about:blog Archives

reversing, python and cookies
Friends: aj deadrom1 fr33tux mlleCarnot skia


Running Skype in docker

I had to install Skype for various reasons, but I didn't wanted to install an obfuscated malicious binary blob with network capabilities on my machine.

At first, I used qemu with Windows xp (yes, Skype runs on Windows xp), but since we're now in 2015, I though that I should give a try to docker, since (hopefully) Skype will never try to actively escape its container, it should be ok.

My main concern was the access to my filesystem and messing around with my processes, but thanks to cgroups, unless Skype has some 0-day, it won't be able to do any harm/spying.

But because we don't trust Skype, we'll make it run within AppArmor. I based my configuration on this one.

Despite the fact that I know that you can do funky stuff once you have access to Xorg, I chose to use X forwarding to access the GUI, because I'm too lazy to use a VNC, and once again, my thread model doesn't include Skype being actively malicious to other applications.

And here is the Dockerfile that I used:

#
# Losely based on https://github.com/shofetim/docker-skype and https://github.com/tomparys/docker-skype-pulseaudio
#

FROM debian:stable
MAINTAINER Julien (jvoisin) Voisin "julien.voisin@dustri.org"

# Skype is i386 only
RUN dpkg --add-architecture i386
RUN apt-get update

# We'll use ssh to access Skype with X-forwarding
RUN apt-get install --no-install-recommends -y openssh-server wget

# Create a docker:docker user
RUN useradd -m -d /home/docker docker
RUN echo "docker:docker" | chpasswd

# Install Skype
RUN wget http://download.skype.com/linux/skype-debian_4.3.0.37-1_i386.deb -O /usr/src/skype.deb
RUN echo 'a820e641d1ee3fece3fdf206f384eb65e764d7b1ceff3bc5dee818beb319993c  skype-debian_4.3.0.37-1_i386.deb' | sha256sum -c
RUN dpkg -i /usr/src/skype.deb || true
RUN apt-get install -fy
RUN rm /usr/src/skype.deb

# AppArmor, because we don't trust Skype
RUN apt-get install -y --no-install-recommends apparmor-profiles
RUN apt-get install -y --no-install-recommends apparmor-utils
ADD usr.bin.skype /etc/apparmor.d/
RUN service apparmor reload

# Enable X11Forwarding
RUN echo X11Forwarding yes >> /etc/ssh/ssh_config
RUN mkdir -p /var/run/sshd

# Exposes the ssh port
EXPOSE 22

# Start ssh services.
CMD ["/usr/sbin/sshd", "-D"]

Throw this on a Dockerfile, and run

$ docker build -t skype .
$ docker run -d -p 55555:22 --name skype skype
$ sh-copy-id docker-skype
$ ssh docker-skype skype
[...]  # Configure your skype client
$ docker commit skype skype_complete
$ docker rm -f skype

You can now run Skype with docker run -d -p 55555:22 --name skype_ skype_complete && sleep 1 && ssh docker-skype skype && docker rm -f skype_, within a container. Feel free to add this to your shell aliases.