= Sandboxing Skype =

Skype is a closed-source, proprietary application that should not be trusted. This section describes how to run it in a sandbox: under a separate, unprivileged user account and inside firejail. The instructions here have been tested with the version of Skype 4.3 for Linux that is available in the Ubuntu software repository.

Unfortunately, audio does not work reliably on Xubuntu 16.04 as of January 2017, so this method is not really usable in practice. This is probably a PulseAudio issue: the instructions on this page work sometimes, but often enough Skype does not get access to the audio hardware. I tried to debug this problem to no avail. And then I saw the following article:

LWN article "Maintainers for desktop 'critical infrastructure'": https://lwn.net/Articles/711337/ . Look for the user comment "The multi-user system setup described is certainly something PulseAudio promised to provide".

It has certainly been a pain to try to get PulseAudio to work with more than one user account. It is true that the documentation is lacking. If you know the solution, please drop me a line.

System Configuration (to do only once per computer)

 * Add a separate user account for Skype with the following commands:
     sudo groupadd skypegroup
     sudo useradd --create-home --gid skypegroup --groups audio,video -s /bin/bash skypeuser
   Notes about the commands above are:
 * Membership of the video group is necessary in order to access the webcam.
 * Membership of the audio group is necessary in order to access the local hardware sound devices over PulseAudio. Otherwise, if you open PulseAudio's volume control applet (pavucontrol) under the skypeuser account in a window on your main user account's session, you will notice that skypeuser only has access to the "Dummy Output" sound device. There is lots of advice on the Internet that no user should be a member of the audio group, and indeed your normal user account is not a member, so I do not quite understand this. I guess on Ubuntu membership of the audio group overrides the standard audio permissions based on the currently logged-on user.
 * The new user has no password yet, so you cannot log on with this account in any way other than via sudo from an account that is allowed to do so.
 * Make sure that the skypeuser account cannot access your home directory. By default, all accounts can read other users' home directories. See further above for details. You can test the new account like this:
     sudo --user=skypeuser --set-home bash -c "cd \$HOME && bash"
   From that shell, try to list your own home directory; it should fail with "Permission denied".
 * It is probably a good idea that nobody else can access skypeuser's home directory either, since Skype stores its configuration there, and the start command below writes its log file there too.

Starting Skype

 * Authorise the Skype user account to access the X server:
     xhost +SI:localuser:skypeuser
   "SI" means "Server Interpreted", and localuser:username instructs the X server to authorise all local clients running as user username. The authorisation is not persistent: it is lost when the X server restarts, that is, when you log out. Issue command "xhost" to see all authorised users. See also commands "xauth info" and "xauth list". Note that the X protocol offers no isolation between authorised clients, so Skype running as skypeuser can still read keyboard input and window contents of your other applications; see the note on Xephyr further below.
 * Remove from the X11 root window the information that PulseAudio publishes on start-up. The command is:
     pax11publish -r
   When you start your normal user's session, PulseAudio publishes the address of its server and an access cookie as properties of the X11 root window, see start-pulseaudio-x11 for more information. The PulseAudio client library consults these properties to find a server, so if you do not clear them with "pax11publish -r", then "pulseaudio --start" will fail under the skypeuser account. I do not know what negative consequences clearing PulseAudio's configuration data from the X11 root window would have on other sound applications. On my system, everything keeps running as usual. I guess the system defaults work so well that this specific information is not actually necessary. Because of X11's lax security, you can run "pax11publish -r" beforehand on your normal user account, or afterwards on the skypeuser account.
 * Start Skype like this:
     sudo --user=skypeuser --set-home bash -c "cd \$HOME && pulseaudio --start && { nohup firejail skype >\$HOME/SkypeLog.txt 2>&1 & }"
   Remarks about this are:
 * The first time you start Skype under a new user account, it will take several seconds to open up.
 * You can open PulseAudio's volume control applet (pavucontrol) within Skype like this: Menu "Options", "Sound Devices", button "Open PulseAudio Volume Control".
 * firejail does not let Skype start the PulseAudio daemon automatically, so it has to be started manually beforehand (that is the "pulseaudio --start" in the command above). If PulseAudio does not start, Skype will not offer a button to open PulseAudio's volume control applet (pavucontrol), and all of Skype's sound devices (microphone, speakers, ringing) will be limited to the "Virtual Device", which means that sound will not work at all.
 * firejail comes with a configuration file for Skype. If you run the command in a console, you should see the following message: Reading profile /etc/firejail/skype.profile
 * If the microphone does not work, beware that it is disabled (muted) by default. You can enable it with the volume control applet (pavucontrol).
 * Use the following scripts to automate the steps above. The scripts do additional error checking. https://github.com/rdiez/Tools/tree/master/SandboxingSkype
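As an added example (not one of the author's scripts linked above), the following POSIX shell script puts the system-configuration checks and the start sequence of the two lists above into one place: it verifies that the skypeuser account exists and belongs to the audio and video groups, that neither your home directory nor skypeuser's is accessible to other accounts, and that the X server authorisation is in place, and only then runs the pax11publish, pulseaudio and firejail steps. The check functions, the SKYPE_USER variable and the "--start" flag are this example's own; it assumes GNU coreutils (stat -c), glibc getent, the X.Org xhost utility, sudo and firejail.

```shell
#!/bin/sh
# Added example, not one of the page's own scripts: preflight checks for the
# Skype sandbox account, followed by the launch sequence described above.
# Assumptions: GNU coreutils (stat -c), glibc getent, X.Org xhost, sudo, firejail.
# Source this file to get the check functions; run "sh sandbox-skype.sh --start"
# to check and then launch Skype.

SKYPE_USER="${SKYPE_USER:-skypeuser}"

# Succeeds if nobody outside the owner's group can enter or list DIR, i.e. the
# "others" octal digit of its mode is 0 (700, 750, 2750, ...).
dir_private_from_others() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeeds if the whitespace-separated group list in $1 contains every group
# named after it. Kept separate from the account lookup so it can be tested
# without a real skypeuser account.
groups_contain() {
    members=$1; shift
    for wanted in "$@"; do
        found=1
        for m in $members; do
            if [ "$m" = "$wanted" ]; then found=0; break; fi
        done
        if [ "$found" -ne 0 ]; then return 1; fi
    done
    return 0
}

# Succeeds if USER belongs (primary or supplementary group) to all GROUPS.
user_in_groups() {
    user=$1; shift
    members=$(id -nG "$user" 2>/dev/null) || return 2
    groups_contain "$members" "$@"
}

# Succeeds if the "xhost" listing passed in $1 contains an SI:localuser entry for $2.
xhost_grants_user() {
    printf '%s\n' "$1" | grep -qx "SI:localuser:$2"
}

preflight() {
    skype_home=$(getent passwd "$SKYPE_USER" | cut -d: -f6)
    if [ -z "$skype_home" ]; then
        echo "No account $SKYPE_USER; create it as described above." >&2; return 1
    fi
    if ! user_in_groups "$SKYPE_USER" audio video; then
        echo "$SKYPE_USER must be a member of groups audio and video." >&2; return 1
    fi
    if ! dir_private_from_others "$HOME"; then
        echo "$HOME is accessible to other accounts; consider: chmod o-rwx $HOME" >&2; return 1
    fi
    if ! dir_private_from_others "$skype_home"; then
        echo "$skype_home is accessible to other accounts; consider: sudo chmod o-rwx $skype_home" >&2; return 1
    fi
    if ! xhost_grants_user "$(xhost)" "$SKYPE_USER"; then
        echo "X server not authorised; run: xhost +SI:localuser:$SKYPE_USER" >&2; return 1
    fi
}

start_skype() {
    preflight || return 1
    # Clear the PulseAudio properties of our session from the X11 root window.
    pax11publish -r
    # Single quotes: $HOME expands in skypeuser's shell, where sudo --set-home
    # has pointed it at skypeuser's home directory.
    sudo --user="$SKYPE_USER" --set-home bash -c \
        'cd "$HOME" && pulseaudio --start && { nohup firejail skype >"$HOME/SkypeLog.txt" 2>&1 & }'
}

if [ "${1:-}" = "--start" ]; then
    start_skype
fi
```

The checks deliberately fail closed: a missing group membership or a world-readable home directory stops the launch with a hint, rather than starting Skype with the "Dummy Output" device or with access to your files.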

Some other notes I have kept

 * Firejail's website mentions a workaround for older PulseAudio versions. It may be worth investigating those. Search for option --fix-sound.
 * I am having trouble with pulseaudio when I connect the USB headphones, but only from the Skype user account, at least on one laptop I have tried. The headphones just stop working after a few seconds.
 * The Arch Wiki has information about sandboxing with systemd-nspawn.
 * You could use Xephyr to sandbox Skype so that it cannot access other user applications over the insecure X server environment. Note that -ac disables access control on the nested server, so any local user can connect to display :1. Unfortunately, Xephyr did not work on my Xubuntu LTS 16.04 with the following suggested commands, Skype just did not start.
     Xephyr -ac -br -noreset -screen 1280x800 :1 &
     DISPLAY=:1 firejail skype
 * I have seen advice about letting pulseaudio connect over TCP/IP, but it does not seem necessary. Notes kept:
 * Install package paprefs and start the paprefs applet on your normal user account. Under "Network Server", tick option "Enable network access to local sound devices". The server will listen on port 4713/tcp. Restart the audio server with "pulseaudio --kill" (or log out and log in again). Check whether the server is listening with "netstat --listen --tcp --programs | grep 4713".
 * Change the Skype start script like this: pulseaudio --load \"module-native-protocol-tcp auth-ip-acl=127.0.0.1\" . The backslashes are needed because the command sits inside the double-quoted bash -c string of the start command above. The auth-ip-acl argument of module-native-protocol-tcp does not take a hostname like localhost, only IP addresses.