# vim:syntax=apparmor

abi <abi/4.0>,

include <tunables/global>

/usr/bin/dumpcap {
  include <abstractions/base>
  include <abstractions/nameservice>

  capability net_admin,
  capability net_raw,

  signal (receive) peer=/usr/bin/wireshark,

  # TCP/UDP network access
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

  network raw,
  network packet,

  # for finding an interface
  @{PROC}/@{pid}/net/dev r,
  @{PROC}/sys/net/core/bpf_jit_enable rw,
  /sys/bus/usb/devices/ r,
  /sys/class/net/ r,
  /sys/devices/**/net/* r,

  /usr/bin/dumpcap mr,

  /usr/share/GeoIP/ r,
  /usr/share/GeoIP/** r,

  @{PROC}/@{pid}/net/psched r,

  owner /tmp/*pcap{,ng} rw,
  owner @{HOME}/**pcap{,ng} rw,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.dumpcap>
}