# apparmor.d - Full set of apparmor profiles # Copyright (C) 2002-2005 Novell/SUSE # 2018-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include # pcap pcapng @{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]} @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include include include include include include include include include include include include include include include include include signal (send) peer=dumpcap, @{exec_path} mr, @{bin}/dumpcap rPx, @{bin}/xdg-open rCx -> open, # For reading pcaps / r, /tmp/ r, /home/ r, owner @{HOME}/ r, owner @{HOME}/**/ r, @{MOUNTS}/ r, owner @{MOUNTS}/**/ r, owner /{tmp,home,media}/**.@{wireshark_ext}{,.gz} rw, # Wireshark files /usr/share/wireshark/** r, @{lib}/@{multiarch}/wireshark/extcap/* rix, @{lib}/@{multiarch}/wireshark/plugins/*/{codecs,epan,wiretap}/*.so mr, /etc/wireshark/init.lua r, # Wireshark home files owner @{HOME}/.wireshark/{,**} rw, owner @{user_config_dirs}/wireshark/{,**} rw, # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, /usr/share/qt5/translations/*.qm r, deny @{PROC}/sys/kernel/random/boot_id r, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /etc/fstab r, /usr/share/hwdata/pnp.ids r, /usr/share/GeoIP/{,**} r, /dev/shm/#@{int} rw, owner /tmp/wireshark_extcap_ciscodump_[0-9]*_* rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, # file_inherit owner /dev/tty@{int} rw, profile open { include include @{bin}/xdg-open mr, @{bin}/{,ba,da}sh rix, @{bin}/{m,g,}awk rix, @{bin}/readlink rix, @{bin}/basename rix, owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, # Allowed apps to open @{lib}/firefox/firefox rPUx, # file_inherit owner @{HOME}/.xsession-errors w, include if exists } include if exists }