Comment 5 for bug 1191858

Seth Arnold (seth-arnold) wrote :

'k' just allows the use of fcntl(2)-based advisory file locking. Allowing the program to lock its own configuration file is almost certainly harmless.

The xdg-open command is significantly harder to deal with -- it is probably using that to spawn a web browser, via a tool designed to make it easier to have any number of tools providing services for a given request.

I don't know what would be best here -- on the one hand, you want to allow Skype to eventually start a browser, but you'd like it to be safe.

We'll need to discuss how to handle this, and the XDG download directory, on the apparmor mail list, because I'm unfamiliar enough with xdg-open to know the best course of action.

If you mostly trust Skype, you can add /usr/bin/gvfs-open Ux. If you mostly distrust Skype, you should probably create a child profile for xdg-open (/usr/bin/xdg-open cx -> xdg_open, then add a new block to the profile, nested within, "profile xdg_open { /usr/bin/xdg-open ix, /usr/bin/firefox Px, .... }"). It might take some experimentation to find the best balance of convenience versus safety for this case.
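An added example, not part of the comment above and not AppArmor project code: a small audit script that lists the exec rules in a profile and reports which confinement each spawned program ends up in, run here over a constructed profile that puts the two options from the comment side by side. The profile path /usr/bin/skype and the function name audit_exec_rules are assumptions, and the parser handles only plain path rules and profile headers without flags.

```python
import re

# Constructed sample: /usr/bin/skype is an assumed path for the confined
# program; the rules are the two options from the comment, side by side.
SAMPLE_PROFILE = """\
/usr/bin/skype {
  /usr/bin/gvfs-open Ux,
  /usr/bin/xdg-open cx -> xdg_open,
  profile xdg_open {
    /usr/bin/xdg-open ix,
    /usr/bin/firefox Px,
  }
}
"""

EFFECT = {"i": "inherit current profile", "c": "child profile",
          "p": "target's own profile", "u": "unconfined"}
HEADER = re.compile(r"^\s*(?:profile\s+)?(\S+)\s*\{\s*$")
RULE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+)\s*(?:->\s*(\S+?))?\s*,\s*$")
EXEC = re.compile(r"([pPcC][iuU]?|[iuU])x")  # ix, Px, cx, Ux, Pix, ...

def audit_exec_rules(text):
    """List every exec rule with the confinement the new process ends up in."""
    stack, findings = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = HEADER.match(line)
        if header:                       # entering a (possibly nested) profile
            stack.append(header.group(1))
        elif line == "}" and stack:      # leaving it
            stack.pop()
        else:
            rule = RULE.match(line)
            mode = EXEC.search(rule.group(2)) if rule else None
            if mode:
                first = mode.group(1)[0]
                findings.append({
                    "profile": "//".join(stack),   # child profiles are parent//child
                    "path": rule.group(1),
                    "mode": mode.group(0),
                    "effect": EFFECT[first.lower()],
                    "scrubs_env": first.isupper(),  # uppercase P/C/U scrub the environment
                    "unconfined": "u" in mode.group(1).lower(),
                })
    return findings

if __name__ == "__main__":
    for f in audit_exec_rules(SAMPLE_PROFILE):
        print("REVIEW" if f["unconfined"] else "ok", f)
```

On the sample, only the gvfs-open Ux rule is marked for review; the xdg-open and firefox rules keep the spawned programs under a profile.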