[GH-ISSUE #3485] [Solved] Impossible to include tutanota-desktop-linux.AppImage in a sandbox with firejail #2194

Closed
opened 2026-05-05 08:52:32 -06:00 by gitea-mirror · 17 comments

Originally created by @CocoR55 on GitHub (Jul 1, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3485

Hello,

I cannot include tutanota-desktop-linux.AppImage in a sandbox with firejail. I've read in different articles on the Web that the applications included in AppImage couldn't work in a sandbox. The perfect counter-example is the case of krita software. As you can see below:

```
$ firejail --list
3446:michaou::/usr/bin/firejail /usr/bin/firefox
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
$ firejail --tree
3446:michaou::/usr/bin/firejail /usr/bin/firefox
3449:michaou::/usr/bin/firejail /usr/bin/firefox
3459:michaou::/usr/lib/firefox/firefox
3527:michaou::/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
3595:michaou::/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 6341 -prefMapSize 235295 -parentBuildID 20200602222727 -appdir /usr/lib/firefox/browser 10 true tab
6556:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
6559:michaou::firejail --appimage krita-4.3.0-x86_64.appimage
6562:michaou::/run/firejail/appimage/.appimage-6556/AppRun
```

Nevertheless, with tutanota, that fails as you can see below:

```
$ firejail --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 5347, child pid 5350

** Warning: dropping all Linux capabilities **
Child process initialized in 21.32 ms

Parent is shutting down, bye...
AppImage unmounted
```

Question is:
krita.appimage works in a sandbox. According to you, is it normal that tutanota.appimage can't work in a sandbox?
Maybe there's something I missed. Maybe I should do something with firecfg?

All ideas are welcome.

Regards,

CocoR55


@rusty-snake commented on GitHub (Jul 1, 2020):

Saying tutanota doesn't work, but krita does, is useless because they are two different programs. Anyway krita has a profile, while tutanota-desktop has no profile. It is expected that apps w/o a profile may fail with the default profile. You can use `firejail --noprofile --appimage tutanota-desktop-linux.AppImage` to see whether there is a general issue with it.


@CocoR55 commented on GitHub (Jul 1, 2020):

Thank you rustysnake for your message
```
$ firejail --noprofile --appimage tutanota-desktop-linux.AppImage
Mounting appimage type 2
Parent pid 4409, child pid 4412

** Warning: dropping all Linux capabilities **
Child process initialized in 48.55 ms

Parent is shutting down, bye...
AppImage unmounted
```

It doesn't work with --noprofile either. Is this a general problem? Something is wrong but what?
Regards,
CocoR55


@bbhtt commented on GitHub (Jul 1, 2020):

I don't know how useful is this if at all in terms of sandboxing (I'm new to the program and the repo).

Like you I tried with those options on the appimage; didn't work. So I extracted the appimage and tried to run the binary under firejail; again doesn't work; works only with `--noprofile` which I guess doesn't provide any sandbox (?). So I made a custom profile and ran the binary with it and it works.

Still can't figure out the appimage thing, I need to take a look on `appimage.c`. I traced the calls and FUSE, whitelisting them doesn't seem to have any effect.

```
:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop
```

Audit and profile are attached.

[tutanota-desktop.profile](https://github.com/netblue30/firejail/files/4872082/tutanota-desktop.log)

I think there's a daemon to integrate appimages which works under sandbox, so maybe running via that will help.


@CocoR55 commented on GitHub (Jul 2, 2020):

Thank you kortewegdevries
Following your message, I tried that:

```
$ firejail --appimage --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile tutanota-desktop-linux.AppImage
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Mounting appimage type 2
Parent pid 11976, child pid 11979

** Warning: dropping all Linux capabilities **
Child process initialized in 150.12 ms

Parent is shutting down, bye...
AppImage unmounted
```

I would've thought that would've worked........
CocoR55


@rusty-snake commented on GitHub (Jul 2, 2020):

As long as `--noprofile` is broken, additional hardening is not expected to change something. In theory options like `--writeable-var` can have an effect. @CocoR55 is `force-nonewprivs` set in /etc/firejail/firejail.config?


@bbhtt commented on GitHub (Jul 3, 2020):

@CocoR55 The profile I gave was not for the appimage itself, it was for the executable inside it which I couldn't run with Firejail default profile. I changed the filename from `tutanota-desktop-linux.Appimage` to `tutanota-desktop-linux.zip` > extract > go to folder `tutanota-desktop-linux` > chmod the file `tutanota-desktop` to set as executable > Use that profile (you need to redownload, I updated it) to launch it like this:

```
:~/Downloads/tutanota-desktop-linux$ firejail --profile=~/.config/firejail/tutanota-desktop.profile ./tutanota-desktop
```

Since this is an executable no need to use `--appimage`

I can launch the appimage like this:

```
$ firejail --noprofile ./tutanota-desktop-linux.Appimage
```

The `-appimage` flag is creating the problem here, I think.

@rusty-snake
Cannot mount either way:

```
$ firejail --writable-var --appimage ./tutanota-desktop-linux.Appimage 
$ firejail --writable-var --appimage --noprofile ./tutanota-desktop-linux.Appimage
```

Works with this, again:

```
$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage
```

with `force-nonewprivs` again above two doesn't work, with this:

```
$ firejail --writable-var --noprofile ./tutanota-desktop-linux.Appimage

Parent pid 3710, child pid 3711
Child process initialized in 10.13 ms
fusermount: mount failed: Operation not permitted

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...
```

Edit. 1. Found a way to launch the appimage with the above profile:

```
$ firejail --profile=~/Downloads/tutanota-desktop.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
```


@CocoR55 commented on GitHub (Jul 3, 2020):

Hello, thank you for your messages
@rusty-snake
$ cat firejail.config | grep -i force-nonewprivs

force-nonewprivs no

One remark: all the lines of firejail.config are in comments
@kortewegdevries
```
firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.in
```


@CocoR55 commented on GitHub (Jul 3, 2020):

@rusty-snake
I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment.
redo:

```
/etc/firejail $ cat firejail.config | grep -i force-nonewprivs
# force-nonewprivs no
```


@rusty-snake commented on GitHub (Jul 3, 2020):

> I don't know why the result is so dilated. It's not my fault. Moreover, this is a comment.

GitHub uses markdown to format comments. In markdown headers are lines starting with `#`, `##`, ... see https://guides.github.com/features/mastering-markdown/#syntax

> Error: cannot access profile file: whitelist-usr-share-common.in

correct the typo to whitelist-usr-share-common.in**c** and try again.


@bbhtt commented on GitHub (Jul 3, 2020):

> correct the typo to whitelist-usr-share-common.in**c** and try again.

I checked it, there isn't a typo? Maybe @CocoR55 typed it wrong here, edited the profile or doesn't have that file in `/etc/firejail`. For the last case, commenting the line works too, I checked (insert a "#" in front of the line and save); or [this](https://github.com/netblue30/firejail/blob/master/etc/inc/whitelist-usr-share-common.inc)

My test environment (no changes were made to `/etc/firejail/firejail.config`):

```
$ firejail --version
firejail version 0.9.62
$
System:
  Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 
  Desktop: Xfce 4.14.2 Distro: Ubuntu 20.04 LTS (Focal Fossa) 
```

@CocoR55 commented on GitHub (Jul 3, 2020):

@rusty-snake
```
$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Error: cannot access profile file: whitelist-usr-share-common.inc
```

I had mistyped and forgotten the letter c on my previous message
@kortewegdevries I don't see any `tutanota-desktop-linux.AppImage.profil` in `/etc/firejail`

```
/etc/firejail $ ls | grep -i tutanota-desktop-linux.AppImage.profile
/etc/firejail $
```

I inserted a "#" in front of the line as you can see on second one below:

```
# include whitelist-common.inc
# include whitelist-usr-share-common.inc
include whitelist-var-common.inc
```

If I give a look at `/etc/firejail $ cat firejail.config` all lines still start with a `#` (comment)

```
$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.appimage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5419, child pid 5420
Child process initialized in 142.11 ms
Error: no suitable ./tutanota-desktop-linux.appimage executable found

Parent is shutting down, bye...
$ firejail --version
firejail version 0.9.60

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```


@bbhtt commented on GitHub (Jul 3, 2020):

> `Error: no suitable ./tutanota-desktop-linux.appimage executable found`

You should run this in the directory where the appimage is located, like for mine I had it in `~/Downloads`. Also make sure the filename is exactly the same as yours; if not change it to yours.
Open a terminal there or `cd /path/to/appimage/directory/` and run the command.
You don't have to search in `firejail.config`, I meant that I tested with all default options there. Also what is your distro? Looks like Firejail needs an update maybe? Also, just to make sure, if you didn't, you need to re-download the profile I gave from above because I had to change something in it :)


@CocoR55 commented on GitHub (Jul 3, 2020):

Now:
```
# firejail --version
firejail version 0.9.62
~/Documents/TutanotaAppimage $ ls
tuta tutanota-desktop-linux.AppImage
~/Documents/TutanotaAppimage $ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run
Reading profile /home/michaou/.config/firejail/tutanota-desktop-linux.AppImage.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 18373, child pid 18374
Child process initialized in 197.92 ms
Error: no suitable ./tutanota-desktop-linux.AppImage executable found

Parent is shutting down, bye...

 ~/Documents/TutanotaAppimage $ cd ~/.config/firejail
 ~/.config/firejail $ ls

tutanota-desktop-linux.AppImage.profile
```

You can see that the file names are the same in the directory and in the command.
Without firejail that works.

```
~/Documents/TutanotaAppimage $ ./tutanota-desktop-linux.AppImage
[2020-07-03T18:05:36.179Z] the monkey has been patche.............
cat /etc/lsb-release
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=18.3
DISTRIB_CODENAME=sylvia
DISTRIB_DESCRIPTION="Linux Mint 18.3 Sylvia"
```

Cinnamon

Some remarks:
The line: `noblacklist ${HOME}/.config/tutanota-desktop/` shouldn't it be something like
`noblacklist ${HOME}/.config/tutanota-desktop-linux/` ?
The lines:

```
# **apparmor**
caps.drop all
ipc-namespace
machine-id
```

are not inconsistent with:
firejail version 0.9.62
Compile time support:
- AppArmor support is disabled....?


@rusty-snake commented on GitHub (Jul 3, 2020):

> Error: no suitable ./tutanota-desktop-linux.AppImage executable found

Do you have mounted /home with `noexec`?

> ~/Documents/TutanotaAppimage

`include disable-xdg.inc` contains `blacklist ${DOCUMENTS}`.

> The line: noblacklist ${HOME}/.config/tutanota-desktop/ shouldn't it be something like
> noblacklist ${HOME}/.config/tutanota-desktop-linux/ ?

Yes, `whitelist`, `blacklist`, `noblacklist` should not have a trailing `/`.

> The lines: …… are not inconsistent with: firejail version 0.9.62

Why? 0.9.62 supports these lines.

> - AppArmor support is disabled....?

Linux Mint does not use AA by default, therefore they likely do not enable AA support in firejail.


@ghost commented on GitHub (Jul 3, 2020):

> Reading profile /etc/firejail/disable-xdg.inc

@CocoR55 The above line indicates your custom profile includes disable-xdg.inc. The latter blacklists ${DOCUMENTS} (amongst others). So when you put the appimage in a location like ${HOME}/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage firejail will not find it because that directory is blacklisted.

You can either add 'noblacklist ${DOCUMENTS}' to your ~/.config/firejail/tutanota-desktop-linux.AppImage.profile (by convention we put such an override above the line where you include disable-xdg.inc) or move the appimage somewhere else. In any case you'll need to make sure that the directory where you put it is not blacklisted in your profile.
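
The blacklist and ordering point explained in the comment above, as an added shell example (not firejail code and not posted by anyone in the thread): it flattens a profile by following its `include` lines and reports the first `blacklist` rule that hides a path and is not cancelled by an earlier `noblacklist`. Assumptions: `${DOCUMENTS}` is taken to be `$HOME/Documents`, glob patterns are not handled, and the function names, `FJ_*` variables and sample profiles are hypothetical.

```shell
#!/bin/sh
# Added example, not firejail code: find the blacklist rule that hides a path
# (the cause of "no suitable ... executable found" in this thread).
# Simplified: no glob patterns, only the ~, ${HOME} and ${DOCUMENTS} macros.

HOME_DIR=${HOME:-/home/user}
: "${FJ_USER_DIR:=$HOME_DIR/.config/firejail}"  # includes are looked up here first
: "${FJ_INC_DIR:=/etc/firejail}"                # then in the system directory

# expand PATH: resolve the macros and drop a trailing "/".
# Assumption: ${DOCUMENTS} is $HOME/Documents (firejail takes it from the XDG user dirs).
expand() {
    printf '%s\n' "$1" | sed -e "s|[$]{DOCUMENTS}|$HOME_DIR/Documents|g" \
        -e "s|[$]{HOME}|$HOME_DIR|g" -e "s|^~|$HOME_DIR|" -e 's|/*$||'
}

# resolve NAME: locate an include file; names containing "/" are used as given.
resolve() {
    case $1 in
        */*) expand "$1" ;;
        *)  if [ -r "$FJ_USER_DIR/$1" ]; then printf '%s\n' "$FJ_USER_DIR/$1"
            else printf '%s\n' "$FJ_INC_DIR/$1"; fi ;;
    esac
}

# flatten PROFILE: print "blacklist PATH" / "noblacklist PATH" rules in the
# order they are read, descending into include files. Runs in a subshell so
# each recursion level has its own variables. Commented-out lines are skipped
# because their first word is "#".
flatten() (
    if [ ! -r "$1" ]; then
        # firejail aborts here ("Error: cannot access profile file: ...");
        # this checker only warns so the remaining rules are still analysed.
        echo "cannot access profile file: ${1##*/}" >&2
        exit 0
    fi
    while read -r kw arg || [ -n "$kw" ]; do
        case $kw in
            include) flatten "$(resolve "$arg")" ;;
            blacklist|noblacklist) printf '%s %s\n' "$kw" "$(expand "$arg")" ;;
        esac
    done < "$1"
)

# hidden_by TARGET PROFILE: print the first blacklist rule covering TARGET and
# return 0; return 1 if none applies. Order matters: a noblacklist only
# cancels blacklist rules that are read after it.
hidden_by() {
    target=$(expand "$1")
    flatten "$2" | (
        allowed=:
        while read -r kw path; do
            case $kw in
                noblacklist) allowed="$allowed$path:" ;;
                blacklist)
                    case $allowed in *":$path:"*) continue ;; esac
                    case $target/ in "$path"/*) echo "blacklist $path"; exit 0 ;; esac ;;
            esac
        done
        exit 1
    )
}

# make_demo DIR: write constructed sample profiles into DIR (sample data, not
# the profile attached to the issue and not the full disable-xdg.inc).
make_demo() {
    mkdir -p "$1"
    printf '%s\n' 'blacklist ${DOCUMENTS}' > "$1/disable-xdg.inc"
    printf '%s\n' 'include disable-xdg.inc' 'caps.drop all' > "$1/before.profile"
    printf '%s\n' 'noblacklist ${DOCUMENTS}' 'include disable-xdg.inc' \
        'caps.drop all' > "$1/after.profile"
}

if [ "$#" -eq 2 ]; then
    # usage: sh check.sh /path/to/App.AppImage /path/to/custom.profile
    hidden_by "$1" "$2" || echo "no blacklist rule covers $1"
else
    demo=$(mktemp -d) && make_demo "$demo"
    FJ_USER_DIR=$demo FJ_INC_DIR=$demo
    app=$HOME_DIR/Documents/TutanotaAppimage/tutanota-desktop-linux.AppImage
    for p in before after; do
        printf '%s.profile: ' "$p"
        hidden_by "$app" "$demo/$p.profile" || echo "not blacklisted"
    done
    rm -rf "$demo"
fi
```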


@CocoR55 commented on GitHub (Jul 4, 2020):

Thank you all for your messages and helps
@glitsj16 Explanation is clear. The folder ${HOME}/Documents/TutanotaAppimage is replaced by ${HOME}/Tuta. From this last directory:
`$ firejail --profile=~/.config/firejail/tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run`
**Error**: no suitable ./tutanota-desktop-linux.AppImage executable found

I did many tries. There, the summary:
`$ firejail --noprofile ./tutanota-desktop-linux.AppImage` is **OK**
`$ firejail --noprofile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run` is **OK** with huge quantity of comments.

Like kortewegdevries above, if the tutanota-desktop-linux.AppImage.profile file is moved in the ${HOME}/Tuta folder
and for the purpose of authorizing the execution of fusermount, the two lines below are added in this profile file:

```
noblacklist /bin/
noblacklist /usr/share/bash-completion/completions
```

`$ firejail --profile=tutanota-desktop-linux.AppImage.profile ./tutanota-desktop-linux.AppImage --appimage-extract-and-run`
is OK
Remark:
On a site, I had read that the command should be
$ firejail --appimage ................ but if I add --appimage it does not work.
I don't understand why we have to move the profile to the Tuta directory. I searched in the blacklists and didn't see a
.config/firejail directory. I don't have an explanation.
To allow the execution of fusermount, I put an override in the profile for the two files where I found it.
There may be a better method......


@CocoR55 commented on GitHub (Jul 7, 2020):

A last small issue:
Error message: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'
Stacktrace:
Error: EROFS: read-only file system, open '/home/michaou/.local/share/applications/tutanota-desktop.desktop'
Solved by chmod 555 tutanota-desktop.desktop
Thank you all for your help.
CocoR55
