Home / ubuntu / Questions / 487294
Accepted
Sepero
Asked: 2014-06-24 12:08:44 +0800 CST

Anyway to use Skype in AppArmor?

  • 772

Ubuntu 14.04 and Skype 4.2 installed. I've set up AppArmor using the Skype AppArmor profile from this wiki. When I use AppArmor with Skype, it has no audio. Is anyone using AppArmor successfully with the latest Skype? How can I make this work?

UPDATE:
The profile below is what I now use successfully. I commented out a few permissions that I think Skype shouldn't have. If you have problems with this profile, then try removing all hashes (#) after line 15, and reload the profile with apparmor_parser -r /etc/apparmor.d/usr.bin.skype.

# Last Modified: Tue Jun 24 05:59:42 2014
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/consoles>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/video>

  deny /sys/devices/virtual/dmi/** r,
  deny owner @{HOME}/docker** r,
  deny owner @{HOME}/.mozilla/ r,
  deny owner @{HOME}/.mozilla/** r,

#  /dev/ r,
  /dev/video[0-9]* mrw,
#  /etc/ r,
  /etc/asound.conf r,
  /etc/machine-id r,
  /etc/xdg/Trolltech.conf r,
#  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf r,
#  /etc/xdg/sni-qt.conf rk,
  /sys/devices/pci*/*/usb[0-9]*/*/{idVendor,idProduct,speed} r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
#  /tmp/** rwlk,
  /usr/bin/kde4-config mrPUx,
  /usr/bin/skype mrix,
  /usr/bin/xdg-open mrPUx,
  /usr/lib{,32}/libv4l/v4l2convert.so r,
#  /usr/lib{,32}/libv4l/v4l2convert.so mr,
  /usr/lib{,32}/skype/skype mrix,
  /usr/share/icons/*/index.theme r,
#  /usr/share/icons/*/index.theme rk,
  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
#  /usr/share/skype/ r,
  /usr/share/skype/** r,
#  /usr/share/skype/lib/libQtWebKit.so.4 mr,
  /{run,dev}/shm/pulse-shm* r,
#  /{run,dev}/shm/pulse-shm* rwk,
#  /home/ r,
  owner @{HOME}/ r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.cache/fontconfig/* r,
  owner @{HOME}/.kde/** r,
  owner @{HOME}/.Skype/ r,
  owner @{HOME}/.Skype/** rwk,
  owner @{HOME}/.config/Skype/ r,
  owner @{HOME}/.config/Skype/** rwk,
  owner @{HOME}/.config/Trolltech.conf r,
#  owner @{HOME}/.config/Trolltech.conf rwk,
  owner @{HOME}/.config/fontconfig/fonts.conf r,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/oxygen-gtk/argb-apps.conf r,
#  owner @{HOME}/.config/oxygen-gtk/argb-apps.conf rw,
  owner @{HOME}/.config/pulse/cookie r,
#  owner @{HOME}/.config/pulse/cookie rwk,
  owner @{HOME}/.icons/** r,
  owner @{HOME}/.kde4/share/config/gtkrc-2.0 r,
  owner @{HOME}/.kde4/share/config/kdeglobals r,
#  owner @{HOME}/.kde4/share/config/kdeglobals rwk,
  owner @{HOME}/.kde4/share/config/oxygenrc r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/*/net/route r,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/sys/kernel/{ostype,osrelease} r,
  @{PROC}/sys/vm/overcommit_memory r,
}
security

1 Answers

  1. Best Answer

    You will have to manually review and debug they Apparmor Profile you copied from Arch. My guess is that you can review and make a few (minor) changes.

    If you can not do this, then I suggest you put the profile into complain mode and run aa-logprof

    sudo aa-complain /etc/apparmor.d/usr.bin.skype

    Open and use Skype. Close Skype.

    Then run aa-logprof

    sudo aa-logprof

    Review and accept the changes.

    I suggest you review the final profile ;)

    Then re-enable the profile

    sudo aa-enforce /etc/apparmor.d/usr.bin.skype

    See:

    https://help.ubuntu.com/community/AppArmor

    https://wiki.ubuntu.com/DebuggingApparmor

    • 2