Originally posted by DrYak
A different possibility would be AppArmor:
Notes:
- NOT tested against today's Skype 4.3 (yet).
- you should edit which sub-part of /home/ you need to allow access to skype (Documents, etc.)
- in order not to break pulseaudio, this profile enables dbus. But there's currently no fine-grained control of dbus in AppArmor. (you can't restrict Skype to only pulseaudio-related namespace).
To all systemd-haters:
- this is actually the kind of stuff that systemd is going to make much more simple:
- start any "suspicious software" in its own LXC session (fast, without much configuring) and use portals and similar to communicate with the actual desktop.
Code:
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/dbus-session>

  # Network access
  network dgram,
  network stream,

  # User data directories (edit to taste, see notes)
  /home/*/Documents/** r,
  /home/*/Documents/ r,
  /home/*/Pictures/** rw,
  /home/*/Pictures/ rw,
  /home/*/download/** rw,
  /home/*/download/ rw,

  # Explicit denials
  deny /bin/bash r,
  deny /etc/group m,
  deny /etc/passwd m,
  deny owner /home/*/ r,
  deny /home/*/.kde4/share/config/ w,
  deny /home/*/.mozilla/ r,
  deny owner /home/*/Documents/ r,
  deny owner /home/*/* w,
  deny /proc/*/net/route r,
  deny /sys/devices/system/cpu/ r,
  deny /usr/bin/dbus-launch x,
  deny /usr/bin/kfmclient x,
  deny /usr/bin/xdg-open x,
  deny /usr/lib64/firefox/firefox.sh x,

  # Helper run unconfined
  /usr/bin/pavucontrol Ux,

  # Devices (sound, video, shared memory)
  /dev/ r,
  /dev/shm/ r,
  owner /dev/shm/pulse-shm-* mrw,
  /dev/snd/* mrw,
  /dev/video* mrw,

  # System configuration
  /etc/X11/fs/config r,
  /etc/kde4/share/config/kdebugrc r,
  /etc/kde4rc r,
  /etc/ssl/openssl.cnf r,
  /etc/pulse/client.conf r,
  /etc/alsa-pulse.conf r,
  /etc/asound-pulse.conf r,

  # Per-user configuration and Skype's own data
  owner /home/*/.ICEauthority r,
  owner /home/*/.Skype rw,
  owner /home/*/.Skype/ rw,
  owner /home/*/.Skype/** rwk,
  owner /home/*/.Xauthority r,
  owner /home/*/.asoundrc r,
  owner /home/*/.config/Polyester/Style.conf rk,
  owner /home/*/.config/Trolltech.conf rwk,
  owner /home/*/.fontconfig/ w,
  owner /home/*/.fontconfig/* mrw,
  owner /home/*/.fonts.conf r,
  owner /home/*/.fonts/** m,
  owner /home/*/.icons/** r,
  owner /home/*/.kde*/share/config/kdeglobals rk,
  owner /home/*/.kde/share/config/kioslaverc r,
  owner /home/*/.kde4/share/config/kdebugrc r,
  owner /home/*/.pulse-cookie rwk,
  owner /home/*/.pulse/ rw,
  owner /home/*/.qt/* rw,

  # Binaries, plugins, fonts and other shared data
  /opt/kde3/share/fonts/ r,
  /opt/kde3/share/fonts/** mr,
  owner /proc/*/fd/ r,
  /proc/interrupts r,
  /usr/bin/skype mr,
  /usr/lib/qt4/plugins/iconengines/ r,
  /usr/lib/qt4/plugins/imageformats/ r,
  /usr/lib/qt4/plugins/inputmethods/ r,
  /usr/lib64/jvm/java*/jre/lib/fonts/** mr,
  /usr/share/X11/XKeysymDB r,
  /usr/share/X11/locale/** r,
  /usr/share/desktop-data/qtrc r,
  /usr/share/fonts/ r,
  /usr/share/fonts/** mr,
  /usr/share/ghostscript/fonts/ r,
  /usr/share/ghostscript/fonts/** mr,
  /usr/share/icons/** mrk,
  /usr/share/kde4/config/kdebug.areas r,
  /usr/share/kde4/config/kdebugrc r,
  /usr/share/skype/lang/* mr,
  /usr/share/skype/sound/* r,
  /usr/share/skype/sounds/* rk,
  /usr/share/ssl/ r,
  /usr/share/texmf/fonts/** r,
  /var/lib/dbus/machine-id r,
  owner /var/tmp/kdecache-*/icon-cache.kcache mrw,
  owner /var/tmp/kdecache-*/kpc/kde-icon-cache.data mrw,
  owner /var/tmp/kdecache-*/kpc/kde-icon-cache.index mrw,
}
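An added example (not part of the quoted post, and not AppArmor's own code): a small Python model of how the file rules in the profile above combine, useful when editing which parts of /home/ Skype may reach. It is a simplified model that assumes the process owns the files (so `owner` rules apply), handles only `*` and `**` globs, ignores the `#include`d abstractions, and is queried with constructed sample paths such as `/home/alice/...`.

```python
import re

# Excerpt of file rules copied from the profile above; abstractions are not modelled.
RULES = """
/home/*/Documents/** r,
/home/*/Documents/ r,
/home/*/Pictures/** rw,
deny owner /home/*/ r,
deny /home/*/.mozilla/ r,
deny owner /home/*/Documents/ r,
deny owner /home/*/* w,
owner /home/*/.Skype/ rw,
owner /home/*/.Skype/** rwk,
owner /home/*/.pulse-cookie rwk,
"""

def glob_to_regex(glob):
    """'**' crosses '/', '*' does not; right after a '/' a glob needs >= 1 char."""
    out, prev = [], ""
    for part in re.split(r"(\*\*|\*)", glob):
        after_slash = prev.endswith("/")
        if part == "**":
            out.append("[^/].*" if after_slash else ".*")
        elif part == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
        else:
            out.append(re.escape(part))
        prev = part
    return re.compile("".join(out))

def parse(text):
    """Yield (is_deny, compiled_path, perms) for each file rule line."""
    for line in text.splitlines():
        words = line.strip().rstrip(",").split()
        if words:
            # 'owner' is dropped: the model assumes the process owns the file
            path, perms = [w for w in words if w not in ("deny", "owner")]
            yield words[0] == "deny", glob_to_regex(path), set(perms)

def effective(path, rules=RULES):
    """Permissions left for `path`: union of allows minus union of denies."""
    allow, deny = set(), set()
    for is_deny, rx, perms in parse(rules):
        if rx.fullmatch(path):
            (deny if is_deny else allow).update(perms)
    return "".join(sorted(allow - deny))

if __name__ == "__main__":
    for p in ("/home/alice/Documents/", "/home/alice/.pulse-cookie"):  # constructed
        print(p, repr(effective(p)))
```

In this model `deny owner /home/*/* w` strips `w` from `/home/alice/.pulse-cookie`, and the Documents directory itself ends up with no permissions while files inside it stay readable. Treat the output as a reading aid and confirm behaviour on a real system with the profile in complain mode.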