The dmesg output looks like the following:
[112720.972130] audit: type=1400 audit(1585144947.600:71): apparmor="DENIED" operation="exec" profile="/usr/sbin/gpsd" name="/bin/dash" pid=353559 comm="gpsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 [112720.973971] audit: type=1400 audit(1585144947.602:72): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973976] audit: type=1400 audit(1585144947.602:73): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973978] audit: type=1400 audit(1585144947.602:74): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973980] audit: type=1400 audit(1585144947.602:75): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973983] audit: type=1400 audit(1585144947.602:76): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973985] audit: type=1400 audit(1585144947.602:77): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973987] audit: type=1400 audit(1585144947.602:78): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973989] audit: type=1400 audit(1585144947.602:79): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined" [112720.973991] audit: type=1400 audit(1585144947.602:80): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=353555 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
Note that in my case, /etc/gpsd/device-hook is a shell script, starting with
#!/bin/sh
and it would appear that the exec permission gpsd needs is tied to the shell rather than /etc/gpsd/device-hook?
The dmesg output looks like the following:
[112720.972130] audit: type=1400 audit(158514494 7.600:71) : apparmor="DENIED" operation="exec" profile= "/usr/sbin/ gpsd" name="/bin/dash" pid=353559 comm="gpsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 7.602:72) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:73) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:74) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:75) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:76) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:77) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:78) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:79) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined" 7.602:80) : apparmor="DENIED" operation="ptrace" profile= "/usr/sbin/ gpsd" pid=353555 comm="gpsd" requested_ mask="read" denied_mask="read" peer="unconfined"
[112720.973971] audit: type=1400 audit(158514494
[112720.973976] audit: type=1400 audit(158514494
[112720.973978] audit: type=1400 audit(158514494
[112720.973980] audit: type=1400 audit(158514494
[112720.973983] audit: type=1400 audit(158514494
[112720.973985] audit: type=1400 audit(158514494
[112720.973987] audit: type=1400 audit(158514494
[112720.973989] audit: type=1400 audit(158514494
[112720.973991] audit: type=1400 audit(158514494
Note that in my case, /etc/gpsd/ device- hook is a shell script, starting with
#!/bin/sh
and it would appear that the exec permission gpsd needs is tied to the shell rather than /etc/gpsd/ device- hook?