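# AppArmor profile confining /usr/bin/skype.
#
# NOTE(review): this copy was flattened onto one line and every `#include`
# lost its `<...>` target during extraction (the angle-bracketed name was
# stripped as markup). The bare `#include` lines are kept where they stood so
# the structure is visible, but the profile will NOT parse until each target
# is restored from the upstream usr.bin.skype profile. The top-level include
# presumably supplies the @{PROC}/@{HOME} tunables used below -- confirm.
#include

/usr/bin/skype {
  # Thirteen abstraction includes in the original; targets lost (see above).
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include

  # Kernel identification and the local ARP cache. The ARP rule is not
  # owner-restricted and exposes the LAN neighbour table to Skype; presumably
  # used for local-network peer discovery -- confirm before tightening.
  @{PROC}/sys/kernel/{ostype,osrelease} r,
  @{PROC}/@{pid}/net/arp r,

  # Introspection of Skype's own processes only (owner-restricted).
  owner @{PROC}/@{pid}/auxv r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/[0-9]*/stat r,

  # Power-supply and CPU-frequency status, read-only.
  /sys/devices/**/power_supply/**/online r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,

  # Devices: /dev listing, PulseAudio shared memory, sound devices, and every
  # V4L video device. `/dev/video* mrw` is the camera grant -- it covers ALL
  # capture devices on the host, not one; narrow the glob if other video
  # devices should stay out of reach.
  /dev/ r,
  owner /{dev,run}/shm/pulse-shm* m,
  /dev/snd/* m,
  /dev/video* mrw,

  /var/cache/libx11/compose/* r,

  # should this be in a separate KDE abstraction?
  owner @{HOME}/.kde{,4}/share/config/kioslaverc r,

  # The binary itself and its Qt/Skype data files. Note that `m` (mmap) is
  # granted only on the *.qm translation catalogs and on the pango/libv4l
  # libraries, not on the rest of /usr/share/skype.
  /usr/bin/skype mr,
  /etc/xdg/sni-qt.conf rk,
  /etc/xdg/Trolltech.conf rk,
  /usr/share/skype/** kr,
  /usr/share/skype/**/*.qm mr,
  /usr/share/skype/sounds/*.wav kr,
  /usr/lib{,32}/pango/** mr,
  /usr/lib{,32}/libv4l/* mr,

  # For opening links in the browser (still requires explicit access to execute
  # the browser). `ix` makes xdg-open inherit this profile instead of
  # transitioning to its own, so whatever it execs is subject to these rules.
  /usr/bin/xdg-open ixr,

  # Per-user state: Skype's own data directory (read/write/lock) and its
  # Qt/Skype configuration. For other ~/.config/*/ directories only the
  # listing is readable (trailing slash), not their contents.
  owner @{HOME}/.Skype/ rw,
  owner @{HOME}/.Skype/** krw,
  owner @{HOME}/.config/ r,
  owner @{HOME}/.config/*/ r,
  owner @{HOME}/.config/Skype/Skype.conf rw,
  owner @{HOME}/.config/Trolltech.conf kr,

  # Skype traverses the .mozilla directory and needs access to prefs.js.
  # Explicitly denied: browser preferences are not something the client
  # should read, and an explicit deny wins over any allow an abstraction
  # above might grant.
  deny owner @{HOME}/.mozilla/ r,
  deny owner @{HOME}/.mozilla/**/ r,
  deny owner @{HOME}/.mozilla/*/*/prefs.js r,

  # Skype also looks around in these directories
  /{,usr/,usr/local/}lib{,32}/ r,

  # Recent skype builds have an executable stack, so it tries to mmap certain
  # files. Let's deny them for now.
  deny /etc/passwd m,
  deny /etc/group m,
  deny /usr/share/fonts/** m,

  # Silence a few non-needed writes
  deny /var/cache/fontconfig/ w,
  deny owner @{HOME}/.fontconfig/ w,
  deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
}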