I’ve used my old apparmor profile because it works and added few lines to allow reading and writting to Downloads folder… now i can reaceive and send files but skype is still not allowed to read and write to other folders in the home tree folder structure.
One suggestion… first run skype without apparmor and set up downloading files to the Download foder and make a shortcut to it …because later when you run apparmor profile you wont be able to browse nothing in your home folder unless you’ve set up the thing before and made a shortcut.
#include <tunables/global>
/usr/bin/skype {
#include <abstractions/base>
#include <abstractions/user-tmp>
#include <abstractions/audio>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/kde>
/usr/bin/skype mr,
/opt/skype/skype pix,
/opt/skype/** kmr,
/usr/share/fonts/X11/** m,
@{PROC}/*/net/arp r,
@{PROC}/sys/kernel/ostype r,
@{PROC}/sys/kernel/osrelease r,
/dev/ r,
/dev/tty rw,
/dev/snd/* mrw,
/dev/shm/ r,
/dev/shm/pulse-shm-* mrw,
/etc/pulse/client.conf r,
/dev/pts/* rw,
/dev/video* mrw,
/var/lib/dbus/machine-id r,
@{HOME}/Downloads/* krw,
@{HOME}/Downloads/ krw,
/etc/xdg/Trolltech.conf rk,
/usr/share/locale-langpack/* mr,
/usr/share/glib-2.0/schemas/gschemas.compiled rm,
/sys/devices/system/cpu/cpu0/cpufreq/* r,
@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** krw,
/usr/share/skype/** kmr,
/usr/share/skype/sounds/*.wav kr,
deny @{HOME}/.mozilla/ r, # no idea what it needs there
deny @{PROC}/[0-9]*/fd/ r,
deny @{PROC}/[0-9]*/task/ r,
deny @{PROC}/[0-9]*/task/** r,
}
Eternal Walkabout 
Thanks for this great post!
I tried to adapt your additional security rules to the rules shipped with the apparmor-profiles ubuntu package. But as the rules were different, I’m not sure if I did everything correct, meaning if it is secure like intended without breaking functions.
I would be really interested if you could take the rules of the apparmor-profiles package and show how to customize them to fit the needs in terms of security.
But how can I do that? Where to begin?
Maybe you can just take the rules from the package and then comment out every line you think shouldn’t be in there and add lines you feel missing. Some explanations why you do the changes you do, would be great too. 🙂
Sure this wouldnt take me so much time but I’m not active in Ubuntu community the way i would know where to find these packages and submit changes. I’m pretty busy lately and this would take me too much time just to find what you are talking about. Why you think i’ve created this blog 🙂 Because was more easy for me and I’ve believed that uncle Google will do it’s job 🙂
I’m complicating.. rigth? 😀
Well, as you had such a lot of ubuntu postings, I assumed that you have enough knowledge of ubuntu — at least more than me.
Find the package? apt-get install apparmor-profiles (I wasn’t able to find the file online at launchpad.net [probably looked at the wrong place], otherwise I would have provided a link…) 🙂
I didn’t mean to submit changes to ubuntu (I’m not sure if they would accept it), I just meant another blog post about it. That’s what I think you created the blog for, writing posts. 😀
As you wrote a lot ubuntu posts, I believed you know it — at least better than me. 🙂 To find the package: apt-get install apparmor-profiles (I wasn’t able to find the file at launchpad.net, otherwise I would have provided a link earlier [probably I didn’t looked at the right place]) 🙂 And I didn’t mean that you should submit the changes (I’m even not sure if they were willing to take it), I just thought that you may write another blog post. Cause that’s what I think why you created this blog. 😀
i didnt find anything that would reference to apparmor skype profile in teh apparmor-profiles package … i’ve checked in /etc/apparmor.d where profiles are stored.
The profiles of the apparmor-profiles package are in /usr/share/doc/apparmor-profiles/extras/ don’t know why. I copied it to /etc/apparmor.d/ (as your one didn’t work for me, I couldn’t call [no audio playback was possible] and skype could not load some stuff for his user interface, it was cluttered.)
I’ve checked /usr/share/doc/apparmor-profiles/extras/ and this skype profile is really basic and it’s obvious that can’t work. What I did in my profile is that i’ve used aa-complain mode and looked system log where i saw what exactly does skype need to work. This way i’ve modified my profile. So my profile is actually the profile where I allow skype only the necessary things that are needed that skype is fully functional without additions like themes etc… so i cant comment why exactly some things are necessary for skype as i didnt study them into details. I’ve seen that skype is very crash sensitive if doesn’t have /dev/smh dev/snd etc.. and similar kinds of lines in apparmor profile.
as i can imagine profiles in /usr/share/doc/apparmor-profiles/extras/ are additional profiles you can modify by yourself and then you have to move them to /etc/appamor.d if you want to use them eventually.
try to use your profile in aa-complain instead of aa-enforce mode and watch your system log what is going on.
Thank you so much, I added your profile to my configuration of apparmor.
I just have one question, why the lines:
/ opt / skype / skype pix,
/ opt / skype / ** kmr,
Thank you, Giulio.
Sorry that i couldnt reply sooner… i guess /opt/blablah is for other linux distributions in case that skype would have any files in this folder. As far as i can see in Ubuntu Linux there is nothing useful in /opt/skype folder so this in this case is really trivial.. you can just delete it.
Pingback: Ubuntu:Where could I get the apparmor profile for latest Skype4? – Ubuntu Linux Questions