To stay in touch with my contacts and talk to people for free through Skype, I accept that my workstation becomes a P2P node. But I do not agree to Skype scanning my private files (browser cookies and history). What to do? Since I am a Linux user, the solution is simple: use AppArmor. With this approach Skype is launched in a kind of sandbox, i.e. in an environment where not everything is allowed. You can read more about sandboxing Skype with AppArmor here.
The problem is that all the AppArmor profiles I found for Skype do not work with the latest version 2.1: they cause the application to terminate, apparently because they are a bit outdated. So, after hours of experiments, I have written a new one, which definitely works well for me (Ubuntu 8.10 + latest Skype 2.1b). Here is a draft version of usr.bin.skype:
# Skype profile for AppArmor, tested with Skype v2.1 on Ubuntu 8.10
# by Andrew Sichevoi, http://thekondor.net
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/nameservice>

  # Per-user files: Skype's own data directory plus X/Qt session files
  /home/*/.ICEauthority r,
  /home/*/.Skype/ rw,
  /home/*/.Skype/** rwk,
  /home/*/.Xauthority r,
  /home/*/.config/Trolltech.conf rk,
  /home/*/.fontconfig/* r,

  # Devices: webcam and PulseAudio shared memory
  /dev/ r,
  /dev/video* rwm,
  /dev/shm/ rw,
  /dev/shm/pulse* wrm,
  # /sys/devices/system/cpu/ r,
  /etc/pulse/client.conf r,
  /usr/share/fonts/** rm,

  # Explicit denies for system information and other applications' private data.
  # A deny rule overrides any matching allow rule, so the deny on .config/**
  # also removes the read permission granted to Trolltech.conf above.
  deny /proc/*/net/route r,
  deny /etc/passwd r,
  deny /etc/group r,
  deny /home/*/.mozilla/** r,
  deny /home/*/.purple/** r,
  deny /home/*/.opera/** r,
  deny /home/*/.ssh/** r,
  deny /home/*/.config/** r,

  # X11, ICE and PulseAudio sockets
  /proc/interrupts r,
  /tmp/.ICE-unix/* w,
  /tmp/.X11-unix/X0 w,
  /tmp/pulse-*/native rw,

  # The Skype binary, Qt plugins and shared resources
  /usr/bin/skype mr,
  /usr/lib/qt4/plugins/iconengines/ r,
  /usr/lib/qt4/plugins/imageformats/ r,
  /usr/lib/qt4/plugins/imageformats/*.so mr,
  /usr/lib/qt4/plugins/inputmethods/ r,
  /usr/share/X11/locale/** r,
  /usr/share/icons/** r,
  /usr/share/skype/** mrk,
  /var/cache/libx11/compose/* r,
}
Enjoy.
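To see what a set of allow and deny file rules actually grants on a given path, the following added example (not part of the original post or of AppArmor itself) evaluates a few of the profile's rules against sample paths. It assumes a simplified matcher that handles only `*`, `**` and `?`, ignores the `#include` abstractions, and uses constructed paths under a hypothetical `/home/alice`.

```python
import re

# Constructed subset of the profile's file rules; #include abstractions are not evaluated.
PROFILE = """
/home/*/.Skype/** rwk,
/home/*/.config/Trolltech.conf rk,
deny /home/*/.mozilla/** r,
deny /home/*/.ssh/** r,
deny /home/*/.config/** r,
"""

def glob_to_regex(glob):
    """Translate AppArmor globbing: ** crosses '/', while * and ? do not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def parse_rules(text):
    """Return (is_deny, regex, perms) per file rule; comments and the header are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        if line.endswith("{") or not line.startswith(("/", "deny /")):
            continue
        parts = line.split()
        rules.append((parts[0] == "deny", glob_to_regex(parts[-2]), set(parts[-1])))
    return rules

def effective_perms(rules, path):
    """Allowed permissions minus denied ones: a deny always wins over an allow."""
    allowed, denied = set(), set()
    for deny, regex, perms in rules:
        if regex.match(path):
            (denied if deny else allowed).update(perms)
    return "".join(sorted(allowed - denied))

RULES = parse_rules(PROFILE)
if __name__ == "__main__":
    for p in ("/home/alice/.Skype/main.db", "/home/alice/.config/Trolltech.conf",
              "/home/alice/.mozilla/firefox/cookies.sqlite", "/home/alice/.ssh/id_rsa"):
        print(f"{p}: {effective_perms(RULES, p) or '(none)'}")
```

Only the lock permission survives for `Trolltech.conf`, because the broader deny on `.config/**` subtracts the read permission from the earlier allow rule.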
Thanks for this!
Works fine on openSuSE 11.2 too!