Skype crashes on start

Bug #1745067 reported by AlekseyK
This bug affects 1 person
Affects    Status   Importance   Assigned to   Milestone
AppArmor   New      Undecided    Unassigned
openSUSE   New      Undecided    Unassigned

Bug Description

Skype 4.3 crashes on start with the default skype profile (usr.bin.skype) from /usr/share/apparmor/extra-profiles/ when running in enforce mode. Works fine in complain mode. If the skype apparmor profile is switched to enforce mode after skype starts, skype works just fine. Can add gdb backtrace if necessary. Please fix.

Tags: profile skype
Vincas Dargis (talkless) wrote :

Please consider upgrading to newer Skype, as 4.3 is unsupported.

You can use my WIP profile (that I use myself daily) until it gets merged into extras directory:

https://gitlab.com/Talkless/apparmor/blob/skypeforlinux/profiles/apparmor/profiles/extras/usr.bin.skypeforlinux

Vincas Dargis (talkless) wrote :

Oh, the bug report is marked "openSUSE". I did not test that profile there. I could do that though.

AlekseyK (tantrido) wrote :

Thanks! Prefer to use 4.3 as I do not know how the new skypeforlinux works and spies on me or my data. I like how the current skype profile works - it just blocks everything for skype - it does not even see my home dir content. I know it is unsupported, however it still works fine and has better functionality compared to the newest one.

However if Your skypeforlinux profile also blocks everything for skype - it is good, could give it a try in the future.

Vincas Dargis (talkless) wrote : Re: [Bug 1745067] Re: Skype crashes on start

On 1/24/18 9:35 PM, AlekseyK wrote:
> Thanks! Prefer to use 4.3 as do not know how new skypeforlinux works and
> spy after me or my data. I like how current skype profile works - it
> just blocks everything for skype - it even does not see my home dir
> content. I know it is unsupported however it still works fine and have
> better functionality comparing to newest one.
>
> However if Your skypeforlinux profile also blocks everything for skype -
> it is good, could give it a try in the future.

New usr.bin.skypeforlinux uses "abstractions/user-download" that does allow to read and write into $HOME (as it's a common
download directory for various programs), also allows Downloads and Desktop directories [0]. Dot files in $HOME are
not allowed.

If you care about maximum privacy, I would suggest to use firejail[1] with so-called private home directory, X server
confinement and more. It will probably be the most intrusive way of doing it, as you will have to launch Skype via
firejail (or create a special .desktop launcher I guess), but if convenience is not the concern for you, maybe that's
the better alternative?

[0] https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/user-download
[1] https://firejail.wordpress.com/

AlekseyK (tantrido) wrote :

>New usr.bin.skypeforlinux uses "abstractions/user-download" that does allow to read and write into $HOME
>(as it's common download directory for various programs), also allows Downloads and Desktop
>directories [0].

Terrible. Not acceptable. Could You fix old usr.bin.skype profile please?

firejail use seems pretty easy: just prefix necessary command with firejail. Could use it if forced to use modern skype. Old one more preferable for now as I said.

Vincas Dargis (talkless) wrote :

On 1/25/18 11:11 PM, AlekseyK wrote:
>> New usr.bin.skypeforlinux uses "abstractions/user-download" that does allow to read and write into $HOME
>> (as it's common download directory for various programs), also allows Downloads and Desktop
>> directories [0].
>
> Terrible. Not acceptable. Could You fix old usr.bin.skype profile
> please?

First of all I do not know where I would get a Skype v4 .deb package for my system, and I just doubt I would like to spend
time on a deprecated application, sorry.

You could just try to copy my new usr.bin.skypeforlinux and remove some lines though.

> firejail use seems pretty easy: just prefix necessary command with
> firejail. Could use it if forced to use modern skype. Old one more
> preferable for now as I said.

I don't like that approach because you have to explicitly launch it. Of course, adding it into your desktop's Autostart
list fixes that, but you could still accidentally launch it without firejail. Another application might launch your
application not in jailed mode too. Too fragile for my taste. But let's not get into off-topic any more. :)

AlekseyK (tantrido) wrote :

https://askubuntu.com/a/938239/130585
download.skype.com/linux/skype-ubuntu-precise_4.3.0.37-1_i386.deb

AlekseyK (tantrido) wrote :

Strange, today skype started normal in enforce mode. :) So will stay on 4.3 for now.

AlekseyK (tantrido) wrote :

Sorry, wrong message. It still crashes like before (just did not restart to check).

AlekseyK (tantrido) wrote :

I have fixed Your profile, now all works just fine, it appeared not too complex. :)

1st I ran
>sudo aa-genprof skype
2nd in another terminal I ran skype in complain mode.
3rd I pressed Scan in the 1st terminal with genprof. I was mostly interested in the fontconfig dirs it was crashing on. When it generated a new profile for me based on Yours, I reduced the patch to only 3 lines of code:

/usr/share/cantarell-fonts/conf.avail/** r,
/usr/share/fonts-config/conf.avail/** r,
/usr/share/ghostscript/fonts/** r,

Patched profile attached. So You can fix it in public and close the issue. Thanks! :)

AlekseyK (tantrido) wrote :

One more line added here for correct work:

/usr/share/*/conf.avail/** r,

AlekseyK (tantrido) wrote :

Hi, Vincas

Now I'm trying to use Your new usr.bin.skypeforlinux profile. skypeforlinux won't start with it - runs only in complain mode. How to solve? Help me please! Thanks!

Also any way to restrict home dir access and allow only some ~/Download/Skype dir? Thanks!

Vincas Dargis (talkless) wrote :

On 2/28/18 3:07 PM, AlekseyK wrote:
> Hi, Vincas
>
> Now I'm trying to use Your new usr.bin.skypeforlinux profile.
> skypeforlinux won't start with it - runs only in complain mode. How to
> solve? Help me please! Thanks!

What distribution and desktop are you running? I'm using KDE on two
Debian machines, also tested on Ubuntu VM.

Also, please paste DENIED messages from kernel log.

> Also any way to restrict home dir access and allow only some
> ~/Download/Skype dir? Thanks!

In the future (with AppArmor >=3) with so-called Conditionals it will be
possible to make profiles more configurable. Selecting what abstractions
to use by changing a variable in a single file would be much better than
allowing too much by default, or asking the user to edit/delete some
lines in profile (in this case "#include <abstractions/user-download>")...

Anyway, you can edit profile and remove that line I've mentioned, and
add this line (in same profile or in
/etc/apparmor.d/local/usr.bin.skypeforlinux include):

owner @{HOME}/Download/Skype/{,**} rw,

Alternatively, it could be possible to add `deny` rules into
`/etc/apparmor.d/local/usr.bin.skypeforlinux` to cancel out what's
written in <abstractions/user-download>, but that's too complicated...

AlekseyK (tantrido) wrote :

Found some solution here: https://askubuntu.com/a/1010702/130585, only have problem with web camera.

AlekseyK (tantrido) wrote :

>Vincas Dargis (talkless) wrote on 2018-01-26:
>What distribution and desktop are you running? I'm using KDE on two
>Debian machines, also tested on Ubuntu VM.

As I said: openSUSE.

> Also any way to restrict home dir access and allow only some
> ~/Download/Skype dir? Thanks!

Profile mentioned here: https://askubuntu.com/a/1010702/130585 blocks access to home dir. I've added only this line:

owner @{HOME}/Download/Skype/{,**} rw,

The only problem there: camera does not work. I've added following lines from Your profile:

  /dev/video[0-9]* m,
  /dev/video[0-9]* rw,
  owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it

Still does not work. Any ideas?

Vincas Dargis (talkless) wrote :

On 2/28/18 7:32 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote on 2018-01-26:
>> What distribution and desktop are you running? I'm using KDE on two
>> Debian machines, also tested on Ubuntu VM.
>
> As I said: openSUSE.

Oh sorry, I forgot that part. Yes I should test on SUSE too, maybe this
weekend.

> The only problem there: camera does not work. I've added following lines
> from Your profile:
>
> /dev/video[0-9]* m,
> /dev/video[0-9]* rw,
> owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it
>
> Still does not work. Any ideas?

I can't comment if I do not see DENIED messages in your kernel log.

Also, profile you are using might have "deny" rules that hides the core
issue. Try removing "deny" rules one by one until maybe camera starts
working.

Vincas Dargis (talkless) wrote :

On 2/28/18 7:32 PM, AlekseyK wrote:
> Profile mentioned here: https://askubuntu.com/a/1010702/130585 blocks
> access to home dir. I've added only this line:
>
> owner @{HOME}/Download/Skype/{,**} rw,

I've decided to make my profile working by default (including accepting
downloaded files to default places), without requiring user to modify
profile. This is simply a decision author can take.

AlekseyK (tantrido) wrote :

>Vincas Dargis (talkless) wrote 39 minutes ago:
>I can't comment if I do not see DENIED messages in your kernel log.
How to see it? Seems /var/log/messages is missed in openSUSE.

>Also, profile you are using might have "deny" rules that hides the core
>issue. Try removing "deny" rules one by one until maybe camera starts
>working.
https://askubuntu.com/a/1010702/130585 - look at the profile by the link please: it is very simple and short - there are no deny rules there.

AlekseyK (tantrido) wrote :

> This is simply a decision author can take.
I understand this. However skype is terrible thing and such "protection" does nothing.

Vincas Dargis (talkless) wrote :

On 2/28/18 8:50 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote 39 minutes ago:
>> I can't comment if I do not see DENIED messages in your kernel log.
> How to see it? Seems /var/log/messages is missed in openSUSE.

If auditd is installed, it should be in /var/log/audit/audit.log.

If not, running `sudo journalctl -f | fgrep DENIED` before launching
Skype should show DENIED messages.

I have just reproduced crash on OpenSUSE VM, it's due to denied access
to some font-related files. I'll fix that other day (I'm done for today).

Seth Arnold (seth-arnold) wrote :

On Wed, Feb 28, 2018 at 06:50:14PM -0000, AlekseyK wrote:
> >I can't comment if I do not see DENIED messages in your kernel log.
> How to see it? Seems /var/log/messages is missed in openSUSE.

dmesg will show the kernel message buffer.
journalctl -k will also show the kernel message buffer if dmesg has also
been removed.
If auditd is installed it is probably logging to /var/log/audit/audit.log
and the above options are probably not very useful.

Thanks

AlekseyK (tantrido) wrote :

Output attached.

# cat /var/log/audit/audit.log | grep DENIED >>skype.log

AlekseyK (tantrido) wrote :

sudo journalctl -f | fgrep DENIED

shows nothing. Camera in settings shows black screen, when video was not allowed in profile - error was shown in skype dialog. So it works somehow partially: access to /dev/video0 granted but shows nothing - black. In complain mode works fine.

Christian Boltz (cboltz) wrote :

If it works in complain mode, this means the problem is missing rules, but not deny rules (deny rules are enforced even in complain mode).

Note that the log messages include ALLOWED instead of DENIED in complain mode, so you'll need to grep for that ;-)

Vincas Dargis (talkless) wrote :

On 2/28/18 11:23 PM, AlekseyK wrote:
> sudo journalctl -f | fgrep DENIED
>
> shows nothing.

Because it seems you have auditd running, as you have attached audit
log. If auditd is running, you shouldn't see relevant stuff with this
command (unless it's userspace DBus error apparently).

`sudo tail -f /var/log/audit/audit.log | fgrep DENIED` is alternative in
that case.

AlekseyK (tantrido) wrote :

Thank You. While trying to enable video in a call, prints following:

type=AVC msg=audit(1519927869.593:595): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-5" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/7xsNcP"
type=AVC msg=audit(1519927881.977:599): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-6" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/h5GWjY"
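
One way to read the DENIED and complain-mode ALLOWED records discussed in this thread, as an added example that is not part of any commenter's post and is not aa-logprof's code: it parses audit records (including hex-encoded names) and derives candidate file rules for review. The third sample record, the PID-globbing step and the `owner` heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_FIELDS = {"name", "target", "profile", "comm"}
LOG_ONLY = {"c": "w", "d": "w"}  # create/delete appear in logs; rules spell both as w

# The two DENIED records quoted in this thread, plus one CONSTRUCTED complain-mode
# (ALLOWED) record whose name is hex-encoded, as audit does for paths with spaces.
SAMPLE = [
    'type=AVC msg=audit(1519927869.593:595): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-5" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/7xsNcP"',
    'type=AVC msg=audit(1519927881.977:599): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-6" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/h5GWjY"',
    'type=AVC msg=audit(1519927900.100:601): apparmor="ALLOWED" operation="open" profile="/usr/bin/skypeforlinux" name=2F6F70742F6D7920666F6E74732F612E636F6E66 pid=16414 comm="skypeforlinux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        # Unquoted path-like values are hex-encoded when they hold special characters.
        if bare and key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare or quoted
    # Enforce mode logs DENIED; complain mode logs ALLOWED for the same access.
    return rec if rec.get("apparmor") in ("DENIED", "ALLOWED") else None


def candidate_rules(lines):
    """Map profile -> sorted candidate file rules, merged per path."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_record, lines)):
        if "name" not in rec or "denied_mask" not in rec:
            continue  # capability, network, dbus ... records carry no file path
        path = rec["name"]
        if rec.get("pid"):
            # Heuristic (assumption): a PID embedded in the path changes per run.
            path = re.sub(rf"(?<!\d){re.escape(rec['pid'])}(?!\d)", "*", path)
        # Heuristic (assumption): same fsuid and ouid suggests an owner rule.
        owner = rec.get("fsuid") is not None and rec.get("fsuid") == rec.get("ouid")
        # Exec needs a transition mode (ix, px, ...) chosen by a human, so skip x.
        mask = {LOG_ONLY.get(ch, ch) for ch in rec["denied_mask"]} - {"x"}
        perms[(rec.get("profile", "?"), owner, path)] |= mask
    rules = defaultdict(list)
    for (profile, owner, path), mask in sorted(perms.items()):
        if mask:
            shown = f'"{path}"' if " " in path else path
            rules[profile].append(
                f'{"owner " if owner else ""}{shown} {"".join(sorted(mask))},')
    return dict(rules)


if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE).items():
        print(f"# candidates for {profile}")
        for rule in rules:
            print("  " + rule)
```

The printed lines are candidates to review and narrow by hand before they go into a profile or its local/ include; they are not the lines 164-165 referenced later in the thread.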

Vincas Dargis (talkless) wrote :

I have updated my profile to fix Skype on OpenSUSE [0]. Tested on KDE
and GNOME. I am not sure if webcam should work though... Skype does see
device name, though I can't get video at all even with Cheese, probably
VirtualBox USB forwarding issues or whatever.

On 3/1/18 8:12 PM, AlekseyK wrote:
> Thank You. While trying to enable video in a call, prints following:
>
> type=AVC msg=audit(1519927869.593:595): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-5" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/7xsNcP"
> type=AVC msg=audit(1519927881.977:599): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-16414-6" pid=16414 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/h5GWjY"

These are fixed in my profile I believe.

[0]
https://gitlab.com/Talkless/apparmor/commit/a1cef82aed4898629d59eb330626d7030f77026c

AlekseyK (tantrido) wrote :

What will be the correct rule here?

Vincas Dargis (talkless) wrote :

On 3/1/18 8:50 PM, AlekseyK wrote:
> What will be the correct rule here?

Line 164-165:

https://gitlab.com/Talkless/apparmor/blob/a1cef82aed4898629d59eb330626d7030f77026c/profiles/apparmor/profiles/extras/usr.bin.skypeforlinux#L164

Or you could just use my profile after removing "#include
<abstractions/user-download>" ?

AlekseyK (tantrido) wrote :

I've added 3 lines from Your profile related to video:

/dev/video* rw,
/dev/video[0-9]* m,
owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it

Still does not work. Any other need to add?

AlekseyK (tantrido) wrote :

With Your complete profile video does not work also:

type=AVC msg=audit(1519931731.597:1382): apparmor="DENIED" operation="link" profile="/usr/bin/skypeforlinux" name="/dev/shm/sem.mtx-30377-1" pid=30377 comm="skypeforlinux" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/dev/shm/vudPUv"

AlekseyK (tantrido) wrote :

>Vincas Dargis (talkless) wrote 22 minutes ago:
>Line 164-165:
After these lines works correctly now! Thank You very much!

Vincas Dargis (talkless) wrote :

On 3/1/18 9:33 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote 22 minutes ago:
>> Line 164-165:
> After these lines works correctly now! Thank You very much!
>

I am confused. So my profile works or not? These lines should fix DENIED
message you pasted just earlier, and these *are* in my profile, so not
sure what's wrong with mine (if it is still not working).

AlekseyK (tantrido) wrote :

My profile with lines 164-165 from Yours works. I tried Yours but seems apparmor does not reload/restart profile. I did by instructions in Your repo:

aa-enforce /etc/apparmor.d/usr.bin.skypeforlinux
rcpostfix restart ; rcapparmor restart

And it does not help. Trying also

systemctl reload apparmor.service
systemctl restart apparmor.service

Still using my profile. Only restarting PC helps. How to correctly switch/reload profile?

Vincas Dargis (talkless) wrote :

On 3/2/18 9:15 PM, AlekseyK wrote:
> Still using my profile. Only restarting PC helps. How to correctly
> switch/reload profile?

My profile has a child profile for "locale" (and other profile might not),
maybe that's the issue.

I do not know how to correctly overcome this issue, though one way on my
machine is to launch "sudo /etc/init.d/apparmor teardown" and then
restart apparmor.service. Or reboot.

So after reboot, what DENIED messages my profile produces, if it gives
problems?

AlekseyK (tantrido) wrote :

With Your profile camera does not work - no error, no DENIED message related to /dev/* - just black square. Also Your profile allows full access to HOME dir even after removing "#include
<abstractions/user-download>" which is unacceptable to me. Will use mine. Thanks for Your suggestions - helped much!

Have small question: in my profile URL-click does not work. Produces error message in skype:

Unable to create io-slave. Can not create socket for launching io-slave for protocol 'https'.

produced DENIED log attached. What rule need to add here?

Vincas Dargis (talkless) wrote :

On 3/2/18 11:55 PM, AlekseyK wrote:
> With Your profile camera does not work - no error, no DENIED message related to /dev/* - just black square. Also Your profile allows full access to HOME dir even after removing "#include
> <abstractions/user-download>" which is unacceptable to me. Will use mine. Thanks for Your suggestions - helped much!

That's unfortunate about the camera. I'll try to debug this with
OpenSUSE live cd (it should have one?), not through VM, in order to
debug this.

About home - profile has `/**/ r,` rule that allows to list files and
directories so file browser could browse to any directory from where you
would like to upload some files, but it does not allow to read all the
files.

For example, you might want to allow to upload (read) files from
`/media/storage/myfiles/documents/**` (by adding rule into
local/usr.bin.skypeforlinux) , but you need to browse there via file
browser first somehow...

> Have small question: in my profile URL-click does not work. Produces
> error message in skype:
>
> Unable to create io-slave. Can not create socket for launching io-slave
> for protocol 'https'.
>
> produced DENIED log attached. What rule need to add here?
>
> ** Attachment added: "skype_url_deny.log"
> https://bugs.launchpad.net/apparmor/+bug/1745067/+attachment/5067505/+files/skype_url_deny.log
>

Sorry but that profile has too many denies to offer a single suggestion.
Maybe that line with kde5-open is the culprit.

Vincas Dargis (talkless) wrote :

I have tried my profile on openSUSE KDE & GNOME liveCDs. Sometimes I do get dark video from camera, but it's enough to restart Skype and it works. Not sure what could be the issue here.

AlekseyK (tantrido) wrote :

>Vincas Dargis (talkless) wrote 5 hours ago:
>Maybe that line with kde5-open is the culprit.

Also think so. What rule(s) need to add for it?

>About home - profile has `/**/` r, rule that allows to list files and
>directories so file browser could browse to any directory from where you
>would like to upload some files, but it does not allow to read all the files.

I suggest only allow to browse ~/Download dir. I like my variant however where it can't browse anything: manually enter path ~/Download/Skype. Thanks for explanation however! Useful!

>I have tried my profile on openSUSE KDE & GNOME liveCDs.
>Sometimes I do get dark video from camera,
>but it's enough to restart Skype and it works.

For me restart is not enough with Your profile. You may compare with mine to see the difference: https://askubuntu.com/a/1010702/130585
