -54,6 +54,7 @@ # for -r, -F and -w /**.[pP][cC][aA][pP] rw, + /**.[pP][cC][aA][pP][nN][gG] rw, /**.[cC][aA][pP] rw, # for convenience with -r (ie, read pcap files from other sources)
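Review bot: The added `/**.[pP][cC][aA][pP][nN][gG] rw,` grants write as well as read, but the report only exercises `tcpdump -nr`; the `rw` is inherited from the neighbouring `.pcap`/`.cap` rules under `# for -r, -F and -w` rather than motivated by a `-w` case, so if tcpdump is not expected to produce `.pcapng` output the tighter rule is `r`, and if it is, the commit message should say so. Since the hunk only touches the first block, also check whether the `# for convenience with -r` block that follows lists extensions that need the same `pcapng` variant, otherwise reading from those other locations will still be denied.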