## adapted from usr.bin.skype by Андрей Калинин, LP: #226624 and Jamie Strandboge and Ivan Frederiks, LP: #933440
#
# AppArmor profile for the Skype for Linux client binary.
# NOTE(review): every `#include` below has lost its target (the `<...>` part,
# e.g. a tunables/abstractions path) in extraction; restore them from the
# upstream profile before loading, otherwise the parser rejects the file.
#include
# The line below is the complain-mode (log-only) header, kept commented out;
# the active header that follows carries no flags, so the profile is enforced.
#/usr/share/skypeforlinux/skypeforlinux flags=(complain) {
/usr/share/skypeforlinux/skypeforlinux {
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include

  @{PROC}/sys/kernel/{ostype,osrelease} r,
  # Not owner-qualified: arp/dev under any pid are readable (ARP table and
  # interface list), not only the client's own.
  @{PROC}/@{pid}/net/arp r,
  @{PROC}/@{pid}/net/dev r,
  # Own-process introspection only (owner qualifier).
  owner @{PROC}/@{pid}/auxv r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/[0-9]*/stat r,

  /usr/share/skypeforlinux/natives_blob.bin r,
  /usr/share/skypeforlinux/snapshot_blob.bin r,
  /usr/share/skypeforlinux/skypeforlinux mr,
  # `m` on the whole install tree lets any file under it be mapped executable;
  # the deliberate pair of rules grants k (lock) and m (mmap-exec) plus read.
  /usr/share/skypeforlinux/** kr,
  /usr/share/skypeforlinux/** mr,
  # it wants to fork itself?
  # 'audit: type=1400 audit(1510220769.297:6962): apparmor="DENIED" operation="exec" profile="/usr/share/skypeforlinux/skypeforlinux" name="/usr/share/skypeforlinux/skypeforlinux" pid=20629 comm="skypeforlinux" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
  # `ix`: the re-exec'd child inherits this same profile (no transition).
  /usr/share/skypeforlinux/skypeforlinux ix,

  /sys/devices/**/power_supply/**/online r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{min_freq,cur_freq,max_freq} r,
  /sys/devices/system/cpu/cpufreq/policy[0-9]/scaling_{min_freq,cur_freq,max_freq} r,
  /sys/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_{min_freq,cur_freq,max_freq} r,
  # WARNING: it wants to know everything about pci devices
  # "pcilib: Cannot open /sys/bus/pci/devices/0000:00:19.0/class: Permission denied"
  # "pcilib: Cannot open /sys/bus/pci/devices/0000:00:1e.0/resource: Permission denied"
  # and so on...
  # NOTE(review): read-only, but these globs expose the full PCI topology and
  # device attributes (hardware fingerprinting surface); keep them read-only.
  /sys/bus/pci/devices/ r,
  /sys/devices/ r,
  /sys/devices/pci**/ r,
  /sys/devices/pci**/* r,
  /sys/bus/pci/devices/**/ r,
  /sys/bus/pci/devices/**/* r,
  /sys/class/tty/tty0/active r,

  # PulseAudio / ALSA client configuration.
  /etc/pulse/client.conf.d/ r,
  /etc/pulse/client.conf.d/50-system.conf r,
  /etc/alsa-pulse.conf r,
  /etc/asound-pulse.conf r,
  owner /{dev,run}/shm/pulse-shm* m,
  /etc/settings/sni-qt.conf r,
  /etc/ssl/openssl.cnf r,

  /dev/ r,
  /dev/dri/ r,
  /dev/shm/ r,
  # Restricted to shm objects the user owns; no `m`, so they cannot be mapped
  # executable through this rule.
  owner /dev/shm/* rw,
  # WARNING: "m" could be dangerous
  # `mrw` here = writable memory that can also be mapped PROT_EXEC; the owner
  # qualifier is the only thing keeping this to the user's own objects.
  owner /dev/shm/.org.chromium.Chromium.* mrw,
  # mmap only; read/write access to the sound devices presumably comes from
  # one of the includes above — TODO confirm once the include targets are restored.
  /dev/snd/* m,
  # All video (camera) devices, read/write/mmap, not owner-qualified.
  /dev/video* mrw,
  # NOTE(review): hard-coded pty number; looks like a leftover from debugging
  # on the author's terminal — it matches no other pty. Confirm it is needed.
  /dev/pts/0 wr,
  # NOTE(review): literal /proc here vs. @{PROC} elsewhere in the profile.
  /proc/ r,
  /proc/self/status r,
  /var/cache/libx11/compose/* r,
  # should this be in a separate KDE abstraction?
  owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
  /etc/xdg/sni-qt.conf rk,
  /etc/xdg/Trolltech.conf rk,
  /usr/lib/@{multiarch}/pango/** mr,
  # For opening links in the browser (still requires explicit access to execute
  # the browser)
  # `ix`: xdg-open and whatever it launches stay under this profile, so the
  # browser exec is denied unless listed here.
  /usr/bin/xdg-open ixr,

  # Per-user Skype state; k (lock) + rw, owner-qualified.
  owner @{HOME}/.Skype/ rw,
  owner @{HOME}/.Skype/** krw,
  owner @{HOME}/.config/skypeforlinux/ rw,
  owner @{HOME}/.config/skypeforlinux/** krw,
  owner @{HOME}/.config/ r,
  owner @{HOME}/.config/*/ r,
  owner @{HOME}/.config/gtkrc-2.0 r,
  owner @{HOME}/.config/Skype/Skype.conf rw,
  owner @{HOME}/.config/Trolltech.conf kr,
  # presumably OpenSSL's per-user RNG seed file — read only.
  owner @{HOME}/.rnd r,
  # Skype traverses the .mozilla directory and needs access to prefs.js
  # NOTE(review): grants read of browser profile preferences (privacy-relevant);
  # limited to directory listings plus prefs.js, nothing else under .mozilla.
  owner @{HOME}/.mozilla/ r,
  owner @{HOME}/.mozilla/**/ r,
  owner @{HOME}/.mozilla/*/*/prefs.js r,
  # Skype also looks around in these directories
  # Directory listing only (trailing slash), no file contents.
  /{,usr/,usr/local/}lib/ r,

  # Recent skype builds have an executable stack, so it tries to mmap certain
  # files. Let's deny them for now.
  # Explicit deny wins over any allow from the includes and is not logged.
  deny /etc/passwd m,
  deny /etc/group m,
  deny /usr/share/fonts/** m,
  # Silence a few non-needed writes
  deny /var/cache/fontconfig/ w,
  deny owner @{HOME}/.fontconfig/ w,
  deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
}