This is something what didn’t allow me to sleep π Finally I’ve figured out how to make apparmor profile to encapsulate closed source Skype application in Ubuntu Linux.
You have to create usr.bin.skype file in /etc/apparmor.d/ directory… and then copy&paste following content in this file.
At the end do: sudo aa-enforce skype
That’s it π
——————————————————-
#include <tunables/global>
/usr/bin/skype {
#include <abstractions/base>
#include <abstractions/user-tmp>
#include <abstractions/audio>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/kde>
/usr/bin/skype mr,
/opt/skype/skype pix,
/opt/skype/** kmr,
/usr/share/fonts/X11/** m,
@{PROC}/*/net/arp r,
@{PROC}/sys/kernel/ostype r,
@{PROC}/sys/kernel/osrelease r,
/dev/ r,
/dev/tty rw,
/dev/snd/* mrw,
/dev/shm/ r,
/dev/shm/pulse-shm-* mrw,
/etc/pulse/client.conf r,
/dev/pts/* rw,
/dev/video* mrw,
@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** krw,
/usr/share/skype/** kmr,
/usr/share/skype/sounds/*.wav kr,
deny @{HOME}/.mozilla/ r,
deny @{PROC}/[0-9]*/fd/ r,
deny @{PROC}/[0-9]*/task/ r,
deny @{PROC}/[0-9]*/task/** r,
}
————————
For me this apparmor profile works perfectly in Ubuntu 11.10 with latest Skype 2.2.0.35
Reason for writting this post is because I was searching whole internet but i didnt find profile that would work with skype… so i’ve created it by myself with mixture of other profiles.
Is also good to know that with this profile you won’t be able to receive or send files by Skype as profile doesn’t allow read/write access.
Eternal Walkabout 
This isn’t working with Skype4. π¦ I have tried myself configuring one but no success.
I haven’t try skype 4 yet… but you could try to configure your apparmor profile by yourself…
First aa-complain skype and you will see if it’s working… at the same time check kernel log or system log file for messages and notice what kind of things does skype needs to work… change your profile and aa-enforce skype … sure you know already all this otherwise you wouldnt bother with apparmor π
Anyway.. i will update my profile because with old profile i’ve had problems with pulseaudio … when skype was running i wasnt able to hear sound from skype if any other app was using pulseaudio at same time.. well.. now it’s fixed π
cheers
I’ve managed to do this profile:
http://pastebin.com/b1dicunW
I’ve checked it and I think it’s good. Does it work also for Skype 4 ?
Maybe would be good to open discussion about that on ubuntu forums. Long ago I saw that somebody have been asking about skype apparmor profile but nobody replied. If I would find this post I would reply there.
I’ve tried my old apparmor profile with new skype 4 from ubuntu repository. it works same as before without issues. thing is that skype hasn’t change that much and its obvious that old profile should work.
My Skype crashed seconds after I logged in into it using the old profile.
I’m not using Ubuntu, but it works for Skype4 in ArchLinux. If you can link me the thread, I’ll post the link to the profile there.
Well then… it could be also posted to archlinux forum .. Google will find it anyway π
For example here is wiki page for apparmor skype for archlinux … can you post it here please? https://wiki.archlinux.org/index.php/Skype
For skype 4 in ubuntu 12.04
#include
/usr/bin/skype {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
deny /etc/group m,
deny /etc/passwd r,
deny /proc/sys/kernel/osrelease r,
deny /proc/sys/kernel/ostype r,
deny @{HOME}/.mozilla/ r,
deny @{HOME}/.mozilla/*/ r,
deny @{HOME}/.mozilla/*/*/ r,
deny @{HOME}/.mozilla/*/*/bookmarkbackups/ r,
deny @{HOME}/.mozilla/*/*/chrome/ r,
deny @{HOME}/.mozilla/*/*/extensions/ r,
deny @{HOME}/.mozilla/*/*/prefs.js r,
/dev/ r,
/dev/shm/pulse* mrw,
/dev/video* mrw,
/etc/ssl/certs/ r,
/etc/ssl/certs/** r,
/etc/xdg/Trolltech.conf rk,
/proc/*/cmdline r,
/proc/*/fd/ r,
/proc/*/net/arp r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# /usr/bin/pulseaudio px -> usr.bin.skype,
/usr/bin/pulseaudio mrw,
/usr/bin/skype mr,
/usr/lib/pango/*.so mr,
/usr/lib{,32,64}/** mr,
/usr/share/ca-certificates/** mr,
/usr/share/fonts/** mr,
/usr/share/skype/** mrk,
/usr/share/skype/sounds/*.wav rk,
/var/cache/libx11/compose/* r,
owner /{run,dev}/shm/pulse-shm* rwk,
/{run,dev}/shm/pulse-shm* m,
@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** rwk,
@{HOME}/.config/* rk,
@{HOME}/.kde/share/config/kioslaverc r,
}