d/control[.in}, d/rules, d/usr.sbin.gpsd, d/gpsd.install: add apparmor profile for gpsd

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2 years ago · 911decd674
--- a/debian/control
+++ b/debian/control
@@ -24,6 +24,7 @@ Build-Depends: debhelper (>= 11),
 scons (>= 2.0.1), chrpath,
 dh-buildinfo,
 dh-python,
 dh-apparmor,
 pps-tools (>= 0.20120406+g0deb9c7e-2~) [linux-any],
 pkg-config
 Standards-Version: 4.2.1
@@ -41,7 +42,7 @@ Depends: netbase | systemd-sysv, lsb-base (>= 3.2-13),
 libgps23 (= ${binary:Version})
 Recommends: udev [linux-any], ${python:Depends}, python
 Breaks: ${gpsd:Breaks}
 Suggests: gpsd-clients, dbus
 Suggests: gpsd-clients, dbus, apparmor
 Conflicts: fso-gpsd
 Multi-Arch: foreign
 Description: Global Positioning System - daemon
--- a/debian/control.in
+++ b/debian/control.in
@@ -24,6 +24,7 @@ Build-Depends: debhelper (>= 11),
 scons (>= 2.0.1), chrpath,
 dh-buildinfo,
 dh-python,
 dh-apparmor,
 pps-tools (>= 0.20120406+g0deb9c7e-2~) [linux-any],
 pkg-config
 Standards-Version: 4.2.1
@@ -41,7 +42,7 @@ Depends: netbase | systemd-sysv, lsb-base (>= 3.2-13),
 libgpsLIBGPSSONAME (= ${binary:Version})
 Recommends: udev [linux-any], ${python:Depends}, python
 Breaks: ${gpsd:Breaks}
 Suggests: gpsd-clients, dbus
 Suggests: gpsd-clients, dbus, apparmor
 Conflicts: fso-gpsd
 Multi-Arch: foreign
 Description: Global Positioning System - daemon
--- a/debian/gpsd.install
+++ b/debian/gpsd.install
@@ -2,3 +2,4 @@ usr/sbin/*
 usr/share/man/man8/*
 lib/systemd/system/*
 usr/bin/ppscheck
 debian/usr.sbin.gpsd /etc/apparmor.d/
--- a/debian/rules
+++ b/debian/rules
@@ -195,6 +195,7 @@ binary: install-stamp
 	dh_installman
 	dh_installmenu
 	dh_systemd_enable -pgpsd
 	dh_apparmor --profile-name=usr.sbin.gpsd -pgpsd
 	dh_installinit
 	dh_systemd_start -pgpsd --restart-after-upgrade
 	dh_installexamples
--- a/debian/usr.sbin.gpsd
+++ b/debian/usr.sbin.gpsd
@@ -0,0 +1,70 @@
 # vim:syntax=apparmor
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2018 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 # ------------------------------------------------------------------

 #include <tunables/global>

 /usr/sbin/gpsd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability ipc_lock,
  capability net_bind_service,
  capability sys_nice,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability sys_resource,

  # for all the remote connection options
  network dgram,
  network stream,

  # common serial paths to GPS devices
  /dev/tty{,S,USB,AMA}[0-9]*    rw,
  /dev/ACM[0-9]*    rw,
  /sys/dev/char     r,
  /sys/dev/char/**  r,

  # pps related devices
  /dev/pps[0-9]*              rw,
  /sys/devices/virtual/pps    r,
  /sys/devices/virtual/pps/** r,

  # gpsd device to share
  /dev/gpsd[0-9] rw,

  # libusb device access to GPS devices
  /proc/      r,
  /dev/       r,
  /sys/class/ r,
  /sys/bus/   r,
  /dev/bus/usb/ r,
  /sys/bus/usb/devices/ r,
  /sys/devices/pci[0-9]*/**/{uevent,busnum,devnum,speed,descriptors} r,
  /run/udev/data/+usb* r,
  /run/udev/data/c189* r,

  # common config path (by default unused)
  /etc/gpsd/* r,

  # enumerate own FDs
  @{PROC}/@{pid}/fd/ r,

  # default paths feeding GPS data into chrony
  /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
  /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,

  # logging
  /{,var/}run/systemd/journal/dev-log w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.gpsd>
 }