[Bug 1191858] Re: Skype doesn't fully work in enforce mode

Mon, 17 Jun 2013 11:36:26 -0700 

There's really two issues here; first is the new permissions Skype is
requesting. I can't see why Skype would care about init's command line,
so I think I'd just add a 'deny' rule for it to quiet the messages. Or
leave it alone, if you'd rather be reminded that Skype is doing funny
things. The other permissions it is requesting could be handled like
this:

deny /proc/1/cmdline r,
owner /proc/*/status r,
/proc/modules r,
/sys/devices/*/*/usb*/*/* r,

/usr/share/icons/gnome/index.theme k,
/usr/share/icons/hicolor/index.theme k,

owner @{HOME}/.config/Skype/Skype.conf rw,


I've guessed at a very broad /sys/devices/*/*/usb*/*/* r, line, on the 
assumption that Skype should legitimately be able to query information about 
every USB device on the system. This might not be perfect, but will allow it to 
discover usual webcams and the like.

I don't know why Skype wants to lock the icon themes but on its own it
feels harmless. If an update operation is hung due to Skype not
releasing the lock in a timely fashion, an admin can always just kill
Skype and be done with it.

Perhaps the above lines should be added to the default Skype profile.
I'd like your feedback on what else might be needed once these lines are
added.

The second issue is your changed location. The following lines will
address your very specific error messages and allow you to use "~/New
Folder/" as a download location:

@{HOMEDIRS} r,
@{HOME} r,
"@{HOME}/New Folder/" r,
"@{HOME}/New Folder/**" rw,


If you want the file browser to generally work everywhere, you'll probably want 
to add a line like:

@{HOME}/**/ r,

Of course, this still denies actually writing to nearly everything. If
you _really_ want to allow downloading anywhere in a home directory, you
could add something like:

#include <abstractions/private-files-strict>

@{HOME}/** rw,

Be aware that this is extremely permissive.

Thanks

** Changed in: apparmor (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1191858

Title:
  Skype doesn't fully work in enforce mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1191858/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to