# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2017 Christian Boltz
# Copyright (C) 2018-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/netstat
@{att} = ""
profile netstat /{,usr/}bin/netstat flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability sys_ptrace,
  capability syslog,

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,

  ptrace (trace,read),

  @{exec_path} rmix,

  /etc/networks r,

        @{PROC} r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/fd/ r,
        @{PROC}/@{pids}/net/dev r,
        @{PROC}/@{pids}/net/netstat r,
        @{PROC}/@{pids}/net/raw r,
        @{PROC}/@{pids}/net/raw6 r,
        @{PROC}/@{pids}/net/snmp r,
        @{PROC}/@{pids}/net/tcp r,
        @{PROC}/@{pids}/net/tcp6 r,
        @{PROC}/@{pids}/net/udp r,
        @{PROC}/@{pids}/net/udp6 r,
        @{PROC}/@{pids}/net/udplite r,
        @{PROC}/@{pids}/net/udplite6 r,
        @{PROC}/@{pids}/net/unix r,
        @{PROC}/net r,
        @{PROC}/net/* r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
  owner @{PROC}/@{pid}/attr/current r,

  include if exists <local/netstat>
}

# vim:syntax=apparmor
