1

I have Spotify installed from their repo, by following these instructions.

But I am concerned about the security ramifications of having proprietary code running on my machine - since it's not available for independent review, and Spotify are entirely responsible for fixing any security flaws.

I'd like to secure it using AppArmor, to reduce the impact it could have. I found some AppArmor profiles on the Internet, but none worked properly for me. (More information on AppArmor)

seanlano

2 Answers

1

Since I could not find a profile that worked for me, I profiled Spotify and created my own. This won't stop the Spotify binary from being able to access everything you might not want it to, but it's better than nothing. I give no guarantees; use this at your own risk.

This works for me on both Ubuntu 14.04 and 15.04, and Spotify version 0.9.17.1. I'm using the standard GNOME and LightDM desktop; I haven't tested this with KDE, XFCE, etc.


0. Prerequisites

When working with AppArmor, I find it incredibly useful to have the apparmor-utils package installed. In a terminal run:

sudo apt-get install apparmor-utils

1. Create Profile

Let's begin with copying the profile to the appropriate location. First, open up gedit with root permissions:

sudo gedit /etc/apparmor.d/opt.spotify.spotify-client.spotify

Then copy this into the new window:

# Created by Sean Lanigan. Released to the Public Domain. 
# Retrieved from https://askubuntu.com/a/664812/237387 
# Last Modified: Sun 30 Aug 2015

#include <tunables/global>

/opt/spotify/spotify-client/spotify {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-strict>
  #include <abstractions/ibus>
  #include <abstractions/lightdm>
  #include <abstractions/gnome>
  #include <abstractions/dconf>
  #include <abstractions/nameservice>

  # Give some access to some user things
  /home/*/.config/Trolltech.conf rwk,
  /home/*/.pki/nssdb/* rw,
  /home/*/.pki/nssdb/cert9.db rwk,
  /home/*/.pki/nssdb/key4.db rwk,

  # Give some access to some system things
  @{PROC}/*/auxv r,
  @{PROC}/*/oom_score_adj rw,
  @{PROC}/sys/kernel/shmmax r,

  # Allow read, write and lock access to Spotify config and cache files
  owner @{HOME}/.cache/spotify/ rw,
  owner @{HOME}/.cache/spotify/** rwk,
  owner @{HOME}/.config/spotify/ rw,
  owner @{HOME}/.config/spotify/** rwk,
  owner @{HOME}/.local/share/spotify/ rw,
  owner @{HOME}/.local/share/spotify/** rwk,

  # Read local music, no write permission given
  owner @{HOME}/Music/ r,
  owner @{HOME}/Music/** r,
}

Then save and exit.


2. Enable Profile

Now all we have to do is enable the new profile:

sudo aa-enforce /opt/spotify/spotify-client/spotify

And that's all there is to it! Spotify has access to all the things it needs to work properly, including to your ~/Music directory - and hopefully none of the things it shouldn't be accessing.

If you have any improvements to this profile, please mention them in the comments!


Disable AppArmor profile

If you want to disable AppArmor from confining Spotify, you can run

sudo aa-disable /opt/spotify/spotify-client/spotify

This might be necessary if a new version of the Spotify application is changed and starts to crash with this profile. If that is the case, you'll need to update the AppArmor profile to allow whatever those changes might be.

seanlano
  • good job. How did you profile the different paths needed? – xyz Aug 23 '15 at 11:20
  • I mostly used apparmor-easyprof. I started with the audio abstraction (figured that was a no-brainer), and the base abstraction. For the dbus and ibus abstractions, when I was profiling it I noticed a lot of names mentioning these two, so I tried first the *-strict and in the case of ibus then tried the full abstraction. Similar story for lightdm. I didn't want to give it the whole X abstraction, so I just picked a few parts until it worked. The rest are just "neatened up" from what easyprof suggested. It did take a fair bit of work to tune it though, so I wanted to share it! – seanlano Aug 24 '15 at 11:32
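An added example, not part of the answer above or its author's tooling: when a Spotify update starts crashing under the profile, the kernel log shows which file accesses AppArmor refused, and this sketch groups those records for the profile into candidate rule lines to review by hand. The sample log lines, paths and the function names are constructed for illustration; mapping the logged `c`/`d` masks to `w` and skipping exec (`x`) are simplifying assumptions.

```python
import re
from collections import defaultdict

PROFILE = "/opt/spotify/spotify-client/spotify"  # profile name used in the answer

# Constructed sample lines in the format AppArmor writes to the kernel log;
# the paths, pids and uids are made up for this example.
SAMPLE_LOG = '''\
audit: type=1400 audit(1440900000.101:51): apparmor="DENIED" operation="open" profile="/opt/spotify/spotify-client/spotify" name="/home/alice/.example-app/state.db" pid=4242 comm="spotify" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1440900000.102:52): apparmor="DENIED" operation="file_lock" profile="/opt/spotify/spotify-client/spotify" name="/home/alice/.example-app/state.db" pid=4242 comm="spotify" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1440900000.103:53): apparmor="DENIED" operation="open" profile="/opt/spotify/spotify-client/spotify" name="/home/alice/.example-app/new.tmp" pid=4242 comm="spotify" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1440900000.104:54): apparmor="DENIED" operation="open" profile="/opt/spotify/spotify-client/spotify" name="/usr/share/example/data.pak" pid=4242 comm="spotify" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1440900000.105:55): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/example.conf" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one audit line into a dict of its key=value fields."""
    return {k: q if v == "" else v for k, q, v in FIELD.findall(line)}

def candidate_rules(log, profile=PROFILE):
    """Return profile rule lines covering the file accesses logged for `profile`."""
    perms = defaultdict(set)
    for fields in map(parse_line, log.splitlines()):
        # DENIED is logged in enforce mode, ALLOWED in complain mode
        if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if fields.get("profile") != profile or "name" not in fields:
            continue
        owner = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
        path = re.sub(r"^/home/[^/]+/", "@{HOME}/", fields["name"])
        # the log reports create (c) and delete (d); a rule grants both with w
        mask = fields.get("denied_mask", "").replace("c", "w").replace("d", "w")
        perms[(path, owner)].update(mask)
    rules = []
    for (path, owner), mask in sorted(perms.items()):
        # x is left out: exec rules need a transition mode chosen by hand
        letters = "".join(c for c in "rwkm" if c in mask)
        if letters:
            rules.append(f"  {'owner ' if owner else ''}{path} {letters},")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Run it over `dmesg` output or `/var/log/kern.log` instead of the sample, and decide rule by rule whether the access is one Spotify should have before adding it. After editing the profile, reload it with `sudo apparmor_parser -r /etc/apparmor.d/opt.spotify.spotify-client.spotify`.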
1

I've posted my Spotify profile for AppArmor on GitHub: https://github.com/ruudkoot/spotify-apparmor.

  • Looks very comprehensive! Can I ask, what does the unix (receive, send, connect) peer=(addr=@/tmp/.ICE-unix/*), do? – seanlano Aug 25 '15 at 01:04
  • It allows Spotify to open files in /tmp/.ICE-unix as Unix sockets. This has something to do with X11, but I don't know the exact details. (AppArmor in Ubuntu 14.04 and older doesn't handle Unix sockets and always allows access to them).

    By the way, as Spotify uses the Chromium Embedded Framework, a lot of the profile was based on the one for Chromium.

    – Ruud Koot Aug 25 '15 at 13:53
  • Ah, I see. Nicely done. :) – seanlano Aug 27 '15 at 01:14