[GH-ISSUE #2933] skypeforlinux 8.51.0.86 now requires SYS_ADMIN, SYS_CHROOT capabilities

gitea-mirror commented

2026-05-05 08:29:52 -06:00

Owner

Originally created by @vutny on GitHub (Aug 27, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2933

The newest stable Skype version 8.51.0.86 stopped working in firejail.
I got latest profile version from master.
It seems that they completely moved to Chome Sandbox, which requires broad set of permissions.

TL;DR

By experimenting for a while I managed to run Skype with these minimal options:

firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot skypeforlinux

CAP_SYS_CHROOT

The error with CAP_SYS_CHROOT disabled:

Cannot chroot into /proc/ directory: Operation not permitted

CAP_SYS_ADMIN

The error with CAP_SYS_ADMIN disabled:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

The same error is also caused by applying nonewprivs, protocol and seccomp settings. Any Seccomp filter also breaks the app.

`noroot`

Since the binary /usr/share/skypeforlinux/chrome-sandbox is now having setuid bit installed, noroot needs to be ignored as well.

Originally created by @vutny on GitHub (Aug 27, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2933 The newest stable Skype version 8.51.0.86 stopped working in `firejail`. I got latest profile version from `master`. It seems that they completely moved to Chome Sandbox, which requires broad set of permissions. ### TL;DR By experimenting for a while I managed to run Skype with these minimal options: ```sh firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot skypeforlinux ``` ### CAP_SYS_CHROOT The error with `CAP_SYS_CHROOT` disabled: ``` Cannot chroot into /proc/ directory: Operation not permitted ``` ### CAP_SYS_ADMIN The error with `CAP_SYS_ADMIN` disabled: ``` Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted ``` The same error is also caused by applying `nonewprivs`, `protocol` and `seccomp` settings. Any Seccomp filter also breaks the app. ### `noroot` Since the binary `/usr/share/skypeforlinux/chrome-sandbox` is now having setuid bit installed, `noroot` needs to be ignored as well.

gitea-mirror closed this issue

2026-05-05 08:29:54 -06:00

gitea-mirror commented

2026-05-05 08:29:56 -06:00

Author

Owner

@reinerh commented on GitHub (Aug 27, 2019):

Does that mean skype now needs to be installed setuid-root?

@reinerh commented on GitHub (Aug 27, 2019): Does that mean skype now needs to be installed setuid-root?

gitea-mirror commented

2026-05-05 08:29:56 -06:00

Author

Owner

@FOSSONLY commented on GitHub (Aug 28, 2019):

I last used Skype before it was destructively run down by Microsoft. Today Skype is an advertising-contaminated spyware and bloatware that has lost all its original values. And now you're going to give this proprietary spyware root rights? Seriously? For those who haven't done it yet, now is the perfect time to get rid of this software for good, and there have long been very good alternatives that respect their users. Can only advise not to put up with this extension of privileges, especially considering the purpose of this software.

@FOSSONLY commented on GitHub (Aug 28, 2019): I last used Skype before it was destructively run down by Microsoft. Today Skype is an advertising-contaminated spyware and bloatware that has lost all its original values. And now you're going to give this proprietary spyware root rights? Seriously? For those who haven't done it yet, now is the perfect time to get rid of this software for good, and there have long been very good alternatives that respect their users. Can only advise not to put up with this extension of privileges, especially considering the purpose of this software.

gitea-mirror commented

2026-05-05 08:29:58 -06:00

Author

Owner

@Vincent43 commented on GitHub (Aug 28, 2019):

@reinerh it uses setuid-root helper binary /usr/share/skypeforlinux/chrome-sandbox, same as chromium.

@Vincent43 commented on GitHub (Aug 28, 2019): @reinerh it uses setuid-root helper binary `/usr/share/skypeforlinux/chrome-sandbox`, same as chromium.

gitea-mirror commented

2026-05-05 08:29:59 -06:00

Author

Owner

@vutny commented on GitHub (Sep 4, 2019):

Yeah. Technically speaking, modern Skype is just a web application running on MIcrosoft servers.
You could use it from any recent full-featured browser, including Firefox, but the video and calls are supported only in Chrome AFAIK.
The Linux package they ship is just an Electron app, which is a custom build of Google Chrome.
I assume in the latest version they have enforced Chrome Sandbox feature. It does all the isolation using namespaces on its own, and that's why requires root and permissions to chroot and isolate.

As I expect, firejail does not completely support Chrome/Chromium because of that.

Still some additional "jailing" could be applied.
Also I have found this article, describing further steps to sandbox Skype. Neither tried any of those, though.

The main question remains, can we update the Skype profile within the firejail distribution to actually make it work?

@vutny commented on GitHub (Sep 4, 2019): Yeah. Technically speaking, modern Skype is just a web application running on MIcrosoft servers. You could use it from any recent full-featured browser, including Firefox, but the video and calls are supported only in Chrome AFAIK. The Linux package they ship is just an [Electron](https://electronjs.org/) app, which is a custom build of Google Chrome. I assume in the latest version they have enforced Chrome Sandbox feature. It does all the isolation using namespaces on its own, and that's why requires root and permissions to chroot and isolate. As I expect, firejail does not completely support Chrome/Chromium because of that. Still some additional "jailing" could be applied. Also I have found [this article](http://rdiez.shoutwiki.com/wiki/Sandboxing_Skype), describing further steps to sandbox Skype. Neither tried any of those, though. The main question remains, can we update the Skype profile within the firejail distribution to actually make it work?

gitea-mirror commented

2026-05-05 08:30:00 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 4, 2019):

The main question remains, can we update the Skype profile within the firejail distribution to actually make it work?

That is generally a good question. Current situation is that if a profile was fixed a few months later a new firejail version appears which contains this fix. But ...

Who get this new version?

Users who downloaded firejail from the website will get if they keep an eye on this.
ArchLinux Users
Debian unstable/testing Users
Debian stable user who installed firejail from backports
...

Who not?
The most users of stable distro who don't use backports.

But what's in the meantime? The last release was 3 months ago.
Every fix from the last 3 months have only users who compile firejail by them self.

Faster release cycles which would then also come in distros are required, at least for fixes which fix a program which has become unusable. or we bypass the distros with a firefix 😁 program which downloads and applies all important fixes

@rusty-snake commented on GitHub (Sep 4, 2019): > The main question remains, can we update the Skype profile within the firejail distribution to actually make it work? That is generally a good question. Current situation is that if a profile was fixed a few months later a new firejail version appears which contains this fix. But ... **Who get this new version?** - Users who downloaded firejail from the website will get if they keep an eye on this. - ArchLinux Users - Debian unstable/testing Users - Debian stable user who installed firejail from backports - ... **Who not?** The most users of stable distro who don't use backports. **But what's in the meantime?** The last release was 3 months ago. Every fix from the last 3 months have only users who compile firejail by them self. Faster release cycles which would then also come in distros are required, at least for fixes which fix a program which has become unusable. or we bypass the distros with a `firefix` :grin: program which downloads and applies all important fixes

gitea-mirror commented

2026-05-05 08:30:01 -06:00

Author

Owner

@vutny commented on GitHub (Sep 5, 2019):

Thanks for the clarification, @rusty-snake . This is fine.

My question was more about is that OK to submit a PR here with updated skypeforlinux.profile, so users would benefit from having out-of-the-box solution when they upgrade Skype/Firejail by any convenient channel?

@vutny commented on GitHub (Sep 5, 2019): Thanks for the clarification, @rusty-snake . This is fine. My question was more about is that OK to submit a PR here with updated `skypeforlinux.profile`, so users would benefit from having out-of-the-box solution when they upgrade Skype/Firejail by any convenient channel?

gitea-mirror commented

2026-05-05 08:30:03 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 5, 2019):

Yes, you can send a PR. Since skypeforlinux is broken without these adjustments, there is no way to avoid such a weakening of the firejail sandbox.

Any Seccomp filter also breaks the app.

To confirm: Not only seccomp breaks it, it is also broken with seccomp.drop __dummy__?

@rusty-snake commented on GitHub (Sep 5, 2019): Yes, you can send a PR. Since skypeforlinux is broken without these adjustments, there is no way to avoid such a weakening of the firejail sandbox. > Any Seccomp filter also breaks the app. To confirm: Not only `seccomp` breaks it, it is also broken with `seccomp.drop __dummy__`?

gitea-mirror commented

2026-05-05 08:30:04 -06:00

Author

Owner

@vutny commented on GitHub (Sep 5, 2019):

@rusty-snake
I've tried that setting and Skype was not starting.
It seems that if any seccomp filtering applied (like with protocol option), the chrome-sandbox helper fails to start.

Although, it is totally not obvious from terminal output:

Parent pid 329, child pid 330
Post-exec seccomp protector enabled
Seccomp list in: __dummy__, check list: @default-keep,
Child process initialized in 79.77 ms

Parent is shutting down, bye...

Exit code 1.

@vutny commented on GitHub (Sep 5, 2019): @rusty-snake I've tried that setting and Skype was not starting. It seems that if any `seccomp` filtering applied (like with `protocol` option), the `chrome-sandbox` helper fails to start. Although, it is totally not obvious from terminal output: ``` Parent pid 329, child pid 330 Post-exec seccomp protector enabled Seccomp list in: __dummy__, check list: @default-keep, Child process initialized in 79.77 ms Parent is shutting down, bye... ``` Exit code 1.

gitea-mirror commented

2026-05-05 08:30:05 -06:00

Author

Owner

@Vincent43 commented on GitHub (Sep 5, 2019):

@vutny chromium profile indeed doesn't have seccomp rule. You may base your skype changes on it.

@Vincent43 commented on GitHub (Sep 5, 2019): @vutny [chromium profile](https://github.com/netblue30/firejail/blob/master/etc/chromium-common.profile#L28) indeed doesn't have `seccomp` rule. You may base your skype changes on it.

gitea-mirror commented

2026-05-05 08:30:07 -06:00

Author

Owner

@vutny commented on GitHub (Sep 6, 2019):

Thanks for your input, @Vincent43 . I will definitely take a look on it.

@vutny commented on GitHub (Sep 6, 2019): Thanks for your input, @Vincent43 . I will definitely take a look on it.

gitea-mirror commented

2026-05-05 08:30:08 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 7, 2019):

BTW: where is the different between skype and skypeforlinux?

@rusty-snake commented on GitHub (Sep 7, 2019): BTW: where is the different between skype and skypeforlinux?

gitea-mirror commented

2026-05-05 08:30:09 -06:00

Author

Owner

@vutny commented on GitHub (Sep 9, 2019):

@rusty-snake I believe the skype.profile is the legacy file for old "classic" Skype 4.X, which is neither longer available nor supported. The file has not received any software-specific changes since year 2015.

Could we drop it along with fixing real Skype profile?

@vutny commented on GitHub (Sep 9, 2019): @rusty-snake I believe the `skype.profile` is the legacy file for old "classic" Skype 4.X, which is neither longer available nor supported. The file has not received any software-specific changes since year 2015. Could we drop it along with fixing _real_ Skype profile?

gitea-mirror commented

2026-05-05 08:30:10 -06:00

Author

Owner

@rusty-snake commented on GitHub (Sep 9, 2019):

If skype is not in repos of not EOL distros / offical third-party repo or didn't work anymore (e.g. protocol changes) so that it doesn't have any users any more. IMHO it should be a simple redirect for skypeforlinux.profile.

@rusty-snake commented on GitHub (Sep 9, 2019): If skype is not in repos of not EOL distros / offical third-party repo or didn't work anymore (e.g. protocol changes) so that it doesn't have any users any more. IMHO it should be a simple redirect for skypeforlinux.profile.

gitea-mirror commented

2026-05-05 08:30:11 -06:00

Author

Owner

@vutny commented on GitHub (Sep 9, 2019):

Thanks, understood. Let's separate concerns, I will log another issue for this kind of housekeeping and we will discuss appropriate solution there.

@vutny commented on GitHub (Sep 9, 2019): Thanks, understood. Let's separate concerns, I will log another issue for this kind of housekeeping and we will discuss appropriate solution there.

gitea-mirror referenced this issue

2026-05-05 10:13:27 -06:00

[PR #1831] [MERGED] private-lib fix #4082

gitea-mirror referenced this issue

2026-05-05 10:13:28 -06:00

[PR #1837] [MERGED] WIP: Blacklist common programming interpreters. #4085