github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3330] Best practice for AppImage profiles #2089

New issue
Closed
opened 2026-05-05 08:45:46 -06:00 by gitea-mirror · 4 comments
gitea-mirror commented 2026-05-05 08:45:46 -06:00
Owner
Copy link

Originally created by @albinou on GitHub (Apr 8, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3330

Hi,

I wrote a firejail profile for a proprietary AppImage (let's call it MYAPP). For now, I installed a MYAPP.profile file under /etc/firejail and I need to run MYAPP with the following command:

firejail --profile=MYAPP --appimage /PATH/TO/MYAPP

Is there a common practice to handle this case and make the use of the firejail profile? Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use?

Also, should appimage profiles be submitted to the firejail project?

*: The AppImage I wrote a profile for is Blacknut (https://www.blacknut.com).

Thanks,

Originally created by @albinou on GitHub (Apr 8, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3330 Hi, I wrote a firejail profile for a proprietary AppImage (let's call it `MYAPP`). For now, I installed a `MYAPP.profile` file under `/etc/firejail` and I need to run `MYAPP` with the following command: `firejail --profile=MYAPP --appimage /PATH/TO/MYAPP` Is there a common practice to handle this case and make the use of the firejail profile? Can `firecfg` help me do something to be able to run `MYAPP` directly without specifying the firejail profile to use? Also, should appimage profiles be submitted to the firejail project? *: The AppImage I wrote a profile for is Blacknut (https://www.blacknut.com). Thanks,
gitea-mirror 2026-05-05 08:45:46 -06:00
gitea-mirror commented 2026-05-05 08:45:48 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 8, 2020):

Also, should appimage profiles be submitted to the firejail project?

We don't have seperate appimage profiles. Firejail supports the --appimage flag as you mentioned. And there's a conditional ?HAS_APPIMAGE: construct to specify specific needs for an application when it is used as appimage (usually ignoring private-dev).

Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use?

Alas not if there isn't a 'regular' (non-appimage) version of the application. But you can easily replicate what firecfg does by manually adding a symlink to /usr/bin/firejail in /usr/local/bin using the application name:

$ sudo ln -fs /usr/bin/firejail /usr/local/bin/MYAPP

<!-- gh-comment-id:611132773 --> @ghost commented on GitHub (Apr 8, 2020): > Also, should appimage profiles be submitted to the firejail project? We don't have seperate appimage profiles. Firejail supports the `--appimage` flag as you mentioned. And there's a conditional `?HAS_APPIMAGE:` construct to specify specific needs for an application when it is used as appimage (usually ignoring private-dev). > Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use? Alas not if there isn't a 'regular' (non-appimage) version of the application. But you can easily replicate what firecfg does by manually adding a symlink to /usr/bin/firejail in /usr/local/bin using the application name: $ sudo ln -fs /usr/bin/firejail /usr/local/bin/MYAPP
gitea-mirror commented 2026-05-05 08:45:49 -06:00
Author
Owner
Copy link

@albinou commented on GitHub (Apr 9, 2020):

Thanks for your answer :-)

Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use?

Alas not if there isn't a 'regular' (non-appimage) version of the application. But you can easily replicate what firecfg does by manually adding a symlink to /usr/bin/firejail in /usr/local/bin using the application name:

$ sudo ln -fs /usr/bin/firejail /usr/local/bin/MYAPP

Hum, but this doesn't work since firejail needs the --appimage option.
Here is what I have (/usr/bin/blacknut is the AppImage I am trying to run with firejail):

shell$ ls -la /usr/bin/blacknut    
-rwxr-xr-x 1 root root 78M Apr  9 09:33 /usr/bin/blacknut*
shell$ ls -la /usr/local/bin/blacknut
lrwxrwxrwx 1 root root 17 Apr  9 09:31 /usr/local/bin/blacknut -> /usr/bin/firejail
shell$ wich blacknut
/usr/local/bin/blacknut
shell$ blacknut                        
Reading profile /etc/firejail/blacknut.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 7494, child pid 7495
Warning: skipping alternatives for private /etc
Private /etc installed in 16.00 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 105.53 ms
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

while the following works (except I also need to add the --no-sandbox for other reasons):

shell$ firejail --profile=blacknut --appimage /usr/bin/blacknut             
Reading profile /etc/firejail/blacknut.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Mounting appimage type 2
Parent pid 9460, child pid 9463

**     Warning: dropping all Linux capabilities     **

Warning: skipping alternatives for private /etc
Private /etc installed in 21.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 121.86 ms

Parent is shutting down, bye...
AppImage unmounted
shell$ firejail --profile=blacknut --appimage /usr/bin/blacknut --no-sandbox
Reading profile /etc/firejail/blacknut.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Mounting appimage type 2
Parent pid 9509, child pid 9512

**     Warning: dropping all Linux capabilities     **

Warning: skipping alternatives for private /etc
Private /etc installed in 23.28 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 152.28 ms
# Blacknut AppImage is running correctly

Am I proceeding correctly?
Thanks again

<!-- gh-comment-id:611438829 --> @albinou commented on GitHub (Apr 9, 2020): Thanks for your answer :-) > > Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use? > > Alas not if there isn't a 'regular' (non-appimage) version of the application. But you can easily replicate what firecfg does by manually adding a symlink to /usr/bin/firejail in /usr/local/bin using the application name: > > $ sudo ln -fs /usr/bin/firejail /usr/local/bin/MYAPP Hum, but this doesn't work since firejail needs the `--appimage` option. Here is what I have (/usr/bin/blacknut is the AppImage I am trying to run with firejail): ``` shell$ ls -la /usr/bin/blacknut -rwxr-xr-x 1 root root 78M Apr 9 09:33 /usr/bin/blacknut* shell$ ls -la /usr/local/bin/blacknut lrwxrwxrwx 1 root root 17 Apr 9 09:31 /usr/local/bin/blacknut -> /usr/bin/firejail shell$ wich blacknut /usr/local/bin/blacknut shell$ blacknut Reading profile /etc/firejail/blacknut.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Parent pid 7494, child pid 7495 Warning: skipping alternatives for private /etc Private /etc installed in 16.00 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 105.53 ms fuse: device not found, try 'modprobe fuse' first Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage if you run it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information open dir error: No such file or directory Parent is shutting down, bye... ``` while the following works (except I also need to add the --no-sandbox for other reasons): ``` shell$ firejail --profile=blacknut --appimage /usr/bin/blacknut Reading profile /etc/firejail/blacknut.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Mounting appimage type 2 Parent pid 9460, child pid 9463 ** Warning: dropping all Linux capabilities ** Warning: skipping alternatives for private /etc Private /etc installed in 21.25 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 121.86 ms Parent is shutting down, bye... AppImage unmounted shell$ firejail --profile=blacknut --appimage /usr/bin/blacknut --no-sandbox Reading profile /etc/firejail/blacknut.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Mounting appimage type 2 Parent pid 9509, child pid 9512 ** Warning: dropping all Linux capabilities ** Warning: skipping alternatives for private /etc Private /etc installed in 23.28 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized in 152.28 ms # Blacknut AppImage is running correctly ``` Am I proceeding correctly? Thanks again
gitea-mirror commented 2026-05-05 08:45:50 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 9, 2020):

Is there a common practice to handle this case and make the use of the firejail profile? Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use?

You can use a shell-script or a .desktop file.

except I also need to add the --no-sandbox for other reasons

https://github.com/netblue30/firejail/issues/2946#issuecomment-568425707

<!-- gh-comment-id:611442883 --> @rusty-snake commented on GitHub (Apr 9, 2020): > Is there a common practice to handle this case and make the use of the firejail profile? Can firecfg help me do something to be able to run MYAPP directly without specifying the firejail profile to use? You can use a shell-script or a .desktop file. > except I also need to add the --no-sandbox for other reasons https://github.com/netblue30/firejail/issues/2946#issuecomment-568425707
gitea-mirror commented 2026-05-05 08:45:51 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 6, 2020):

I'm closing here due to inactivity, please fell free to reopen if you have more questions.

<!-- gh-comment-id:624735184 --> @rusty-snake commented on GitHub (May 6, 2020): I'm closing here due to inactivity, please fell free to reopen if you have more questions.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2089
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?