# restricting skype and wine, disallow use by a user [solved]

## The Doctor

I am intending to install skype and only run it from a new, dedicated user to limit my system's exposure to it. Not installing skype really is not an option, so if there are any other ideas, I would like to hear them.

Second, I would like to disallow my normal user from running skype, just so I don't do it by accident. I can't seem to find any instructions on how to do this on Google.

I would like to do the same thing with wine.

By the way, the method I intend to use is as follows:

1. add a group called skype
2. make a new user with primary group skype and also add it to the audio group
3. add an alias to my .bashrc file: `alias skype="xhost +local: && sudo -u skype /opt/bin/skype"`
4. add `%wheel ALL=(skype) NOPASSWD: /usr/bin/skype` to my sudoers file

This method comes from the Arch Linux Wiki.

I would like to do the same for wine, and even more critically I want to prevent wine from ever starting as my normal user. If it does catch a cold, I don't want it spreading to my data.

Thanks!

----------

## Ant P.

chgrp blobusers, chmod o-x,g+x /usr/bin/wine?
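Putting the two approaches in this thread together, as an added example that is not code from any poster: the original post's dedicated user plus sudoers rule, and Ant P.'s chgrp/chmod lock-down, with a check that reports whether a binary really is restricted to the group. The function names, the /etc/sudoers.d file and the audio group membership are my assumptions; GNU/Linux with coreutils, shadow utils and sudo is assumed throughout.

```shell
#!/bin/sh
# Added example, not from the thread. Implements the two ideas above on GNU/Linux:
# (1) a dedicated user/group for skype with a narrow sudoers rule, and
# (2) Ant P.'s chgrp + chmod o-x,g+x lock-down so the normal user cannot run wine.
# Setup functions need root; the check functions do not. The names skype and
# blobusers are the thread's; user/group/binary are whatever you pass in.

# (1) Dedicated account: primary group GRP plus audio, and let wheel run BIN as it.
setup_dedicated_user() {
    usr="$1"; grp="$2"; bin="$3"
    getent group "$grp" >/dev/null || groupadd "$grp"
    id "$usr" >/dev/null 2>&1 || useradd -m -g "$grp" -G audio "$usr"
    printf '%%wheel ALL=(%s) NOPASSWD: %s\n' "$usr" "$bin" > "/etc/sudoers.d/$usr"
    chmod 0440 "/etc/sudoers.d/$usr"
    visudo -cf "/etc/sudoers.d/$usr"     # refuse a syntactically broken rule
}

# (2) Restrict BIN to members of GRP: the group gets x, everyone else loses it.
restrict_to_group() {
    bin="$1"; grp="$2"
    getent group "$grp" >/dev/null || groupadd "$grp"
    chgrp "$grp" "$bin" && chmod o-x,g+x "$bin"
}

# First 10 characters of ls -l, e.g. -rwxr-x---
mode_string() { ls -ld "$1" | cut -c1-10; }

# 0 if "other" still has execute (the unconfined state), 1 otherwise.
other_can_exec() {
    case "$(mode_string "$1")" in
        *[xt]) return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 only if BIN is group-owned by GRP, group has x (or s) and other has no x.
is_restricted() {
    bin="$1"; grp="$2"
    [ "$(ls -ld "$bin" | awk '{print $4}')" = "$grp" ] || return 1
    case "$(mode_string "$bin")" in
        ??????[xs]??[-T]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Usage (as root): restrict_to_group /usr/bin/wine blobusers
#                  is_restricted /usr/bin/wine blobusers && echo "wine is confined"
```

The `xhost +local:` in the alias opens the X display to every local user, so it is the weakest part of the setup; the sudoers rule matches only the exact path it names, which must be the same path the alias runs.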

----------

## PaulBredbury

*penguin swordmaster wrote:*

> limit my system's exposure to it

I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.

----------

## The Doctor

*Ant P. wrote:*

> chgrp blobusers, chmod o-x,g+x /usr/bin/wine?

Thanks, that works!

----------

## The Doctor

*PaulBredbury wrote:*

> *penguin swordmaster wrote:* limit my system's exposure to it
>
> I run skype (along with e.g. firefox) under AppArmor. I'd recommend it.

Thanks for the recommendation, I'll look into it.

----------

## Jacekalex

AppArmor is a good choice, but it requires a patch to ensure compatibility with version 2.4, which I have not found (working) on kernels older than 3.2.9, not to mention version 3.5.3, which I'm currently using.

Without this patch you will see this result:

```
/etc/init.d/apparmor start
apparmor | * Starting apparmor ...
apparmor | * apparmor compatibility is not present in the kernel [!! ]
apparmor | * ERROR: apparmor failed to start
```

You can also use Grsecurity and set up the ACL policy for the system; step-by-step information is on the Gentoo Hardened wiki.

A sample grsecurity ACL profile for skype (skype runs as a separate user, voip):

```
subject /opt/skype/skype o {
   /                                  h
   /SYSV00000000                      x
   /SYSV00003400                      x
   /SYSV00003401                      x
   /dev
   /dev/grsec                         h
   /dev/kmem                          h
   /dev/log                           h
   /dev/mem                           h
   /dev/null                          rw
   /dev/port                          h
   /dev/snd                           rxw
   /dev/urandom                       r
   /dev/video1                        rw
   /etc                               rx
   /etc/grsec                         h
   /etc/gshadow                       h
   /etc/ppp                           h
   /etc/samba/smbpasswd               h
   /etc/shadow                        h
   /etc/ssh                           h
   /etc/ssl/private                   h
   /home                              h
   /home/*/.ssh                       h
   /home/*/.purple                    h
   /home/*/.mozilla                   h
   /home/*/.opera                     h
   /home/*/.thunderbird               h
   /home/voip                         rw
   /home/voip/.Skype                  rwcd
   /home/voip/.Skype/{PROFILE_NAME}   rwcd
   /home/voip/.Skype/shared_dynco
   /home/voip/.Skype/shared_dynco/dc.db           rw
   /home/voip/.Skype/shared_dynco/dc.db-journal   rwcd
   /home/voip/.Skype/shared_dynco/dc.lock         rwcd
   /home/voip/.Skype/shared_httpfe
   /home/voip/.Skype/shared_httpfe/queue.db       rw
   /home/voip/.Skype/shared_httpfe/queue.lock     rwcd
   /lib                               rx
   /lib/modules                       h
   /opt
   /opt/skype                         rx
   /proc                              r
   /proc/bus                          h
   /proc/kallsyms                     h
   /proc/kcore                        h
   /proc/modules                      h
   /proc/slabinfo                     h
   /selinux
   /tmp                               rwcd
   /usr
   /usr/bin/dbus-launch               x
   /usr/lib                           rx
   /usr/share                         rx
   /usr/src                           h
   /var                               h
   /var/cache                         h
   /var/cache/fontconfig              rx
   /var/lib                           h
   /var/lib/dbus/machine-id           r
   -CAP_ALL
   bind 127.0.0.1/32:0 dgram udp
   bind 0.0.0.0/32:0 stream dgram ip tcp udp
   bind 0.0.0.0/32:7334 stream dgram ip tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect 0.0.0.0/0:443 stream dgram tcp udp
   connect 0.0.0.0/0:80 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   sock_allow_family netlink
}
```

These are rules automatically generated in gradm learning mode.

http://www.gentoo.org/proj/en/hardened/grsecurity.xml

Cheers


----------

## PaulBredbury

*Jacekalex wrote:*

> patch

Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.

*Jacekalex wrote:*

> to ensure compatibility with version 2.4

Version 2.4 of *what*?

----------

## Jacekalex

*PaulBredbury wrote:*

> *Jacekalex wrote:* patch
>
> Get apparmor-whatever.tar.gz from launchpad, and look in the "kernel-patches" dir - currently has patches for linux 3.0 to 3.4.
>
> ......
> ...

```
echo $PWD
/usr/src/linux-3.4.7-hardened
patch -p1 < ../patch34/3.4/0002-UBUNTU-SAUCE-AppArmor-basic-networking-rules.patch
patching file security/apparmor/.gitignore
patching file security/apparmor/Makefile
patching file security/apparmor/apparmorfs.c
Hunk #1 succeeded at 201 (offset -226 lines).
patching file security/apparmor/include/audit.h
patching file security/apparmor/include/net.h
patching file security/apparmor/include/policy.h
patching file security/apparmor/lsm.c
Hunk #2 FAILED at 623.
1 out of 3 hunks FAILED -- saving rejects to file security/apparmor/lsm.c.rej
patching file security/apparmor/net.c
patching file security/apparmor/policy.c
patching file security/apparmor/policy_unpack.c
```

```
cat security/apparmor/lsm.c.rej
security/apparmor/lsm.c.rej
--- security/apparmor/lsm.c

+++ security/apparmor/lsm.c

@@ -623,6 +624,104 @@

    return error;

 }

 

+static int apparmor_socket_create(int family, int type, int protocol, int kern)

+{

+   struct aa_profile *profile;

+   int error = 0;

+

+   if (kern)

+      return 0;

+

+   profile = __aa_current_profile();

+   if (!unconfined(profile))

+      error = aa_net_perm(OP_CREATE, profile, family, type, protocol,

+                NULL);

+   return error;

+}

+

+static int apparmor_socket_bind(struct socket *sock,

+            struct sockaddr *address, int addrlen)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_BIND, sk);

+}

+

+static int apparmor_socket_connect(struct socket *sock,

+               struct sockaddr *address, int addrlen)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_CONNECT, sk);

+}

+

+static int apparmor_socket_listen(struct socket *sock, int backlog)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_LISTEN, sk);

+}

+

+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_ACCEPT, sk);

+}

+

+static int apparmor_socket_sendmsg(struct socket *sock,

+               struct msghdr *msg, int size)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_SENDMSG, sk);

+}

+

+static int apparmor_socket_recvmsg(struct socket *sock,

+               struct msghdr *msg, int size, int flags)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_RECVMSG, sk);

+}

+

+static int apparmor_socket_getsockname(struct socket *sock)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_GETSOCKNAME, sk);

+}

+

+static int apparmor_socket_getpeername(struct socket *sock)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_GETPEERNAME, sk);

+}

+

+static int apparmor_socket_getsockopt(struct socket *sock, int level,

+                  int optname)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_GETSOCKOPT, sk);

+}

+

+static int apparmor_socket_setsockopt(struct socket *sock, int level,

+                  int optname)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_SETSOCKOPT, sk);

+}

+

+static int apparmor_socket_shutdown(struct socket *sock, int how)

+{

+   struct sock *sk = sock->sk;

+

+   return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);

+}

+

 static struct security_operations apparmor_ops = {

    .name =            "apparmor",

```
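Review bot: The hunk's leading context (`return error;`, `}` and a blank line) is too generic to anchor a hundred-line insertion, which is why `patch` reported "Hunk #2 FAILED at 623" in the 3.4.7-hardened tree while the neighbouring hunks applied with an offset; since the rejected body is pure additions that end immediately before `static struct security_operations apparmor_ops = {`, it can be placed by hand at that point in security/apparmor/lsm.c. Two things to verify after doing so: the new functions call aa_net_perm() and aa_revalidate_sk() with OP_* values that only exist once the net.h and net.c parts of the same patch are in place, and this hunk merely defines the socket hooks without registering `.socket_create` and friends in apparmor_ops, so the hunk that wires them in must also have applied cleanly or the hooks are dead code and no network mediation happens. The unused `address`/`addrlen` parameters in the bind and connect hooks are a style point only.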

Generally, perhaps one day AppArmor will have real support in Gentoo, but for now the userspace is in an overlay and the kernel requires patches from Ubuntu. I would not call this normal support, which for a subsystem responsible for the safety of the system is very important.

In general, I do not understand: if compatibility with the userspace apparmor-2.4 version is needed, how did it happen that the kernel AppArmor went without this (very important) compatibility?

Both Grsecurity in hardened-sources and SELinux in all sources do not need any special patch; they just work.

Cheers


----------

