File: //proc/self/root/usr/share/apparmor/extra-profiles/bin.netstat
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# evolution, amongst other things, calls this program. I didn't want to
# give evolution access to significant chunks of /proc
#
abi <abi/3.0>,
include <tunables/global>
profile netstat /{usr/,}bin/netstat {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>
capability dac_override,
capability dac_read_search,
capability sys_ptrace,
ptrace (read),
/{usr/,}bin/netstat rmix,
/etc/networks r,
@{PROC} r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/net r,
@{PROC}/net/* r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pid}/net/netstat r,
@{PROC}/@{pid}/net/raw r,
@{PROC}/@{pid}/net/snmp r,
@{PROC}/@{pid}/net/raw6 r,
@{PROC}/@{pid}/net/tcp r,
@{PROC}/@{pid}/net/tcp6 r,
@{PROC}/@{pid}/net/udp r,
@{PROC}/@{pid}/net/udp6 r,
@{PROC}/@{pid}/net/udplite r,
@{PROC}/@{pid}/net/udplit6 r,
@{PROC}/@{pid}/net/unix r,
}