Tero Karvinen - Articles - Downloads - Courses - Contact

Table of Contents

Skype in a Sandbox

Skype is a closed source VoIP phone that works. Skype makes heavy use of traffic obfuscation and encryption; binary is encrypted and uses many anti-debugger techniques. Because it’s hard to trust a closed source program that keeps sending unknown data to trough Internet, I wanted to run Skype in a sandbox. This way, it can’t access all data on my system.

This article is a work in process, alpha quality. Many notes here are not detailed or double checked at all.

Get Skype

Get Skype static, linux, 32 bit (because there is no amd64 version). Don’t run it yet.

To make it work on amd64, install 32 bit / x86 compatibility libraries:

$ sudo apt-get install ia32-libs

(This fixes the error: $ /home/tero/skype/skype bash: /home/tero/skype/skype: No such file or directory)

Run Apparmor, run Skype

Set up apparmor as described by Kaivola 2007: App Armorin käyttäminen (local mirror)

$ sudo genprof /home/tero/skype/skype

Open another console and run skype

$ sudo genprof /home/tero/skype/skype

Create a profile, make a test call. Quit skype.

Get back to genprof window. Scan for events “S” and choose 123, G, A or D.

Finally, S save and F finnish.

Run Skype with Restrictions

$ sudo aa-enforce skype
Setting /home/tee/skype/skype to enforce mode.

Check with

$ sudo sudo apparmor_status

Readymade Profile

I replaced /etc/apparmor.d/home.tero.skype.skype with the Skype profile from article by Kaivola

# Last Modified: Wed Nov 28 19:26:07 2007
#include <tunables/global>
/home/tee/skype/skype {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  /etc/gai.conf r,
  /home/*/.ICEauthority r,
  /home/*/.Skype/** krw,
  /home/*/.Xauthority r,
  /home/*/.config/* kr,
  /home/*/.kde/share/config/kioslaverc r,
  /proc/*/cmdline r,
  /tmp/.ICE-unix/* w,
  /tmp/.X11-unix/* w,
  /usr/bin/skype mr,
  /usr/share/X11/* r,
  /usr/share/icons/** r,
  /usr/share/skype/** kr,
}
$ sudo /etc/init.d/apparmor restart

Remember to verify that some actions are really blocked. You can also check it with

$ dmesg

Limiting Network Access

Could use Firetero iptables firewall to limit network capacity used by Skype.

Where are Open Source Encrypting Phones?

I’d love to have an open source encrypting VoIP phone with NAT bypass.

Last modified: 2007-11-29. Permanent url: http://www.iki.fi/karvinen/skype_in_a_sandbox.html

Tero Karvinen www.iki.fi/karvinen - Top - Validate HTML - Validate CSS