File: usr.sbin.gpsd

package info (click to toggle)
gpsd 3.22-4
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 27,508 kB
  • sloc: ansic: 57,097; xml: 15,491; python: 12,716; cpp: 836; sh: 699; php: 210; makefile: 188; perl: 111; javascript: 26
file content (129 lines) | stat: -rw-r--r-- 3,937 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Canonical Ltd.
# This file is Copyright 2020 by the GPSD project
# SPDX-License-Identifier: BSD-2-clause
#
# This software is distributed under a BSD-style license. See the
# file "COPYING" in the top-level directory of the distribution for details.
#
# Apparmor profiles are meant to cover and allow for the most common use
# cases and that is what this profile tries to cover. Due to the nature of
# the program there are various different use-cases and if you trigger
# apparmor denies (see dmesg and journal) it is recommended to add matching
# local overrides for your use-case. See:
# gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/local/README
# This way your changes do not conflict with further updates of the program.
#
# If you consider this use case common please report a bug upstream so that
# the rule can be added to the default profile.
#
# If instead you are just frustrated and want to get it silenced it is
# recommended to set it to complain mode:
#  $ sudo aa-complain usr.sbin.gpsd
# That way nothing will be blocked anymore, but you will be able to see and
# report the denials of your use case. That way there is a chance to update
# the default profile for it.
# ------------------------------------------------------------------

#include <tunables/global>

/usr/sbin/gpsd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # For shmctl()
  capability ipc_lock,
  capability net_bind_service,
  capability sys_nice,
  capability fsetid,
  capability setgid,
  capability setuid,
  capability sys_resource,

  # for all the remote connection options
  network dgram,
  network stream,
  network bluetooth,
  network can raw,

  # own binary
  /usr/sbin/gpsd rmix,

  # common serial paths to GPS devices
  /dev/tty{,S,USB,AMA,ACM}[0-9]*    rw,
  /sys/dev/char     r,
  /sys/dev/char/**  r,

  # Bluetooth devices, for Bluetooth GNSS receivers
  /dev/rfcomm* rw,
  owner /dev/rfcomm* w,

  # pps related devices
  /dev/pps[0-9]*              rw,
  /sys/devices/virtual/pps    r,
  /sys/devices/virtual/pps/** r,

  # gpsd device to share
  /dev/gpsd[0-9] rw,

  # libusb device access to GPS devices
  /proc/      r,
  /dev/       r,
  /sys/class/ r,
  /sys/bus/   r,
  /dev/bus/usb/ r,
  /sys/bus/usb/devices/ r,
  /sys/devices/pci[0-9]*/**/{uevent,busnum,devnum,speed,descriptors} r,
  /run/udev/data/+usb* r,
  /run/udev/data/c189* r,

  # common config path (by default unused)
  /etc/gpsd/* r,
  # gpsd will call this on device attach/detach allowing for custom handlers
  /bin/dash rix,
  /bin/bash rix,
  /etc/gpsd/device-hook ix,

  # control socket e.g. for gpsdctl
  /{,var/}run/gpsd.sock rw,

  # enumerate own FDs
  @{PROC}/@{pid}/fd/ r,

  # default paths feeding GPS data into chrony
  /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
  /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,

  # for gpsfake:
  /tmp/gpsfake-*.sock rw,

  # logging
  /{,var/}run/systemd/journal/dev-log w,

  # required for pps initialization
  capability sys_time,
  /sys/devices/virtual/pps/ r,

  # to submit data to chrony
  ptrace read peer=/usr/sbin/chronyd,

  # for libusb in case USB based GPS devices are used
  /sys/devices/**/usb[0-9]*/** r,

  # triggered on fusercount, not strictly required and unsafe to allow
  # adding an explicit denial rule silences the warnings
  deny ptrace read peer=unconfined,
  deny capability sys_ptrace,
  deny capability dac_read_search,
  deny capability dac_override,

  # gpsd tries to load pps_ldisc directly, but gpsd doesn't need
  # the general power of cap 'sys_module', pps_ldisc is auto-loaded
  # by the kernel when gpsd is creating the pps device
  deny capability sys_module,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.gpsd>
}
# vim:syntax=apparmor