Skype 4.0 on Ubuntu 12.04 – apparmor

I’ve used my old AppArmor profile because it works, and added a few lines to allow reading and writing to the Downloads folder. Now I can receive and send files, but Skype is still not allowed to read and write to other folders in the home folder tree.

One suggestion: first run Skype without AppArmor, set up downloading files to the Downloads folder, and make a shortcut to it, because later, when you run with the AppArmor profile, you won’t be able to browse anything in your home folder unless you’ve set this up beforehand and made a shortcut.

 

#include <tunables/global>

/usr/bin/skype {

    #include <abstractions/base>
    #include <abstractions/user-tmp>
    #include <abstractions/audio>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>
    #include <abstractions/fonts>
    #include <abstractions/X>
    #include <abstractions/freedesktop.org>
    #include <abstractions/kde>

    /usr/bin/skype mr,
    /opt/skype/skype pix,
    /opt/skype/** kmr,
    /usr/share/fonts/X11/** m,

    @{PROC}/*/net/arp r,
    @{PROC}/sys/kernel/ostype r,
    @{PROC}/sys/kernel/osrelease r,

    /dev/ r,
    /dev/tty rw,
    /dev/snd/* mrw,
    /dev/shm/ r,
    /dev/shm/pulse-shm-* mrw,
    /etc/pulse/client.conf r,
    /dev/pts/* rw,
    /dev/video* mrw,
    /var/lib/dbus/machine-id r,
    @{HOME}/Downloads/* krw,
    @{HOME}/Downloads/ krw,

    /etc/xdg/Trolltech.conf rk,
    /usr/share/locale-langpack/* mr,
    /usr/share/glib-2.0/schemas/gschemas.compiled rm,
    /sys/devices/system/cpu/cpu0/cpufreq/* r,

    @{HOME}/.Skype/ rw,
    @{HOME}/.Skype/** krw,
    /usr/share/skype/** kmr,
    /usr/share/skype/sounds/*.wav kr,

    deny @{HOME}/.mozilla/ r, # no idea what it needs there
    deny @{PROC}/[0-9]*/fd/ r,
    deny @{PROC}/[0-9]*/task/ r,
    deny @{PROC}/[0-9]*/task/** r,

}
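An added example (not part of the original post): a simplified Python model of how the home-directory rules in the profile above match paths, showing why files directly in Downloads are writable while subfolders and the rest of the home tree are not. The home directory /home/alice and the helper names are assumptions, and only the glob forms used in these rules are handled.

```python
import re

# Assumption: @{HOME} is expanded to one constructed home directory for the demo.
VARS = {"@{HOME}": "/home/alice"}

# Home-directory rules copied from the profile: (is_deny, path glob, permissions).
# Directory paths are written with a trailing '/', as in the profile.
RULES = [
    (False, "@{HOME}/Downloads/*", "krw"),
    (False, "@{HOME}/Downloads/", "krw"),
    (False, "@{HOME}/.Skype/", "rw"),
    (False, "@{HOME}/.Skype/**", "krw"),
    (True, "@{HOME}/.mozilla/", "r"),
]

def glob_to_regex(glob):
    """Simplified translation: '**' crosses '/', while '*' and '?' do not."""
    for name, value in VARS.items():
        glob = glob.replace(name, value)
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile(out + r"\Z")

def allowed(path, perm):
    """True if an allow rule grants perm on path and no deny rule covers it."""
    granted = False
    for is_deny, glob, perms in RULES:
        if perm in perms and glob_to_regex(glob).match(path):
            if is_deny:
                return False  # a matching deny rule overrides any allow rule
            granted = True
    return granted  # no matching allow rule means the access is refused

if __name__ == "__main__":
    for p in ("/home/alice/Downloads/photo.jpg",
              "/home/alice/Downloads/sub/photo.jpg",
              "/home/alice/Documents/report.odt"):
        print(p, "write allowed:", allowed(p, "w"))
```

To let transfers reach subfolders of Downloads as well, the rule would need `**` instead of `*`, at the cost of a wider write surface.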

New AppArmor profile for Skype in Ubuntu 12.04. Before, I had some issues with PulseAudio; now it’s fixed. I didn’t manage to test the new Skype 4 for Linux, so it’s not certain that this profile will work with it.

—————

#include <tunables/global>

/usr/bin/skype {

#include <abstractions/base>
#include <abstractions/user-tmp>
#include <abstractions/audio>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/kde>

/usr/bin/skype mr,
/opt/skype/skype pix,
/opt/skype/** kmr,
/usr/share/fonts/X11/** m,

@{PROC}/*/net/arp r,
@{PROC}/sys/kernel/ostype r,
@{PROC}/sys/kernel/osrelease r,

/dev/ r,
/dev/tty rw,
/dev/snd/* mrw,
/dev/shm/ r,
/dev/shm/pulse-shm-* mrw,
/etc/pulse/client.conf r,
/run/shm/pulse-shm-* mrw,
/dev/pts/* rw,
/dev/video* mrw,
/etc/group m,
/sys/devices/system/cpu/ r,
/var/lib/dbus/machine-id r,  # without this, Skype doesn't work normally with PulseAudio

/etc/xdg/Trolltech.conf rk,
/usr/share/locale-langpack/* mr,
/usr/share/glib-2.0/schemas/gschemas.compiled rm,
/sys/devices/system/cpu/cpu0/cpufreq/* r,

@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** krw,
/usr/share/skype/** kmr,
/usr/share/skype/sounds/*.wav kr,

deny @{HOME}/.mozilla/ r, # no idea what it needs there
deny @{PROC}/[0-9]*/fd/ r,
deny @{PROC}/[0-9]*/task/ r,
deny @{PROC}/[0-9]*/task/** r,

}

Ubuntu 12.04 Skype apparmor profile

I had to improve the AppArmor profile for Skype because there were some issues and Skype didn’t want to start. If you compare the old and new profiles, you’ll see that I’ve added only a few lines, which only allow reading a few configuration files. I should also say that on 64-bit Ubuntu there were no issues; the problem was on 32-bit Ubuntu. But now everything works fine again. I hope this will be helpful for you.

#include <tunables/global>

/usr/bin/skype {

    #include <abstractions/base>
    #include <abstractions/user-tmp>
    #include <abstractions/audio>
    #include <abstractions/nameservice>
    #include <abstractions/ssl_certs>
    #include <abstractions/fonts>
    #include <abstractions/X>
    #include <abstractions/freedesktop.org>
    #include <abstractions/kde>

    /usr/bin/skype mr,
    /opt/skype/skype pix,
    /opt/skype/** kmr,
    /usr/share/fonts/X11/** m,

    @{PROC}/*/net/arp r,
    @{PROC}/sys/kernel/ostype r,
    @{PROC}/sys/kernel/osrelease r,

    /dev/ r,
    /dev/tty rw,
    /dev/snd/* mrw,
    /dev/shm/ r,
    /dev/shm/pulse-shm-* mrw,
    /etc/pulse/client.conf r,
    /dev/pts/* rw,
    /dev/video* mrw,

    /etc/xdg/Trolltech.conf rk,
    /usr/share/locale-langpack/* mr,
    /usr/share/glib-2.0/schemas/gschemas.compiled rm,
    /sys/devices/system/cpu/cpu0/cpufreq/* r,

    @{HOME}/.Skype/ rw,
    @{HOME}/.Skype/** krw,
    /usr/share/skype/** kmr,
    /usr/share/skype/sounds/*.wav kr,

    deny @{HOME}/.mozilla/ r, # no idea what it needs there
    deny @{PROC}/[0-9]*/fd/ r,
    deny @{PROC}/[0-9]*/task/ r,
    deny @{PROC}/[0-9]*/task/** r,

}

 

Ubuntu 11.10 Skype apparmor profile

This is something that didn’t let me sleep 🙂 Finally I’ve figured out how to make an AppArmor profile to encapsulate the closed-source Skype application in Ubuntu Linux.

You have to create a usr.bin.skype file in the /etc/apparmor.d/ directory, and then copy and paste the following content into this file.

At the end, run: sudo aa-enforce skype

That’s it 🙂

——————————————————-

#include <tunables/global>

/usr/bin/skype {

#include <abstractions/base>
#include <abstractions/user-tmp>
#include <abstractions/audio>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/fonts>
#include <abstractions/X>
#include <abstractions/freedesktop.org>
#include <abstractions/kde>

/usr/bin/skype mr,
/opt/skype/skype pix,
/opt/skype/** kmr,
/usr/share/fonts/X11/** m,

@{PROC}/*/net/arp r,
@{PROC}/sys/kernel/ostype r,
@{PROC}/sys/kernel/osrelease r,

/dev/ r,
/dev/tty rw,
/dev/snd/* mrw,
/dev/shm/ r,
/dev/shm/pulse-shm-* mrw,
/etc/pulse/client.conf r,
/dev/pts/* rw,
/dev/video* mrw,

@{HOME}/.Skype/ rw,
@{HOME}/.Skype/** krw,
/usr/share/skype/** kmr,
/usr/share/skype/sounds/*.wav kr,

deny @{HOME}/.mozilla/ r,
deny @{PROC}/[0-9]*/fd/ r,
deny @{PROC}/[0-9]*/task/ r,
deny @{PROC}/[0-9]*/task/** r,

}

 

————————

For me this AppArmor profile works perfectly in Ubuntu 11.10 with the latest Skype 2.2.0.35.

The reason for writing this post is that I searched the whole internet but didn’t find a profile that would work with Skype, so I created one myself from a mixture of other profiles.

It’s also good to know that with this profile you won’t be able to receive or send files with Skype, as the profile doesn’t allow read/write access.