# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Canonical Ltd.
#
# This software is distributed under a BSD-style license. See the
# file "COPYING" in the top-level directory of the distribution for details.
#
# ------------------------------------------------------------------
#
# AppArmor profile confining the gpsd daemon (/usr/sbin/gpsd).
# Every rule is an allow rule unless prefixed with 'deny'; deny rules win
# over allow rules no matter where they appear in the profile.
# @{PROC} and @{pid} are variables provided by the tunables included below.
#include <tunables/global>
# attach_disconnected: paths whose mount point is no longer visible in the
# process's namespace are mediated as if attached to the profile's root
# instead of being refused outright.
/usr/sbin/gpsd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
# Capabilities retained by the daemon. Each one is a separate privilege, so
# this list is the part of the profile most worth re-checking when gpsd's
# start-up code changes.
# ipc_lock: mlock()/mlockall(); presumably to pin the daemon's pages -- confirm
capability ipc_lock,
# net_bind_service: bind to ports below 1024.
# NOTE(review): gpsd's default listening port (2947) is unprivileged, so
# confirm this is still required before keeping it.
capability net_bind_service,
# sys_nice: raise scheduling priority / use realtime scheduling
capability sys_nice,
# fsetid: keep set-id bits when modifying a file
capability fsetid,
# setgid/setuid: presumably for dropping to an unprivileged user and group
# after start-up -- confirm against gpsd's privilege-drop code
capability setgid,
capability setuid,
# sys_resource: override resource limits
capability sys_resource,
# for all the remote connection options
network dgram,
network stream,
# own binary (r: read, m: map executable, ix: execute inheriting this profile)
/usr/sbin/gpsd rmix,
# common serial paths to GPS devices
# NOTE(review): the empty alternative in {,S,USB,AMA,ACM} makes this rule
# also match /dev/tty[0-9]*, i.e. the virtual consoles, not only serial
# ports. Dropping the empty alternative would be tighter if no deployment
# points gpsd at a bare /dev/ttyN -- confirm before changing.
/dev/tty{,S,USB,AMA,ACM}[0-9]* rw,
/sys/dev/char r,
/sys/dev/char/** r,
# pps related devices
/dev/pps[0-9]* rw,
/sys/devices/virtual/pps r,
/sys/devices/virtual/pps/** r,
# gpsd device to share (single digit only: /dev/gpsd0 .. /dev/gpsd9)
/dev/gpsd[0-9] rw,
# libusb device access to GPS devices: directory listings plus the sysfs
# attributes and udev database records read during USB enumeration
# (c189* = udev records for character major 189, the USB device nodes)
/proc/ r,
/dev/ r,
/sys/class/ r,
/sys/bus/ r,
/dev/bus/usb/ r,
/sys/bus/usb/devices/ r,
/sys/devices/pci[0-9]*/**/{uevent,busnum,devnum,speed,descriptors} r,
/run/udev/data/+usb* r,
/run/udev/data/c189* r,
# common config path (by default unused)
/etc/gpsd/* r,
# gpsd will call this on device attach/detach allowing for custom handlers.
# 'ix' runs the shell and the hook inside this same profile: the hook cannot
# gain anything gpsd itself lacks, but it is not confined any further either.
/bin/dash rix,
/bin/bash rix,
/etc/gpsd/device-hook ix,
# control socket e.g. for gpsdctl
/{,var/}run/{,gpsd/}gpsd.sock rw,
# pid file
/{,var/}run/{,gpsd/}gpsd.pid rw,
# enumerate own FDs
@{PROC}/@{pid}/fd/ r,
# default paths feeding GPS data into chrony
/{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
/tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
# logging (the syslog socket provided by journald)
/{,var/}run/systemd/journal/dev-log w,
# required for pps initialization
capability sys_time,
/sys/devices/virtual/pps/ r,
# to submit data to chrony
# 'read' only permits introspecting chronyd (e.g. its /proc entries); it does
# not allow attaching to or tracing the process.
ptrace read peer=/usr/sbin/chronyd,
# for libusb in case USB based GPS devices are used
/sys/devices/**/usb[0-9]*/** r,
# triggered on fusercount, not strictly required and unsafe to allow
# adding an explicit denial rule silences the warnings
# (these accesses are refused either way; an explicit deny is quiet by
# default, so it only stops the audit log noise)
deny ptrace read peer=unconfined,
deny capability sys_ptrace,
deny capability dac_read_search,
deny capability dac_override,
# gpsd tries to load pps_ldisc directly, but gpsd doesn't need
# the general power of cap 'sys_module', pps_ldisc is auto-loaded
# by the kernel when gpsd is creating the pps device
deny capability sys_module,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.gpsd>
}