This is https://launchpad.net/bugs/933440
Skype has changed a lot and needs quite a few updates to the profile. Most are not controversial, but I'd like to mention the following:
- I cleaned up the .mozilla directories access
- I tightened up the access to @{HOME} to use 'owner'
- I tightened up the access to @{HOME}/.config to not use a glob
- several 'm' accesses were allowed or explicitly denied due to skype being built with an executable stack

I smoke-tested on Ubuntu 12.04 LTS with others in the bug mentioning that the various additions worked for them.

-- 
Jamie Strandboge | http://www.canonical.com
Author: Jamie Strandboge <ja...@canonical.com> Description: update skype profile Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes Index: apparmor-2.8.0/profiles/apparmor/profiles/extras/usr.bin.skype =================================================================== --- apparmor-2.8.0.orig/profiles/apparmor/profiles/extras/usr.bin.skype 2012-07-05 12:17:18.000000000 -0500 +++ apparmor-2.8.0/profiles/apparmor/profiles/extras/usr.bin.skype 2012-07-05 12:42:12.000000000 -0500 
@@ -1,40 +1,80 @@ -# Last Modified: Mon Oct 26 13:29:13 2009 -# REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 -# Additional profiling based on work by Андрей Калинин, LP: #226624 +# Last Modified: Thu Jul 5 11:06:45 2009 +# Additional profiling based on work by: +# - Андрей Калинин, LP: #226624 +# - Jamie Strandboge and Ivan Frederiks, LP: #933440 #include <tunables/global> /usr/bin/skype flags=(complain) { #include <abstractions/audio> #include <abstractions/base> + #include <abstractions/dbus-session> #include <abstractions/fonts> #include <abstractions/freedesktop.org> + #include <abstractions/gnome> + #include <abstractions/ibus> #include <abstractions/kde> #include <abstractions/nameservice> #include <abstractions/nvidia> + #include <abstractions/ssl_certs> #include <abstractions/user-tmp> #include <abstractions/X> - # are these needed? - /proc/*/cmdline r, + @{PROC}/sys/kernel/{ostype,osrelease} r, + @{PROC}/[0-9]*/net/arp r, + owner @{PROC}/[0-9]*/auxv r, + owner @{PROC}/[0-9]*/cmdline r, + owner @{PROC}/[0-9]*/fd/ r, + owner @{PROC}/[0-9]*/task/ r, + owner @{PROC}/[0-9]*/task/[0-9]*/stat r, + + /sys/devices/**/power_supply/**/online r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r, + + /dev/ r, + owner /{dev,run}/shm/pulse-shm* m, + /dev/snd/* m, /dev/video* mrw, + /var/cache/libx11/compose/* r, # should this be in a separate KDE abstraction? 
- @{HOME}/.kde/share/config/kioslaverc r, + owner @{HOME}/.kde/share/config/kioslaverc r, /usr/bin/skype mr, + /etc/xdg/sni-qt.conf rk, + /etc/xdg/Trolltech.conf rk, /usr/share/skype/** kr, + /usr/share/skype/**/*.qm mr, /usr/share/skype/sounds/*.wav kr, + /usr/lib/@{multiarch}/pango/** mr, - @{HOME}/.Skype/ rw, - @{HOME}/.Skype/** krw, - @{HOME}/.config/* kr, - - @{HOME}/.mozilla/ r, - @{HOME}/.mozilla/*/ r, - @{HOME}/.mozilla/*/*/ r, - @{HOME}/.mozilla/*/*/bookmarkbackups/ r, - @{HOME}/.mozilla/*/*/chrome/ r, - @{HOME}/.mozilla/*/*/extensions/ r, - @{HOME}/.mozilla/*/*/prefs.js r, + # For opening links in the browser (still requires explicit access to execute + # the browser) + /usr/bin/xdg-open ixr, + + owner @{HOME}/.Skype/ rw, + owner @{HOME}/.Skype/** krw, + owner @{HOME}/.config/ r, + owner @{HOME}/.config/*/ r, + owner @{HOME}/.config/Trolltech.conf kr, + + # Skype traverses the .mozilla directory and needs access to prefs.js + owner @{HOME}/.mozilla/ r, + owner @{HOME}/.mozilla/**/ r, + owner @{HOME}/.mozilla/*/*/prefs.js r, + + # Skype also looks around in these directories + /{,usr/,usr/local/}lib/ r, + + # Recent skype builds have an executable stack, so it tries to mmap certain + # files. Let's deny them for now. + deny /etc/passwd m, + deny /etc/group m, + deny /usr/share/fonts/** m, + + # Silence a few non-needed writes + deny /var/cache/fontconfig/ w, + deny owner @{HOME}/.fontconfig/ w, + deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w, }
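Review bot: the `# Last Modified: Thu Jul 5 11:06:45 2009` header at the top of the hunk has the wrong year; the diff header's own timestamps put the edit at 2012-07-05 (5 July 2012 was a Thursday, 5 July 2009 a Sunday), so it should read 2009 -> 2012. Two smaller points in the same hunk: `/usr/bin/xdg-open ixr,` runs xdg-open under this profile, so the browser it execs needs a rule of its own here, as the comment says, and none is present, which means opening links only works while the profile stays at `flags=(complain)`; and `deny /etc/passwd m,` and `deny /etc/group m,` strip only the mmap-exec permission, since deny rules subtract from the read access that the included `abstractions/nameservice` grants, so a one-line comment saying they do not block reads would save the next reader the lookup.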
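The 'm' accesses above are explained by the binary's executable stack: when an ELF image asks for an executable stack (PT_GNU_STACK with the PF_X flag, or no PT_GNU_STACK at all), the loader enables READ_IMPLIES_EXEC, every read-only mmap becomes PROT_READ|PROT_EXEC, and AppArmor mediates it as 'm'. The following is an added example, not part of the patch or the mailing-list thread, that checks a binary for exactly that property by parsing the ELF program headers. The sample ELF images it tests against are constructed inline so it runs offline; `check_file` is a hypothetical helper for running it against a real path.

```python
"""Check an ELF image for an executable stack (PT_GNU_STACK with PF_X).

Added example: parses just enough of the ELF32/ELF64 program-header table
to find PT_GNU_STACK and report its flags. A missing PT_GNU_STACK is
treated as executable, which is the glibc/kernel default on x86.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data: bytes):
    """Return the p_flags of PT_GNU_STACK, or None if the segment is absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        fmt = endian + "IIQQQQQQ"  # p_type, p_flags, p_offset, vaddr, paddr, filesz, memsz, align
        flags_index = 1
    elif ei_class == 1:  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        fmt = endian + "IIIIIIII"  # p_type, p_offset, vaddr, paddr, filesz, memsz, p_flags, align
        flags_index = 6
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_index]
    return None


def has_exec_stack(data: bytes) -> bool:
    """True when the image will run with an executable stack."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def check_file(path: str) -> bool:
    """Hypothetical helper: run the check against a binary on disk."""
    with open(path, "rb") as f:
        return has_exec_stack(f.read())


def build_elf64(stack_flags=None) -> bytes:
    """Construct a minimal little-endian x86-64 ELF64 image (a constructed
    sample, not a real binary): one PT_LOAD plus an optional PT_GNU_STACK."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x400000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64, 0, 0,               # e_phoff (right after the header), e_shoff, e_flags
        64, 56, len(phdrs),     # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,               # e_shentsize, e_shnum, e_shstrndx
    )
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


# Constructed samples: RWE stack (the skype case), RW stack, and no segment.
EXEC_STACK_IMAGE = build_elf64(PF_R | PF_W | PF_X)
SAFE_STACK_IMAGE = build_elf64(PF_R | PF_W)
NO_SEGMENT_IMAGE = build_elf64(None)

if __name__ == "__main__":
    for name, img in (("RWE", EXEC_STACK_IMAGE), ("RW", SAFE_STACK_IMAGE),
                      ("none", NO_SEGMENT_IMAGE)):
        print(name, "GNU_STACK flags:", gnu_stack_flags(img),
              "exec stack:", has_exec_stack(img))
```

On a real system `readelf -lW /usr/bin/skype | grep GNU_STACK` shows the same information (an `RWE` entry is the executable-stack case); `check_file("/usr/bin/skype")` does the equivalent with the parser above. A binary that reports `RW` here should not need the `m` rules that this profile adds for `.qm`, pango and `/etc/passwd`, so this check is a quick way to decide whether those rules are still warranted when a new build ships.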
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor