Package: tcpdump
Version: 4.9.0-2
Severity: wishlist
Tags: patch
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: new-profile

Hi,

the attached (Git) patch series imports the AppArmor profile from
Ubuntu; they have been shipping it since 2009, so it's rather
mature :)

We (the Debian pkg-apparmor team) have been shipping this AppArmor
profile in Debian in the apparmor-profiles-extra package so far: it
was part of the Jessie and Stretch releases. But this -extra package
was always meant to be temporary: once we're confident some AppArmor
policy is mature enough, we prefer it to be included with the software
it confines.

Please note the versioned Breaks/Replaces against
apparmor-profiles-extra: the version in these fields should be the
first one that does not ship /etc/apparmor.d/usr.sbin.tcpdump anymore.
So whenever you choose to upload tcpdump with these patches applied,
please set the version to $current_version_in_sid + 1, or just ask me
and I'll provide updated patches :) And once you've uploaded, I'll
remove usr.sbin.tcpdump from apparmor-profiles-extra and will upload
with the same version as the one in your Breaks/Replaces field.

Once the attached patches are applied, if you ever receive bug reports
about this AppArmor policy, we're ready to help you:

 * you can email us: pkg-apparmor-t...@lists.alioth.debian.org

 * or you can set the relevant usertag on the corresponding bug:
   https://wiki.debian.org/AppArmor/Reportbug#Usertags
   … and we'll get an email notification about it :)

And if you want to test the attached profile yourself, great!
Then these instructions should be helpful:

  https://wiki.debian.org/AppArmor/HowToUse

Let me know if you have any questions.

Cheers,
-- 
intrigeri

From 4aeef2a074b6cebc5a5e7dfe67d71d4849bd1c57 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Fri, 30 Jun 2017 20:22:33 +0000
Subject: [PATCH 1/2] Install AppArmor profile.

Taken from Ubuntu's tcpdump (4.9.0-2ubuntu2), used to be shipped in Debian
in apparmor-profiles-extra <= 1.11.
---
 debian/README.Debian             | 11 +++++++
 debian/control                   |  4 +++
 debian/install                   |  1 +
 debian/patches/man-apparmor.diff | 31 +++++++++++++++++++
 debian/patches/series            |  1 +
 debian/rules                     |  4 +++
 debian/usr.sbin.tcpdump          | 66 ++++++++++++++++++++++++++++++++++++++++
 7 files changed, 118 insertions(+)
 create mode 100644 debian/README.Debian
 create mode 100644 debian/install
 create mode 100644 debian/patches/man-apparmor.diff
 create mode 100644 debian/usr.sbin.tcpdump

diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..7b18ed7
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,11 @@
+Apparmor Profile
+----------------
+
+If your system uses AppArmor, note that the shipped enforcing profile
+works with the default installation, and changes in your configuration may
+require changes to the installed AppArmor profile. Before filing a bug against
+this package, please see:
+
+ * https://wiki.debian.org/AppArmor/Debug
+ * https://wiki.ubuntu.com/DebuggingApparmor
+
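Review bot: The heading on the first added line is spelled "Apparmor Profile", while the body of the same file and the rest of the series write "AppArmor"; make the heading match. The file also ends with an empty added line that can be dropped.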
diff --git a/debian/control b/debian/control
index 18a5683..d5a0201 100644
--- a/debian/control
+++ b/debian/control
@@ -3,6 +3,7 @@ Section: net
 Priority: optional
 Maintainer: Romain Francoise <rfranco...@debian.org>
 Build-Depends: debhelper (>= 8.9.4~),
+               dh-apparmor,
                dh-autoreconf,
                dpkg-dev (>= 1.16.1~),
                libpcap0.8-dev (>= 1.8),
@@ -16,6 +17,9 @@ Package: tcpdump
 Architecture: any
 Depends: ${misc:Depends},
          ${shlibs:Depends}
+Breaks: apparmor-profiles-extra (<< 1.12~)
+Replaces: apparmor-profiles-extra (<< 1.12~)
+Suggests: apparmor (>= 2.3)
 Multi-Arch: foreign
 Description: command-line network traffic analyzer
  This program allows you to dump the traffic on a network. tcpdump
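Review bot: The bound "(<< 1.12~)" in the added Breaks/Replaces lines is hard-coded, and it is only correct if 1.12 is the first apparmor-profiles-extra version that no longer ships /etc/apparmor.d/usr.sbin.tcpdump. The commit message says the profile was shipped in versions <= 1.11, so the value looks consistent, but it should be reconfirmed with the pkg-apparmor team at upload time and both fields changed together if it moves. Without a matching Replaces, installing this package next to an older apparmor-profiles-extra would fail on the file conflict.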
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..dd7dd24
--- /dev/null
+++ b/debian/install
@@ -0,0 +1 @@
+debian/usr.sbin.tcpdump etc/apparmor.d
diff --git a/debian/patches/man-apparmor.diff b/debian/patches/man-apparmor.diff
new file mode 100644
index 0000000..c06a371
--- /dev/null
+++ b/debian/patches/man-apparmor.diff
@@ -0,0 +1,31 @@
+Author: Jamie Strandboge <ja...@canonical.com>
+Description: Update man page to make AppArmor confinement more discoverable
+Forwarded: no (Ubuntu-specific)
+
+=== modified file 'tcpdump.1.in'
+Index: tcpdump-4.8.1/tcpdump.1.in
+===================================================================
+--- tcpdump-4.8.1.orig/tcpdump.1.in
++++ tcpdump-4.8.1/tcpdump.1.in
+@@ -153,7 +153,11 @@
+ analysis, and/or with the
+ .B \-r
+ flag, which causes it to read from a saved packet file rather than to
+-read packets from a network interface.  It can also be run with the
++read packets from a network interface (please note \fItcpdump\fP is
++protected via an enforcing
++.BR apparmor (7)
++profile in Ubuntu which limits the files \fItcpdump\fP may access).
++It can also be run with the
+ .B \-V
+ flag, which causes it to read a list of saved packet files. In all cases,
+ only packets that match
+@@ -1888,7 +1892,7 @@
+ applied a time stamp to the packet.
+ .SH "SEE ALSO"
+ stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
+-pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
++pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@), apparmor(7)
+ .LP
+ .RS
+ .I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
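Review bot: The man page text added in the first inner hunk says tcpdump "is protected via an enforcing apparmor(7) profile in Ubuntu", which is wrong for a Debian package and is stated unconditionally, whereas debian/control only adds "Suggests: apparmor (>= 2.3)" and README.Debian says "If your system uses AppArmor". Reword it for Debian so that it says the profile applies when AppArmor is enabled, and update the "Forwarded: no (Ubuntu-specific)" header to match. The inner patch is also still indexed against tcpdump-4.8.1 while the package is 4.9.0, so check that it applies without fuzz.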
diff --git a/debian/patches/series b/debian/patches/series
index 5594bf0..38d6ecc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 install.diff
 man-section.diff
 platform-quirks.diff
+man-apparmor.diff
diff --git a/debian/rules b/debian/rules
index 52c43a1..ba0a71c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -8,3 +8,7 @@ export DEB_CFLAGS_MAINT_APPEND = -D_FILE_OFFSET_BITS=64
 
 override_dh_auto_configure:
 	dh_auto_configure -- --with-crypto=yes
+
+override_dh_installdeb:
+	dh_apparmor --profile-name=usr.sbin.tcpdump -ptcpdump
+	dh_installdeb
diff --git a/debian/usr.sbin.tcpdump b/debian/usr.sbin.tcpdump
new file mode 100644
index 0000000..ca2a115
--- /dev/null
+++ b/debian/usr.sbin.tcpdump
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Feb  3 07:58:30 2009
+# Author: Jamie Strandboge <ja...@canonical.com>
+#include <tunables/global>
+
+/usr/sbin/tcpdump {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability dac_override,
+  network raw,
+  network packet,
+
+  # for -D
+  capability sys_module,
+  @{PROC}/bus/usb/ r,
+  @{PROC}/bus/usb/** r,
+
+  # for finding an interface
+  @{PROC}/[0-9]*/net/dev r,
+  /sys/bus/usb/devices/ r,
+  /sys/class/net/ r,
+  /sys/devices/**/net/* r,
+
+  # for -j
+  capability net_admin,
+
+  # for tracing USB bus, which libpcap supports
+  /dev/usbmon* r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/** r,
+
+  # for init_etherarray(), with -e
+  /etc/ethers r,
+
+  # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+  /dev/bus/usb/**/[0-9]* w,
+
+  # for -z
+  /{usr/,}bin/gzip ixr,
+  /{usr/,}bin/bzip2 ixr,
+
+  # for -F and -w
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+
+  # for -r, -F and -w
+  /**.[pP][cC][aA][pP] rw,
+
+  # for convenience with -r (ie, read pcap files from other sources)
+  /var/log/snort/*log* r,
+
+  /usr/sbin/tcpdump mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.tcpdump>
+}
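Review bot: The rule "capability sys_module," under "# for -D" grants the confined process the ability to load and unload kernel modules, which is far more than listing interfaces should need and undercuts much of what the profile is meant to contain. Please confirm whether -D still requires it with the current libpcap and drop it if not, or expand the comment to say exactly which operation needs it. Similarly, "/**.[pP][cC][aA][pP] rw," combined with "capability dac_override," allows writing to any path ending in .pcap regardless of file ownership; consider whether write access can be limited to "owner" paths, leaving the global rule read-only for -r. The "Last Modified: Wed Feb  3 07:58:30 2009" header is stale and could be removed rather than carried into a new file.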
-- 
2.13.2

From c95e3b514b1786dc1151444917ecef957c70a7e3 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Fri, 30 Jun 2017 20:26:59 +0000
Subject: [PATCH 2/2] Update debian/changelog

---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 50468e3..e149be8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+tcpdump (4.9.0-3) UNRELEASED; urgency=medium
+
+  * Install AppArmor profile.
+
+ -- intrigeri <intrig...@debian.org>  Fri, 30 Jun 2017 20:26:39 +0000
+
 tcpdump (4.9.0-2) unstable; urgency=medium
 
   * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still
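Review bot: The new entry's single bullet "* Install AppArmor profile." leaves out the other packaging changes made in patch 1/2: the Breaks/Replaces on apparmor-profiles-extra, the new dh-apparmor build dependency, the added Suggests, and the man-apparmor.diff patch. List these as sub-items so that the file takeover from apparmor-profiles-extra is visible in the changelog, and add a Closes: reference to this bug once its number is assigned.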
-- 
2.13.2
