Skype apparmor

Bug #1325131 reported by Mark Vartanyan
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
skype (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

Skype has a nasty habit of crawling user folders, e.g. .mozilla, .opera and others, gaining access to password files for an unknown reason. Thus, it deserves an apparmor profile which restricts this behavior.

The attached file can be the one to start with. Audio, Video, UI works fine.

Things to consider: allow using user's Downloads folder.

Other suggestion: instead of restricting that hard, just deny the access to sensitive dot-folders.

Mark Vartanyan (kolypto) wrote :

Attachment (failed last time)

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for this starting point; I have a few suggestions.

It'd be nice to use @{PROC} throughout for /proc/ rules.
It'd be nice to use Pixm for the pulseaudio program, so an existing profile for it can be used.
Granting lock to all of /usr/share/** feels too wide -- I can't think of consequences now, but it seems needless.
No existing profiles grant write privileges to /var/cache/fontconfig/* -- probably skype should also not have the ability to modify system-wide fontconfig cache files.
It would be nice to use the two-argument form of link permission for the kdeglobals rule to restrict which files can be linked.
It would be nice to use owner on the /tmp/tmp/** rule, to keep several users from colliding in this directory.

Thanks
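
The rule forms suggested in the comment above, together with the "deny sensitive dot-folders" idea from the bug description, as an added illustration. This fragment is not the profile attached to this bug: the "before" lines, the permission letters, the /proc entry, the kdeglobals path and the link target are all constructed assumptions.

```apparmor
# Constructed fragment for illustration; not the attached profile.
# tunables/global defines @{PROC} and @{HOME}.
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/base>

  # 1. Use the @{PROC} tunable rather than a literal /proc/ path.
  #    before (assumed):  /proc/*/cmdline r,
  @{PROC}/*/cmdline r,

  # 2. Pixm: transition to a pulseaudio profile when one is loaded,
  #    fall back to inheriting this profile otherwise.
  #    before (assumed):  /usr/bin/pulseaudio ix,
  /usr/bin/pulseaudio Pixm,

  # 3. No lock (k) across all of /usr/share; grant k per file if needed.
  #    before (assumed):  /usr/share/** rk,
  /usr/share/** r,

  # 4. System-wide fontconfig cache is read-only.
  #    before (assumed):  /var/cache/fontconfig/* rw,
  /var/cache/fontconfig/* r,

  # 5. Two-argument link form: the rule names both the link and the
  #    file it may point at (target pattern is an assumption).
  #    before (assumed):  owner @{HOME}/.kde/share/config/kdeglobals rwl,
  owner @{HOME}/.kde/share/config/kdeglobals rw,
  link @{HOME}/.kde/share/config/kdeglobals -> @{HOME}/.kde/share/config/#[0-9]*,

  # 6. owner: only files owned by the confined user match, so several
  #    users do not collide in this directory.
  #    before (assumed):  /tmp/tmp/** rw,
  owner /tmp/tmp/** rw,

  # Alternative from the bug description: explicitly deny the sensitive
  # dot-folders. "audit" keeps the denials visible in the logs.
  audit deny @{HOME}/.mozilla/{,**} mrwkl,
  audit deny @{HOME}/.opera/{,**} mrwkl,
}
```

Deny rules take precedence over allow rules, so the last two lines hold even if a broader rule elsewhere in the profile would grant access to the home directory.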

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in skype (Ubuntu):
status: New → Confirmed
papukaija (papukaija) wrote :

Please don't forget that there's already an AppArmor profile for Skype in the apparmor-profiles package. However, it doesn't fully work in the enforce mode, please see bug 1191858 for more details. That bug also has some discussion about adding rules for the download folder and for opening a web browser (from the purchase/account links).

This report contains Public Security information  
Everyone can see this security related information.
