Skype liest unter anderem /etc/passwd. Ich mag das nicht. Mit AppArmor lässt sich Skype einsperren.
/etc/apparmor.d/usr.bin.skype:
#include <tunables/global>
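/usr/bin/skype {
  # AppArmor profile confining /usr/bin/skype.
  # Permission letters used below: r = read, w = write, m = mmap executable,
  # k = file locking, Ux = execute unconfined with a scrubbed environment.

  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>
  #include <abstractions/kde>
  # NOTE(review): the stock nameservice abstraction normally grants read
  # access to /etc/passwd and /etc/group (verify against the copy installed
  # in /etc/apparmor.d/abstractions/nameservice). With this include the
  # profile most likely still lets Skype read /etc/passwd. If blocking that
  # read is the goal, add an explicit "deny /etc/passwd r," rule (deny takes
  # precedence over allow) and test that Skype still starts and resolves names.
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/user-tmp>
  #include <abstractions/X>

  # for video
  /dev/ r,
  /dev/video* rw,

  # pulse audio
  /dev/snd/* m,
  /{dev,run}/shm/* m,
  # NOTE(review): Ux starts these helpers outside any confinement, so whatever
  # they do is not restricted by this profile. Consider PUx (use the helper's
  # own profile when one is loaded) or a dedicated profile — needs testing.
  /usr/bin/pulseaudio Ux,
  /usr/bin/pavucontrol Ux,
  /var/lib/dbus/machine-id r,

  # Original author's note: unclear why Skype needs these CPU entries.
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq r,
  /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq r,

  # TODO: narrow down. The "*" in the PID position matches every process on
  # the system, not only Skype's own, so this exposes task lists, status and
  # the ARP table view of all processes.
  /proc/*/task/ r,
  /proc/*/task/*/stat r,
  /proc/*/status r,
  /proc/*/net/arp r,

  # Skype binary and its read-only application data.
  /usr/bin/skype mr,
  /usr/share/skype/** kr,
  # Already covered by the "**" rule above; kept from the original profile.
  /usr/share/skype/sounds/*.wav kr,
  /usr/share/skype/lang/* m,

  # Per-user Skype state.
  @{HOME}/.Skype/ rw,
  @{HOME}/.Skype/** krw,
  # Skype tries to create this dir. A trailing "**" only matches entries
  # below the directory, so the directory itself needs its own rule
  # (same pattern as the .Skype pair above).
  @{HOME}/.config/Skype/ rw,
  @{HOME}/.config/Skype/** krw,

  # Qt settings, locale data, pango module, themes and fonts.
  /etc/xdg/Trolltech.conf rk,
  /usr/share/locale-langpack/** m,
  /usr/lib/i386-linux-gnu/pango/*/modules/pango-basic-fc.so m,
  /usr/share/themes/** r,
  /usr/share/fonts/** m,
  /usr/local/share/fonts/** m,
}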