maybe chmod 0644 'apparmor.d/local/usr.lib.telepathy'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.gpsd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ntpd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
maybe chmod 0644 'apparmor.d/usr.lib.telepathy'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
+maybe chmod 0644 'apparmor.d/usr.sbin.gpsd'
maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd'
maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/usr.sbin.ntpd'
maybe chmod 0644 'default/dump1090-mutability'
maybe chmod 0644 'default/fwlogwatch'
maybe chmod 0644 'default/google-chrome'
+maybe chmod 0644 'default/gpsd'
maybe chmod 0644 'default/grub'
maybe chmod 0755 'default/grub.d'
maybe chmod 0644 'default/grub.d/init-select.cfg'
--- /dev/null
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Canonical Ltd.
+#
+# This software is distributed under a BSD-style license. See the
+# file "COPYING" in the top-level directory of the distribution for details.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/gpsd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability ipc_lock,
+ capability net_bind_service,
+ capability sys_nice,
+ capability fsetid,
+ capability setgid,
+ capability setuid,
+ capability sys_resource,
+
+ # for all the remote connection options
+ network dgram,
+ network stream,
+
+ # own binary
+ /usr/sbin/gpsd rmix,
+
+ # common serial paths to GPS devices
+ /dev/tty{,S,USB,AMA,ACM}[0-9]* rw,
+ /sys/dev/char r,
+ /sys/dev/char/** r,
+
+ # pps related devices
+ /dev/pps[0-9]* rw,
+ /sys/devices/virtual/pps r,
+ /sys/devices/virtual/pps/** r,
+
+ # gpsd device to share
+ /dev/gpsd[0-9] rw,
+
+ # libusb device access to GPS devices
+ /proc/ r,
+ /dev/ r,
+ /sys/class/ r,
+ /sys/bus/ r,
+ /dev/bus/usb/ r,
+ /sys/bus/usb/devices/ r,
+ /sys/devices/pci[0-9]*/**/{uevent,busnum,devnum,speed,descriptors} r,
+ /run/udev/data/+usb* r,
+ /run/udev/data/c189* r,
+
+ # common config path (by default unused)
+ /etc/gpsd/* r,
+ # gpsd will call this on device attach/detach allowing for custom handlers
+ /bin/dash rix,
+ /bin/bash rix,
+ /etc/gpsd/device-hook ix,
+
+ # control socket e.g. for gpsdctl
+ /{,var/}run/gpsd.sock rw,
+
+ # enumerate own FDs
+ @{PROC}/@{pid}/fd/ r,
+
+ # default paths feeding GPS data into chrony
+ /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
+ /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
+
+ # logging
+ /{,var/}run/systemd/journal/dev-log w,
+
+ # required for pps initialization
+ capability sys_time,
+ /sys/devices/virtual/pps/ r,
+
+ # to submit data to chrony
+ ptrace read peer=/usr/sbin/chronyd,
+
+ # for libusb in case USB based GPS devices are used
+ /sys/devices/**/usb[0-9]*/** r,
+
+ # triggered on fusercount, not strictly required and unsafe to allow
+ # adding an explicit denial rule silences the warnings
+ deny ptrace read peer=unconfined,
+ deny capability sys_ptrace,
+ deny capability dac_read_search,
+ deny capability dac_override,
+
+ # gpsd tries to load pps_ldisc directly, but gpsd doesn't need
+ # the general power of cap 'sys_module', pps_ldisc is auto-loaded
+ # by the kernel when gpsd is creating the pps device
+ deny capability sys_module,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.gpsd>
+}
projects / zenbook / commitdiff