apparmor policy for tcpdump does not allow reading of "pcapng" files
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tcpdump (Debian) | Fix Released | Unknown | | |
tcpdump (Ubuntu) | Fix Released | Low | Andreas Hasenack | |
Bug Description
As the title says, the stock apparmor policy for tcpdump does not allow "pcapng" files - such as those produced by wireshark - to be read. This manifests as an opaque "permission denied" message on the terminal and a log like this in dmesg:
`[239871.151443] audit: type=1400 audit(168685001
The stock policy /etc/apparmor.
```
# for -r, -F and -w
/**.[
/**.[cC][aA][pP] rw,
```
Just for fun, I linked my test file to `/tmp/test.pcap` and tcpdump was able to parse it correctly, so the problem was definitely not an invalid format.
I then added a local rule in /etc/apparmor.
```
/**.[pP]
```
System info:
```
$ lsb_release -rd
Description: Pop!_OS 22.04 LTS
Release: 22.04
$ apt-cache policy tcpdump
tcpdump:
  Installed: 4.99.1-3ubuntu0.1
  Candidate: 4.99.1-3ubuntu0.1
  Version table:
 *** 4.99.1-3ubuntu0.1 500
        500 http://
        100 /var/lib/
     4.99.1-3build2 500
        500 http://
```
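Why extension globs of this kind miss `.pcapng`, as an added example that is not part of the original report or of the tcpdump profile: a simplified Python model of AppArmor path globbing (allow rules only; no deny rules, owner qualifiers or variables). The `.pcap` rule and the candidate `.pcapng` rule are constructed for illustration, because the corresponding lines on this page are truncated, and the paths are sample values.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a Python regex (used with fullmatch)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")             # ** may cross '/' boundaries
            i += 1
        elif c == "*":
            out.append("[^/]*")          # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])  # character classes carry over as-is
            i = end
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")              # comma separates {a,b} alternatives
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def allows(rules, path, access):
    """True if any 'GLOB PERMS,' file rule grants `access` (e.g. 'r') on `path`."""
    for rule in rules:
        glob, perms = rule.strip().rstrip(",").split()
        if access in perms and re.fullmatch(aa_glob_to_regex(glob), path, re.DOTALL):
            return True
    return False

PROFILE = [
    "/**.[pP][cC][aA][pP] rw,",  # constructed stand-in: this line is truncated on the page
    "/**.[cC][aA][pP] rw,",      # as shown in the bug report
]
# Constructed candidate for a local override; not the reporter's rule or the released fix.
CANDIDATE = "/**.[pP][cC][aA][pP][nN][gG] r,"

if __name__ == "__main__":
    for path in ("/tmp/test.pcap", "/tmp/test.pcapng", "/tmp/test.cap"):  # constructed paths
        print(path, "stock:", allows(PROFILE, path, "r"),
              "with candidate:", allows(PROFILE + [CANDIDATE], path, "r"))
```

The glob has no trailing wildcard, so the extension must end the path exactly; a rule for `.pcap` therefore never covers `.pcapng`, and a read-only candidate keeps write access denied for the new extension.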
Changed in tcpdump (Debian): status: Unknown → New

Changed in tcpdump (Debian): status: New → Fix Committed

Changed in tcpdump (Debian): status: Fix Committed → Fix Released
The attachment "Proposed addition to the apparmor policy" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]