From 39bb6606a89d411641cafb9b8d44578d64f3fd85 Mon Sep 17 00:00:00 2001
From: Nishit Majithia <nishit.nm@gmail.com>
Date: Sun, 1 Sep 2024 09:42:50 +0530
Subject: [PATCH 1/2] socat: add profile

Signed-off-by: Nishit Majithia <nishit.nm@gmail.com>
---
 profiles/apparmor/profiles/extras/socat | 55 +++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 profiles/apparmor/profiles/extras/socat

diff --git a/profiles/apparmor/profiles/extras/socat b/profiles/apparmor/profiles/extras/socat
new file mode 100644
index 000000000..a2fe55a9f
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/socat
@@ -0,0 +1,55 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2024 Canonical Ltd.
+#
+#    Author: Nishit Majithia (0xnishit)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile socat /usr/bin/socat {
+  include <abstractions/base>
+  include <abstractions/strict-nameservice>
+  include <abstractions/ssl_certs>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+  capability dac_override,
+  capability net_raw,
+  capability net_admin,
+  capability sys_module,
+  capability sys_admin,
+  capability fsetid,
+  capability chown,
+  capability net_bind_service,
+  capability sys_resource,
+
+  # Allow creation of network sockets and `socat` uses dccp for some
+  # fuctionalities that is why it is necessary to allow whole `network`
+  network,
+
+  # Allow executable mapping and read for the binary
+  file mr /usr/bin/socat,
+
+  # Enale /dev/ptmx access for testsuite
+  # file rw /dev/ptmx,
+
+  # TUN/TAP device
+  file rw /dev/net/tun,
+
+  # Process-specific access
+  file rw @{PROC}/@{pid}/fdinfo/[0-9]*,
+  file r @{PROC}/@{pid}/stat,
+
+  # For bi-directional communication between vms and host/hypervisor
+  file r /dev/vsock,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/socat>
+}

From fda39282bdd9a2305edd3fff52a9ad1ad1b3a123 Mon Sep 17 00:00:00 2001
From: Nishit Majithia <nishit.nm@gmail.com>
Date: Mon, 14 Oct 2024 12:28:24 +0530
Subject: [PATCH 2/2] socat: use upstream nameservice-strict

Signed-off-by: Nishit Majithia <nishit.nm@gmail.com>
---
 profiles/apparmor/profiles/extras/socat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/socat b/profiles/apparmor/profiles/extras/socat
index a2fe55a9f..85c579dad 100644
--- a/profiles/apparmor/profiles/extras/socat
+++ b/profiles/apparmor/profiles/extras/socat
@@ -15,7 +15,7 @@ include <tunables/global>
 
 profile socat /usr/bin/socat {
   include <abstractions/base>
-  include <abstractions/strict-nameservice>
+  include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
   include <abstractions/consoles>
 
@@ -37,7 +37,7 @@ profile socat /usr/bin/socat {
   # Allow executable mapping and read for the binary
   file mr /usr/bin/socat,
 
-  # Enale /dev/ptmx access for testsuite
+  # Enable /dev/ptmx access for testsuite
   # file rw /dev/ptmx,
 
   # TUN/TAP device