Skype crashes on start
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
New
|
Undecided
|
Unassigned | ||
openSUSE |
New
|
Undecided
|
Unassigned |
Bug Description
Skype 4.3 crashes on start with default skype profile (usr.bin.skype) from /usr/share/
description: | updated |
Vincas Dargis (talkless) wrote : | #1 |
Vincas Dargis (talkless) wrote : | #2 |
Oh, bug report has marked "openSUSE". I did not test that profile there. I could do that though.
AlekseyK (tantrido) wrote : | #3 |
Thanks! Prefer to use 4.3 as do not know how new skypeforlinux works and spy after me or my data. I like how current skype profile works - it just blocks everything for skype - it even does not see my home dir content. I know it is unsupported however it still works fine and have better functionality comparing to newest one.
However if Your skypeforlinux profile also blocks everything for skype - it is good, could give it a try it in the future.
Vincas Dargis (talkless) wrote : Re: [Bug 1745067] Re: Skype crashes on start | #4 |
On 1/24/18 9:35 PM, AlekseyK wrote:
> Thanks! Prefer to use 4.3 as do not know how new skypeforlinux works and
> spy after me or my data. I like how current skype profile works - it
> just blocks everything for skype - it even does not see my home dir
> content. I know it is unsupported however it still works fine and have
> better functionality comparing to newest one.
>
> However if Your skypeforlinux profile also blocks everything for skype -
> it is good, could give it a try it in the future.
New usr.bin.
download directory for various programs), also allows Downloads and Desktop directories [0]. Dot files in $HOME are
not allowed.
If you care about maximum privacy, I would suggest to use firejail[1] with so-called private home directory, X server
confinement and more. I will be probably the most intrusive way of doing it, as you will have to launch Skype via
firejail (or create a special .desktop launcher I guess), but if convenience is not the concern for you, maybe that's
the better alternative?
[0] https:/
[1] https:/
AlekseyK (tantrido) wrote : | #5 |
>New usr.bin.
>directories [0].
Terrible. Not acceptable. Could You fix old usr.bin.skype profile please?
firejail use seems pretty easy: just prefix necessary command with firejail. Could use it if forced to use modern skype. Old one more preferable for now as I said.
Vincas Dargis (talkless) wrote : | #6 |
On 1/25/18 11:11 PM, AlekseyK wrote:
>> New usr.bin.
>> directories [0].
>
> Terrible. Not acceptable. Could You fix old usr.bin.skype profile
> please?
First of all I do not know where would I get Skype v4 .deb package for my system, and I just doubt I would like to spend
time on deprecated application, sorry.
You could just try to copy my new usr.bin.
> firejail use seems pretty easy: just prefix necessary command with
> firejail. Could use it if forced to use modern skype. Old one more
> preferable for now as I said.
I don't like that approach because you have to explicitly launch it. Of course, adding it into your desktops Autostart
list fixes that, but you could still launch accidentally it without firejail. Another application might launch your
application not in jailed mode too. Too fragile in my taste. But let's not get into off-topic any more. :)
AlekseyK (tantrido) wrote : | #7 |
https:/
download.
AlekseyK (tantrido) wrote : | #8 |
Strange, today skype started normal in enforce mode. :) So will stay on 4.3 for now.
AlekseyK (tantrido) wrote : | #9 |
Sorry, wrong messge. It still crashes like before (just did not restart to check).
AlekseyK (tantrido) wrote : | #10 |
- Patched skype profile Edit (2.6 KiB, text/plain)
I have fixed You profile, now all works just fine, appeared not too complex. :)
1st I ran
>sudo aa-genprof skype
2nd in another terminal I ran skype in complain mode.
3rd I press Scan in 1st terminal with genprof. I mostly interested in fontconfig dirs it was crashing on. When it generated new profile for me based on Yours, I reduced patch to only 3 lines of code:
/usr/share/
/usr/share/
/usr/share/
Patched profile attached. So You can fix it in public and close the issue. Thanks! :)
AlekseyK (tantrido) wrote : | #11 |
One more line added here for correct work:
/usr/share/
AlekseyK (tantrido) wrote : | #12 |
Hi, Vincas
Now I'm trying to use Your new usr.bin.
Also any way to restrict home dir access and allow only some ~/Download/Skype dir? Thanks!
Vincas Dargis (talkless) wrote : | #13 |
On 2/28/18 3:07 PM, AlekseyK wrote:
> Hi, Vincas
>
> Now I'm trying to use Your new usr.bin.
> skypeforlinux won't start with it - runs only in complain mode. How to
> solve? Help me please! Thanks!
What distribution and desktop are you running? I'm using KDE on two
Debian machines, also tested on Ubuntu VM.
Also, please paste DENIED messages from kernel log.
> Also any way to restrict home dir access and allow only some
> ~/Download/Skype dir? Thanks!
In the future (with AppArmor >=3) with so-called Conditionals will be
possible to make profiles more configurable. Selecting what abstractions
to use by changing a variable in singe file would be much better than
allowing too much by default, or asking for user to edit/delete some
lines in profile (in this case "#include <abstractions/
Anyway, you can edit profile and remove that line I've mentioned, and
add this line (in same profile or in
/etc/apparmor.
owner @{HOME}
Alternatively, it could be possible to add `deny` rules into
`/etc/apparmor.
written in <abstractions/
AlekseyK (tantrido) wrote : | #14 |
Found some solution here: https:/
AlekseyK (tantrido) wrote : | #15 |
>Vincas Dargis (talkless) wrote on 2018-01-26:
>What distribution and desktop are you running? I'm using KDE on two
>Debian machines, also tested on Ubuntu VM.
As I said: openSUSE.
> Also any way to restrict home dir access and allow only some
> ~/Download/Skype dir? Thanks!
Profile mentioned here: https:/
owner @{HOME}
The only problem there: camera does not work. I've added following lines from Your profile:
/dev/video[0-9]* m,
/dev/video[0-9]* rw,
owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it
Still does not work. Any ideas?
Vincas Dargis (talkless) wrote : | #16 |
On 2/28/18 7:32 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote on 2018-01-26:
>> What distribution and desktop are you running? I'm using KDE on two
>> Debian machines, also tested on Ubuntu VM.
>
> As I said: openSUSE.
Oh sorry, I forgot that part. Yes I should test on SUSE too, maybe this
weekend.
> The only problem there: camera does not work. I've added following lines
> from Your profile:
>
> /dev/video[0-9]* m,
> /dev/video[0-9]* rw,
> owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it
>
> Still does not work. Any ideas?
I can't comment if I do not see DENIED messages in your kernel log.
Also, profile you are using might have "deny" rules that hides the core
issue. Try removing "deny" rules one by one until maybe camera starts
working.
Vincas Dargis (talkless) wrote : | #17 |
On 2/28/18 7:32 PM, AlekseyK wrote:> Profile mentioned here:
https:/
> access to home dir. I've added only this line:
>
> owner @{HOME}
I've decided to make my profile working by default (including accepting
downloaded files to default places), without requiring user to modify
profile. This is simply a decision author can take.
AlekseyK (tantrido) wrote : | #18 |
>Vincas Dargis (talkless) wrote 39 minutes ago:
>I can't comment if I do not see DENIED messages in your kernel log.
How to see it? Seems /var/log/messages is missed in openSUSE.
>Also, profile you are using might have "deny" rules that hides the core
>issue. Try removing "deny" rules one by one until maybe camera starts>
>working.
https:/
AlekseyK (tantrido) wrote : | #19 |
> This is simply a decision author can take.
I understand this. However skype is terrible thing and such "protection" does nothing.
Vincas Dargis (talkless) wrote : | #20 |
On 2/28/18 8:50 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote 39 minutes ago:
>> I can't comment if I do not see DENIED messages in your kernel log.
> How to see it? Seems /var/log/messages is missed in openSUSE.
If auditd is installed, it should be in /var/log/
If not, running `sudo journalctl -f | fgrep DENIED" before launching
Skype should show DENIED messages.
I have just reproduced crash on OpenSUSE VM, it's due to denied access
to some font-related files. I'll fix that other day (I'm done for today).
Seth Arnold (seth-arnold) wrote : | #21 |
On Wed, Feb 28, 2018 at 06:50:14PM -0000, AlekseyK wrote:
> >I can't comment if I do not see DENIED messages in your kernel log.
> How to see it? Seems /var/log/messages is missed in openSUSE.
dmesg will show the kernel message buffer.
journalctl -k will also show the kernel message buffer if dmesg has also
been removed.
If auditd is installed it is probably logging to /var/log/
and the above options are probably not very useful.
Thanks
AlekseyK (tantrido) wrote : | #22 |
- DENIED log Edit (237.4 KiB, text/plain)
Output attached.
# cat /var/log/
AlekseyK (tantrido) wrote : | #23 |
sudo journalctl -f | fgrep DENIED
shows nothing. Camera in settings shows black screen, when video was not allowed in profile - error was shown in skype dialog. So it works somehow partially: access to /dev/video0 granted but shows nothing - black. In complain mode works fine.
Christian Boltz (cboltz) wrote : | #24 |
If it works in complain mode, this means the problem is missing rules, but not deny rules (deny rules are enforced even in complain mode).
Note that the log messages include ALLOWED instead of DENIED in complain mode, so you'll need to grep for that ;-)
Vincas Dargis (talkless) wrote : | #25 |
On 2/28/18 11:23 PM, AlekseyK wrote:
> sudo journalctl -f | fgrep DENIED
>
> shows nothing.
Because it seems you have auditd running, as you have attached audit
log. If auditd is running, you shound't see relevant stuff with this
command (unless it's userspace DBus error apparently).
`sudo tail -f /var/log/
that case.
AlekseyK (tantrido) wrote : | #26 |
Thank You. While trying to enable video in a call, prints following:
type=AVC msg=audit(
type=AVC msg=audit(
Vincas Dargis (talkless) wrote : | #28 |
I have updated my profile to fix Skype on OpenSUSE [0]. Tested on KDE
and GNOME. I am not sure if webcam should work though... Skype does see
device name, though I can't get video at all even with Cheese, probably
VirtualBox USB forwarding issues or whatever.
On 3/1/18 8:12 PM, AlekseyK wrote:
> Thank You. While trying to enable video in a call, prints following:
>
> type=AVC msg=audit(
> type=AVC msg=audit(
These are fixed in my profile I believe.
[0]
https:/
AlekseyK (tantrido) wrote : | #27 |
What will be the correct rule here?
Vincas Dargis (talkless) wrote : | #29 |
On 3/1/18 8:50 PM, AlekseyK wrote:
> What will be the correct rule here?
Line 164-165:
Or you could just use my profile after removing "#include
<abstractions/
AlekseyK (tantrido) wrote : | #30 |
I've added 3 lines from You profile related to video:
/dev/video* rw,
/dev/video[0-9]* m,
owner /dev/shm/* m, # mmaps /dev/shm/eiSAHx, video does not work without it
Still does not work. Any other need to add?
AlekseyK (tantrido) wrote : | #31 |
With Your complete profile video does not work also:
type=AVC msg=audit(
AlekseyK (tantrido) wrote : | #32 |
>Vincas Dargis (talkless) wrote 22 minutes ago:
>Line 164-165:
After these lines works correctly now! Thank You very much!
Vincas Dargis (talkless) wrote : | #33 |
On 3/1/18 9:33 PM, AlekseyK wrote:
>> Vincas Dargis (talkless) wrote 22 minutes ago:
>> Line 164-165:
> After these lines works correctly now! Thank You very much!
>
I am confused. So my profile works or not? These lines should fix DENIED
message you pasted just earlier, and these *are* in my profile, so not
sure what's wrong with mine (if it is still not working).
AlekseyK (tantrido) wrote : | #34 |
My profile with lines 164-165 from Yours works. I tried Yours but seems apparmor does not reload/restart profile. I did by instructions in Your repo:
aa-enforce /etc/apparmor.
rcpostfix restart ; rcapparmor restart
And it does not help. Trying also
systemctl reload apparmor.service
systemctl restart apparmor.service
Still using my profile. Only restarting PC helps. How to correctly switch/reload profile?
Vincas Dargis (talkless) wrote : | #35 |
On 3/2/18 9:15 PM, AlekseyK wrote:
> Still using my profile. Only restarting PC helps. How to correctly
> switch/reload profile?
My profile has child profile for "locale" (and other profile might not)
, maybe that's the issue.
I do not know how correctly overcome this issue, though one way on my
machine is to launch "sudo /etc/init.
restart apparmor.service. Or reboot.
So after reboot, what DENIED messages my profile produces, if it gives
problems?
AlekseyK (tantrido) wrote : | #36 |
- skype_url_deny.log Edit (17.6 KiB, text/plain)
With Your profile camera does not work - no error, no DENIED message related to /dev/* - just black square. Also Your profile allows full access to HOME dir even with removed removing "#include
<abstractions/
Have small question: in my profile URL-click does not work. Produces error message in skype:
Unable to create io-slave. Can not create socket for launching io-slave for protocol 'https'.
produced DENIED log attached. What rule need to add here?
Vincas Dargis (talkless) wrote : | #37 |
On 3/2/18 11:55 PM, AlekseyK wrote:
> With Your profile camera does not work - no error, no DENIED message related to /dev/* - just black square. Also Your profile allows full access to HOME dir even with removed removing "#include
> <abstractions/
That's unfortunate about the camera. I'll try to debug this with
OpenSUSE live cd (it should have one?), not through VM, in order to
debug this.
About home - profile has `/**/` r, rule that allows to list files and
directories so file browser could browse to any directory from where you
would like to upload some files, but it does not allow to read all the
files.
For example, you might want to allow to upload (read) files from
`/media/
local/usr.
browser first somehow...
> Have small question: in my profile URL-click does not work. Produces
> error message in skype:
>
> Unable to create io-slave. Can not create socket for launching io-slave
> for protocol 'https'.
>
> produced DENIED log attached. What rule need to add here?
>
> ** Attachment added: "skype_
> https:/
>
Sorry but that profiles has too much denies to offer single suggestion.
Maybe that line with kde5-open is the culprit.
Vincas Dargis (talkless) wrote : | #38 |
I have tried my profile on openSUSE KDE & GNOME liveCDs. Sometimes I do get dark video from camera, but it's enough to restart Skype ant it works. Not sure what could be the issue here.
AlekseyK (tantrido) wrote : | #39 |
>Vincas Dargis (talkless) wrote 5 hours ago:
>Maybe that line with kde5-open is the culprit.
Also think so. What rule(s) need to add for it?
>About home - profile has `/**/` r, rule that allows to list files and
>directories so file browser could browse to any directory from where you
>would like to upload some files, but it does not allow to read all the files.
I suggest only allow to browse ~/Download dir. I like my variant however where it can't browse anything: manually enter path ~/Download/Skype. Thanks for explanation however! Useful!
>I have tried my profile on openSUSE KDE & GNOME liveCDs.
>Sometimes I do get dark video from camera,
>but it's enough to restart Skype ant it works.
For me restart is not enough with Your profile. You may compare with mine to see the difference: https:/
Please consider upgrading to newer Skype, as 4.3 is unsupported.
You can use my WIP profile (that I use myself daily) until it get's merged into extras directory:
https:/ /gitlab. com/Talkless/ apparmor/ blob/skypeforli nux/profiles/ apparmor/ profiles/ extras/ usr.bin. skypeforlinux