# HOWTO:
# $ sudo aa-genprof /usr/bin/skype
# $ sudo service apparmor restart
# $ sudo aa-enforce skype
# then monitor syslog for denied operations and add more rules, if required
# INFO: man 5 apparmor.d
# Access modes:
# r - read
# w - write
# m -- allow PROT_EXEC with mmap()
# l -- link
# k -- lock
# *x -- different ways to execute (ix, px, cx, ux, ...). Best: ix (the child runs under this same profile)
#include <tunables/global>
# Profile attached to the /usr/bin/skype executable. Every rule below grants
# access; anything not listed here or in an included abstraction is not allowed
# by this profile once it is in enforce mode.
/usr/bin/skype {
# The "#include" lines are AppArmor directives, not comments: each one pulls a
# shared rule set into this profile, so the contents of those files are part of
# the effective policy and should be reviewed along with the rules below.
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/fonts>
#include <abstractions/video>
#include <abstractions/dbus>
#include <abstractions/nvidia>
#include <abstractions/X>
# System: read-only views of kernel, process and CPU information, plus
# read/write access to the video devices.
# NOTE(review): /proc/sys/kernel/** covers the whole sysctl subtree; confirm
# whether a few specific entries would be enough.
/proc/sys/kernel/** r,
# NOTE(review): @{pid} comes from the tunables; in stock AppArmor it matches
# any numeric PID, not only this process, so this rule allows reads under
# other processes' /proc entries as far as ordinary kernel permissions permit.
# Verify, and narrow to the specific files needed if possible.
@{PROC}/@{pid}/** r,
# Directory listing of /dev/ only; individual device nodes need their own rule.
/dev/ r,
# Presumably the webcam (V4L) device nodes -- confirm.
/dev/video* rw,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
# Executables
# The confined binary may read itself and map it executable (m).
/usr/bin/skype mr,
# ix: pulseaudio is executed under this same profile (no transition to a
# separate profile), so it gets exactly the access granted here.
/usr/bin/pulseaudio rmix,
# Root: system-wide configuration and data.
/etc/xdg/Trolltech.conf rk,
# Broad read and lock access to everything under /usr/share/.
/usr/share/** rk,
# NOTE(review): this grants write access to a system-wide cache directory;
# confirm that writing (rather than only reading) is actually required.
/var/cache/fontconfig/** rwk,
# Home: "owner" limits each rule to files owned by the user running the
# confined process.
owner @{HOME}/.Skype/ rwk,
owner @{HOME}/.Skype/** rwk,
# NOTE(review): unlike .Skype/ above, there is no rule for the
# @{HOME}/.config/Skype/ directory itself, only for its contents -- check
# whether a matching directory rule is needed.
owner @{HOME}/.config/Skype/** rwk,
owner @{HOME}/.kde/share/config/kioslaverc r,
owner @{HOME}/.kde{,4}/share/config/kdeglobals rl,
# Uploads to /tmp/tmp/
# NOTE(review): this rule has no "owner" qualifier, so it applies to files
# under /tmp/tmp/ regardless of who owns them. /tmp is typically shared
# between users; consider prefixing the rule with "owner" after confirming
# the application still works.
/tmp/tmp/** rwk,
}