Results 1 to 8 of 8

Thread: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

  1. #1
    Join Date
    Feb 2012
    Location
    el_GR
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    Hello ,

    I've found a working apparmor profile for skype. I want to restrict this program.
    Code:
    apt-cache policy skype
    skype:
      Installed: 4.1.0.20.0-0ubuntu0.12.04.1
      Candidate: 4.1.0.20.0-0ubuntu0.12.04.1
      Version table:
     *** 4.1.0.20.0-0ubuntu0.12.04.1 0
            500 http://archive.canonical.com/ubuntu/ precise/partner i386 Packages
            100 /var/lib/dpkg/status
    Code:
    lsb_release -rcd ; uname -r 
    Description:    Ubuntu 12.04.1 LTS
    Release:    12.04
    Codename:    precise
    3.2.0-33-generic-pae
    Here is the apparmor-profile I use right now.

    Code:
    #include <tunables/global>
     /usr/bin/skype {
        #include <abstractions/base>
        #include <abstractions/user-tmp>
        #include <abstractions/audio>
        #include <abstractions/nameservice>
        #include <abstractions/ssl_certs>
        #include <abstractions/fonts>
        #include <abstractions/X>
        #include <abstractions/freedesktop.org>
        #include <abstractions/kde>
         /usr/bin/skype mr,
        /opt/skype/skype pix,
        /opt/skype/** kmr,
        /usr/share/fonts/X11/** m,
         @{PROC}/*/net/arp r,
        @{PROC}/sys/kernel/ostype r,
        @{PROC}/sys/kernel/osrelease r,
         /dev/ r,
        /dev/tty rw,
            /dev/snd/* mrw,
            /dev/shm/ r,
            /dev/shm/pulse-shm-* mrw,
        /etc/pulse/client.conf r,
        /dev/pts/* rw,
        /dev/video* mrw,
        /var/lib/dbus/machine-id r,
        @{HOME}/Downloads/* krw,
        @{HOME}/Downloads/ krw,
         /etc/xdg/Trolltech.conf rk,
        /usr/share/locale-langpack/* mr,
        /usr/share/glib-2.0/schemas/gschemas.compiled rm,
        /sys/devices/system/cpu/cpu0/cpufreq/* r,
         @{HOME}/.Skype/ rw,
        @{HOME}/.Skype/** krw,
        /usr/share/skype/** kmr,
        /usr/share/skype/sounds/*.wav kr,
         deny @{HOME}/.mozilla/ r, # no idea what it needs there
        deny @{PROC}/[0-9]*/fd/ r,
        deny @{PROC}/[0-9]*/task/ r,
        deny @{PROC}/[0-9]*/task/** r,
     }
    Found it here.

    Is there a way to improve it ? I'm calling the apparmor guru guys here. I'm ready to test any improvement.

    Thanks
    # How to mark the Thread as [SOLVED] when done.
    # Ubuntu Greek Community
    # Gain 20GB of space on copy.com when sign up with my referral link.

  2. #2
    Join Date
    Jun 2008
    Beans
    9

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    I think this is a majorly important thread. I just installed this profile as well. Seems to work so far. Caught skype trying to access /etc/passwd. I wonder for what purposes.

    Note: running 12.04, skype 4.1.0.20, aa-enforce-ing skype with the profile from http://eternalwalkabout.wordpress.co...armor-profile/
    Last edited by Zburatorul; December 2nd, 2012 at 07:42 AM.

  3. #3
    Soul-Sing is offline Chocolate-Covered Ubuntu Beans
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    why in /opt? The new release comes with reg. updates.
    why copy/paste complete profiles? when you could make your own?
    whereis skype: skype: /usr/bin/skype /usr/bin/X11/skype /usr/share/skype

  4. #4
    Join Date
    Nov 2010
    Beans
    55

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    I think this is a majorly important thread. I just installed this profile as well. Seems to work so far. Caught skype trying to access /etc/passwd. I wonder for what purposes.
    The command

    Code:
    ls -l
    accesses /etc/passwd. Your encrypted password is stored in /etc/shadow. /etc/passwd is used to map user IDs to usernames. It is not a sign that Skype is trying to subvert your system.



  5. #5
    Join Date
    Jun 2008
    Beans
    9

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    Quote Originally Posted by DanR01 View Post


    The command

    Code:
    ls -l
    accesses /etc/passwd. Your encrypted password is stored in /etc/shadow. /etc/passwd is used to map user IDs to usernames. It is not a sign that Skype is trying to subvert your system.


    I had in the meantime done some googling to discover what you just wrote. Okay, so that's not bad.

    Nevertheless, any specific fear aside, I think I would still like to start a general practice of creating profiles for any closed-source applications that I need to run.

  6. #6
    Join Date
    Feb 2012
    Location
    el_GR
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    Quote Originally Posted by Zburatorul View Post
    I think I would still like to start a general practice of creating profiles for any closed-source applications that I need to run.
    Me too

    So I posted this profile and waiting for improvements - additions and/or unnecessary entries like @Soul-Sing mentioned.

    Well , the best restriction (for me) remains the VB. (something like sandbox) , but apparmor is there (pre-installed) and I want to learn how to use it.

    I'm not capable (right now) to create my own profiles , I'm reading posts - tutorials - forum stickies .. I will figure it out sometime.

    Thanks for answers
    # How to mark the Thread as [SOLVED] when done.
    # Ubuntu Greek Community
    # Gain 20GB of space on copy.com when sign up with my referral link.

  7. #7
    Join Date
    Dec 2007
    Location
    Bombay
    Beans
    6,077
    Distro
    Lubuntu 14.10 Utopic Unicorn

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    Quote Originally Posted by NikTh View Post
    ...
    So I posted this profile and waiting for improvements - additions and/or unnecessary entries ...
    In the profile in the first post, there is this: "#include <abstractions/kde>". Do you think it is necessary if you're not running Kubuntu? Or is Skype a qt app that somehow needs some kde stuff? Farther down there's "/etc/xdg/Trolltech.conf rk," which may also be qt-related.

    BTW, the default evince profile also has "/etc/passwd r,".
    de gustibus et coloribus non est disputandum -- Wiktionary

  8. #8
    Join Date
    Feb 2012
    Location
    el_GR
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Apparmor profile skype 4.1.0.20 - Ubuntu 12.04

    Quote Originally Posted by vasa1 View Post
    In the profile in the first post, there is this: "#include <abstractions/kde>". Do you think it is necessary if you're not running Kubuntu? Or is Skype a qt app that somehow needs some kde stuff? Farther down there's "/etc/xdg/Trolltech.conf rk," which may also be qt-related.

    BTW, the default evince profile also has "/etc/passwd r,".
    Hey , thanks vasa1

    Yes I understood this about kde entries . Are not necessary if you don't use KDE. And Trolltech.conf is also for Kde , yes.

    cat /etx/xdg/Trolltech.conf
    Code:
    [qt]
    4.8\libraryPath=/usr/lib/kde4/plugins
    Of course Library Path not exist at my installation.

    I'm reading to understand what this #include <abbstractions/blah..blah> are and which of these I have to use , and when..
    the other configurations , I think I understand them.. (about the paths - allow - deny and the permissions ,r,m,k,....)

    Thanks
    # How to mark the Thread as [SOLVED] when done.
    # Ubuntu Greek Community
    # Gain 20GB of space on copy.com when sign up with my referral link.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •