github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3910] molotov: cannot run AppImage with custom profile #2450

New issue
Open
opened 2026-05-05 09:08:11 -06:00 by gitea-mirror · 19 comments
gitea-mirror commented 2026-05-05 09:08:11 -06:00
Owner
Copy link

Originally created by @esp13 on GitHub (Jan 22, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3910

Hi,

Like many, I got the permission denied while trying to run an .AppImage
This happened to MolotovTV app findable here

Here I read that we should use this for appimages but it doesn't solve the problem:

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

As I am too novice (and English isn't my fluent language) to understand all the discussion, could you help to solve the problem for my case?

Here is the profile established from profile.template :

#ME : I give a name to be able to kill the sandbox easily with --shutdown=molotov
name molotov
#ME : to be able to access to the folder on /home even if the folder isn't inside personal current user's home folder 
allusers
#ME : Fake personal user home folder only for molotov
private /home/thefolderIwantnotinsideuserhome/FireJail/MolotovTVHome/
#ME : Forbidden to be able to go on other folders on /home except the fake home folder from previous line
noblacklist ~
blacklist /home/*
#ME : To disable the access to other disks
disable-mnt
#ME : For testing access rights visually with nemo (without this, nemo inside firejail can communicate with an other nemo instance outside the sandbox)
nodbus
#ME for appimages
blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount


# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you with creation of profiles
# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e. g. a program that is unable to save user's work is considered bad practice)
#  - dedicate some time (based on the complexity of the application) to profile testing before raising
#    a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH envvar)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include PROFILE.local
# Persistent global definitions
include globals.local

##ignore noexec ${HOME}
##ignore noexec /tmp

##blacklist PATH
# Disable X11 (CLI only), see also 'x11 none' below
#blacklist /tmp/.X11-unix
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only)
#blacklist ${RUNUSER}

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exists, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (he's unable to save files into
# home directory for instance) he/she may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (further explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
apparmor
caps.drop all
##caps.keep CAPS
##hostname NAME
# CLI only
##ipc-namespace
# breaks sound and sometime dbus related functions
machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
nodvd
nogroups
nonewprivs
noroot
#nosound
notv
nou2f
novideo
# Remove each unneeded protocol:
#  - unix is usually needed
#  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
#  - netlink is rarely needed
#  - packet almost never
#protocol unix,inet,inet6,netlink,packet
protocol unix,inet
seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
#shell none
#tracelog
# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
##x11 none

disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
private-cache
private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: magic,magic.mgc,passwd,group
#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
#    Extra: proxychains.conf,gai.conf
#  Sound: alsa,asound.conf,pulse,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  Qt: Trolltech.conf
#  KDE: kde4rc,kde5rc
#  3D: drirc,glvnd,bumblebee,nvidia
#  D-Bus: dbus-1,machine-id
##private-lib LIBS
##private-opt NAME
private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular regulation of dbus is supported.
# To get the dbus-addresses to which an application needs access to.
# You can look at flatpak if the application is also distriputed via flatpak:
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - In order to make dconf work (if it is used by the app) you need to allow
#    'ca.desrt.dconf' even if it is not allowed by flatpak.
# Notes and Policiy about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##env VAR=VALUE
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##join-or-start NAME
Originally created by @esp13 on GitHub (Jan 22, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3910 Hi, Like many, I got the permission denied while trying to run an .AppImage This happened to MolotovTV app findable [here](https://www.molotov.tv/download) [Here ](https://github.com/netblue30/firejail/issues/2690#issuecomment-592274833) I read that we should use this for appimages but it doesn't solve the problem: ``` blacklist ${PATH}/fusermount ?HAS_APPIMAGE: noblacklist ${PATH}/fusermount ``` As I am too novice (and English isn't my fluent language) to understand all the discussion, could you help to solve the problem for my case? Here is the profile established from profile.template : ``` #ME : I give a name to be able to kill the sandbox easily with --shutdown=molotov name molotov #ME : to be able to access to the folder on /home even if the folder isn't inside personal current user's home folder allusers #ME : Fake personal user home folder only for molotov private /home/thefolderIwantnotinsideuserhome/FireJail/MolotovTVHome/ #ME : Forbidden to be able to go on other folders on /home except the fake home folder from previous line noblacklist ~ blacklist /home/* #ME : To disable the access to other disks disable-mnt #ME : For testing access rights visually with nemo (without this, nemo inside firejail can communicate with an other nemo instance outside the sandbox) nodbus #ME for appimages blacklist ${PATH}/fusermount ?HAS_APPIMAGE: noblacklist ${PATH}/fusermount # Firejail profile for PROGRAM_NAME # Description: DESCRIPTION # This file is overwritten after every install/update # --- CUT HERE --- # This is a generic template to help you with creation of profiles # for new programs. PRs welcome at https://github.com/netblue30/firejail/. # # Rules to follow: # - lines with one # are often used in profiles # - lines with two ## are only needed in special situations # - make the profile as restrictive as possible while still keeping the program useful # (e. g. a program that is unable to save user's work is considered bad practice) # - dedicate some time (based on the complexity of the application) to profile testing before raising # a pull request # - keep the sections structure, use a single empty line as separator # - entries within sections are alphabetically sorted # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware # to not do this for essential utilities as this may *break* your OS! (related discussion: # https://github.com/netblue30/firejail/issues/2507) # - remove this comment section and any generic comment past 'Persistent global definitions' # # Sections structure # HEADER # COMMENTS # IGNORES # NOBLACKLISTS # ALLOW INCLUDES # BLACKLISTS # DISABLE INCLUDES # NOWHITELISTS # MKDIRS # WHITELISTS # WHITELIST INCLUDES # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) # DBUS FILTER # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) # REDIRECT INCLUDES # # The following macros may be used in path names to substitute common locations: # ${DESKTOP} # ${DOCUMENTS} # ${DOWNLOADS} # ${HOME} (user's home) # ${PATH} (contents of PATH envvar) # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} # # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths. # # --- CUT HERE --- ##quiet # Persistent local customizations include PROFILE.local # Persistent global definitions include globals.local ##ignore noexec ${HOME} ##ignore noexec /tmp ##blacklist PATH # Disable X11 (CLI only), see also 'x11 none' below #blacklist /tmp/.X11-unix # Disable Wayland #blacklist ${RUNUSER}/wayland-* # Disable RUNUSER (cli only) #blacklist ${RUNUSER} # It is common practice to add files/dirs containing program-specific configuration # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc # (keep list sorted) and then disable blacklisting below. # One way to retrieve the files a program uses is: # - launch binary with --private naming a sandbox # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` # - work with the program, make some configuration changes and save them, open new documents, # install plugins if they exists, etc. # - join the sandbox with bash: # `firejail --join=test bash` # - look what has changed and use that information to populate blacklist and whitelist sections # `ls -aR` #noblacklist PATH # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc # Allow perl (blacklisted by disable-interpreters.inc) #include allow-perl.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc # Allow gjs (blacklisted by disable-interpreters.inc) #include allow-gjs.inc # Allows files commonly used by IDEs #include allow-common-devel.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc #include disable-shell.inc #include disable-write-mnt.inc include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is # that if a user feels too restricted (he's unable to save files into # home directory for instance) he/she may disable whitelist (nowhitelist) # in PROFILE.local but still be protected by BLACKLISTS section # (further explanation at https://github.com/netblue30/firejail/issues/1569) #mkdir PATH ##mkfile PATH #whitelist PATH #include whitelist-common.inc #include whitelist-runuser-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc ##allusers apparmor caps.drop all ##caps.keep CAPS ##hostname NAME # CLI only ##ipc-namespace # breaks sound and sometime dbus related functions machine-id # 'net none' or 'netfilter' #net none #netfilter #no3d ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) nodvd nogroups nonewprivs noroot #nosound notv nou2f novideo # Remove each unneeded protocol: # - unix is usually needed # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) # - netlink is rarely needed # - packet almost never #protocol unix,inet,inet6,netlink,packet protocol unix,inet seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) #seccomp.block-secondary #shell none #tracelog # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set ##x11 none disable-mnt ##private # It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3 #private-bin PROGRAMS private-cache private-dev #private-etc FILES # private-etc templates (see also #1734, #2093) # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg # Extra: magic,magic.mgc,passwd,group # Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc # Extra: proxychains.conf,gai.conf # Sound: alsa,asound.conf,pulse,machine-id # GUI: fonts,pango,X11 # GTK: dconf,gconf,gtk-2.0,gtk-3.0 # Qt: Trolltech.conf # KDE: kde4rc,kde5rc # 3D: drirc,glvnd,bumblebee,nvidia # D-Bus: dbus-1,machine-id ##private-lib LIBS ##private-opt NAME private-tmp ##writable-etc ##writable-run-user ##writable-var ##writable-var-log # Since 0.9.63 also a more granular regulation of dbus is supported. # To get the dbus-addresses to which an application needs access to. # You can look at flatpak if the application is also distriputed via flatpak: # flatpak remote-info --show-metadata flathub <APP-ID> # Notes: # - flatpak implicitly allows an app to own <APP-ID> on the session bus # - In order to make dconf work (if it is used by the app) you need to allow # 'ca.desrt.dconf' even if it is not allowed by flatpak. # Notes and Policiy about addresses can be found at # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> #dbus-user filter #dbus-user.own com.github.netblue30.firejail #dbus-user.talk ca.desrt.dconf #dbus-user.talk org.freedesktop.Notifications #dbus-system none ##env VAR=VALUE #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} ##join-or-start NAME ```
gitea-mirror commented 2026-05-05 09:08:12 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2021):

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

The second command has no effect. fusermount will always be blacklisted. A noblacklist command must come before it's corresponding blacklist command. Flip these lines.

<!-- gh-comment-id:765671829 --> @rusty-snake commented on GitHub (Jan 22, 2021): > ``` > blacklist ${PATH}/fusermount > ?HAS_APPIMAGE: noblacklist ${PATH}/fusermount > ``` The second command has no effect. fusermount will _always_ be blacklisted. A `noblacklist` command **must** come before it's corresponding `blacklist` command. Flip these lines.
gitea-mirror commented 2026-05-05 09:08:14 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2021):

How do you start? firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox?

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

<!-- gh-comment-id:765673483 --> @rusty-snake commented on GitHub (Jan 22, 2021): How do you start? `firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox`? ---- IDK what the current state in #3910 is but AFAICT there are AIs which don't work with `--appimage` ATM.
gitea-mirror commented 2026-05-05 09:08:14 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 22, 2021):

How do you start? firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox?

I gone with this:
firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

I tried without --appimage option too but same result:
firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

And without --appimage option?

<!-- gh-comment-id:765678857 --> @esp13 commented on GitHub (Jan 22, 2021): > How do you start? `firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox`? I gone with this: `firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage` For the moment I try to launch it manually inside the sandbox: `./molotov.AppImage` I tried without --appimage option too but same result: `firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile` > IDK what the current state in #3910 is but AFAICT there are AIs which don't work with `--appimage` ATM. And without --appimage option?
gitea-mirror commented 2026-05-05 09:08:14 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 22, 2021):

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

The second command has no effect. fusermount will always be blacklisted. A noblacklist command must come before it's corresponding blacklist command. Flip these lines.

So I tried this instead:

?HAS_APPIMAGE: noblacklist ${PATH}/fusermount
blacklist ${PATH}/fusermount

but same result

<!-- gh-comment-id:765679456 --> @esp13 commented on GitHub (Jan 22, 2021): > > ``` > > blacklist ${PATH}/fusermount > > ?HAS_APPIMAGE: noblacklist ${PATH}/fusermount > > ``` > > The second command has no effect. fusermount will _always_ be blacklisted. A `noblacklist` command **must** come before it's corresponding `blacklist` command. Flip these lines. So I tried this instead: ``` ?HAS_APPIMAGE: noblacklist ${PATH}/fusermount blacklist ${PATH}/fusermount ``` but same result
gitea-mirror commented 2026-05-05 09:08:15 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 22, 2021):

I tried to comment
#include disable-common.inc

but same result

<!-- gh-comment-id:765680593 --> @esp13 commented on GitHub (Jan 22, 2021): I tried to comment `#include disable-common.inc` but same result
gitea-mirror commented 2026-05-05 09:08:15 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2021):

firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage

--appiamge should be the last firejail argument and must be the first (if --profile is used) IIRC. 🥴

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

The you need to allow to execute files in $HOME.

ignore noexec ${HOME}
ignore apparmor

^ at the top of your profile (e.g. after include globals.local)

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

And without --appimage option?

#3910 only happens with --appiage IIRC.

So I tried this instead:

This snipped works only if --appimage comes before --profile. Anyway you could simply add noblacklist ${PATH}/fusermount before include disable-common.inc for your profile.

However "I tried to comment #include disable-common.inc but same result" …

If you use --appimage you need to use the path to the AI outside the sandbox. W/o --appiamge, you need to use the path to the AI inside the sandbox.

<!-- gh-comment-id:765684908 --> @rusty-snake commented on GitHub (Jan 22, 2021): > firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage `--appiamge` should be the last firejail argument and must be the first (if `--profile` is used) IIRC. :woozy_face: > For the moment I try to launch it manually inside the sandbox: ./molotov.AppImage The you need to allow to execute files in $HOME. ``` ignore noexec ${HOME} ignore apparmor ``` ^ at the top of your profile (e.g. after `include globals.local`) > > IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM. > > And without --appimage option? #3910 only happens with --appiage IIRC. > So I tried this instead: This snipped works only if `--appimage` comes before `--profile`. Anyway you could simply add `noblacklist ${PATH}/fusermount` before `include disable-common.inc` for your profile. However "I tried to comment `#include disable-common.inc` but same result" … ---- If you use `--appimage` you need to use the path to the AI outside the sandbox. W/o `--appiamge`, you need to use the path to the AI inside the sandbox.
gitea-mirror commented 2026-05-05 09:08:16 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 22, 2021):

Does firejail --noprofile --allusers /path/to/AppImage work?

<!-- gh-comment-id:765685226 --> @rusty-snake commented on GitHub (Jan 22, 2021): Does `firejail --noprofile --allusers /path/to/AppImage` work?
gitea-mirror commented 2026-05-05 09:08:16 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 22, 2021):

Does firejail --noprofile --allusers /path/to/AppImage work?

Before reinstalling my distro from scratch I was using it like this inside a dedicated folder itself inside my home folder:
firejail --noprofile --private=. --appimage "./molotov.AppImage"
And that was working well.
But as I realise --noprofile option isn't secure at all I'm trying to do better

--appiamge should be the last firejail argument and must be the first (if --profile is used) IIRC. woozy_face

Ok so I go with this:
firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

The you need to allow to execute files in $HOME.

ignore noexec ${HOME}
ignore apparmor

^ at the top of your profile (e.g. after include globals.local)

By adding this just before globals.local I get this error instead permission one :

./molotov.AppImage 
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

I keep this but don't understand what it is for:

# Persistent local customizations
include PROFILE.local
# Persistent global definitions
include globals.local

Anyway you could simply add noblacklist ${PATH}/fusermount before include disable-common.inc for your profile.

Ok I will do so

If you use --appimage you need to use the path to the AI outside the sandbox. W/o --appiamge, you need to use the path to the AI inside the sandbox.

I got a permission issue with this:
exec /home/thefolderIwantnotinsideuserhome/FireJail/molotovHome/molotov.AppImage

And with this:
exec /home/myuser/molotov.AppImage
i get this error again:

fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...
<!-- gh-comment-id:765697815 --> @esp13 commented on GitHub (Jan 22, 2021): > Does `firejail --noprofile --allusers /path/to/AppImage` work? Before reinstalling my distro from scratch I was using it like this inside a dedicated folder itself inside my home folder: `firejail --noprofile --private=. --appimage "./molotov.AppImage"` And that was working well. But as I realise --noprofile option isn't secure at all I'm trying to do better > `--appiamge` should be the last firejail argument and must be the first (if `--profile` is used) IIRC. woozy_face Ok so I go with this: `firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile` > > For the moment I try to launch it manually inside the sandbox: > > ./molotov.AppImage > > The you need to allow to execute files in $HOME. > > ``` > ignore noexec ${HOME} > ignore apparmor > ``` > ^ at the top of your profile (e.g. after `include globals.local`) > By adding this just before globals.local I get this error instead permission one : ``` ./molotov.AppImage fuse: device not found, try 'modprobe fuse' first Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage if you run it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information open dir error: No such file or directory ``` I keep this but don't understand what it is for: ``` # Persistent local customizations include PROFILE.local # Persistent global definitions include globals.local ``` > Anyway you could simply add `noblacklist ${PATH}/fusermount` before `include disable-common.inc` for your profile. Ok I will do so > If you use `--appimage` you need to use the path to the AI outside the sandbox. W/o `--appiamge`, you need to use the path to the AI inside the sandbox. I got a permission issue with this: `exec /home/thefolderIwantnotinsideuserhome/FireJail/molotovHome/molotov.AppImage` And with this: `exec /home/myuser/molotov.AppImage ` i get this error again: ``` fuse: device not found, try 'modprobe fuse' first Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage if you run it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information open dir error: No such file or directory Parent is shutting down, bye... ```
gitea-mirror commented 2026-05-05 09:08:17 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 23, 2021):

To avoid fuse error, I tried :
./molotov.AppImage --appimage-extract-and-run

but I got this error:
Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

<!-- gh-comment-id:765923032 --> @esp13 commented on GitHub (Jan 23, 2021): To avoid fuse error, I tried : `./molotov.AppImage --appimage-extract-and-run` but I got this error: `Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied`
gitea-mirror commented 2026-05-05 09:08:17 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 23, 2021):

I don't understand all that is explained here, is it possible that using 0.9.63 could solve this problem? (My distro repo as 0.9.62-3 version instead)

<!-- gh-comment-id:765927242 --> @esp13 commented on GitHub (Jan 23, 2021): I don't understand all that is explained [here](https://dirkmittler.homeip.net/blog/archives/9334), is it possible that using 0.9.63 could solve this problem? (My distro repo as 0.9.62-3 version instead)
gitea-mirror commented 2026-05-05 09:08:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jan 23, 2021):

Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

Add ignore noexec /tmp

<!-- gh-comment-id:765957551 --> @rusty-snake commented on GitHub (Jan 23, 2021): > Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied Add `ignore noexec /tmp`
gitea-mirror commented 2026-05-05 09:08:18 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 23, 2021):

Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

Add ignore noexec /tmp

Thanks, this time no error, but nothing happens/appears after extraction

<!-- gh-comment-id:765970848 --> @esp13 commented on GitHub (Jan 23, 2021): > > Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied > > Add `ignore noexec /tmp` Thanks, this time no error, but nothing happens/appears after extraction
gitea-mirror commented 2026-05-05 09:08:18 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 23, 2021):

./molotov.AppImage --appimage-extract
./squashfs-root/AppRun

Result in :
Trappe pour point d'arrêt et de trace (core dumped)

<!-- gh-comment-id:765977611 --> @esp13 commented on GitHub (Jan 23, 2021): `./molotov.AppImage --appimage-extract` `./squashfs-root/AppRun ` Result in : `Trappe pour point d'arrêt et de trace (core dumped)`
gitea-mirror commented 2026-05-05 09:08:19 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Jan 31, 2021):

./molotov.AppImage 
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Could this help? :

$ fusermount -V
fusermount version: 2.9.9
<!-- gh-comment-id:770429807 --> @esp13 commented on GitHub (Jan 31, 2021): > ``` > ./molotov.AppImage > fuse: device not found, try 'modprobe fuse' first > > Cannot mount AppImage, please check your FUSE setup. > You might still be able to extract the contents of this AppImage > if you run it with the --appimage-extract option. > See https://github.com/AppImage/AppImageKit/wiki/FUSE > for more information > open dir error: No such file or directory > ``` Could this help? : ``` $ fusermount -V fusermount version: 2.9.9 ```
gitea-mirror commented 2026-05-05 09:08:19 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 27, 2021):

any progress?

<!-- gh-comment-id:808770216 --> @rusty-snake commented on GitHub (Mar 27, 2021): any progress?
gitea-mirror commented 2026-05-05 09:08:19 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (Apr 12, 2021):

any progress?

Hi,
Thanks for asking :)
Unfortunately no :/
Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

<!-- gh-comment-id:818024256 --> @esp13 commented on GitHub (Apr 12, 2021): > any progress? Hi, Thanks for asking :) Unfortunately no :/ Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.
gitea-mirror commented 2026-05-05 09:08:20 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 16, 2021):

Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

Downloaded that AppImage and running firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal...

<!-- gh-comment-id:821117203 --> @ghost commented on GitHub (Apr 16, 2021): > Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues. Downloaded that AppImage and running `firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage` works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal...
gitea-mirror commented 2026-05-05 09:08:20 -06:00
Author
Owner
Copy link

@esp13 commented on GitHub (May 1, 2021):

ALLELUIA!!! Today this worked:

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile
./molotov.AppImage --appimage-extract-and-run --no-sandbox

I don't understand what changed I didn't get same results in february
The Fuse version and the FireJail version are still the same:

fusermount -V
fusermount version: 2.9.9

firejail --version
firejail version 0.9.62

But I still can't get it working with the simpler:

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile
./molotov.AppImage --no-sandbox

I still get this error:

fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory`

Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

Downloaded that AppImage and running firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal...

Thank you, I will give a new try for OpenHV too
-Edit :-

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/openhv.profile
./OpenHV-20210401-x86_64.AppImage --appimage-extract-and-run
Platform is Linux
Engine version is 52d39db84aa8baf5e5b1f979bcd32fad9822b3b9
Runtime: .NET CLR 5.0.5

And one core of the CPU go 100% and stay 100% and nothing happens
I used the same profile that for molotov, maybe too restrictiv

-Edit2 :-
I tried on other computer with other distribution (with LMDE4 instead of last LM) and got it working but without sound for now.

On the computer where it doesn't work I think the game is running but nothing appears on screen. I have two screens, maybe could it related to.

<!-- gh-comment-id:830654710 --> @esp13 commented on GitHub (May 1, 2021): ALLELUIA!!! Today this worked: ``` firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile ./molotov.AppImage --appimage-extract-and-run --no-sandbox ``` I don't understand what changed I didn't get same results in february The Fuse version and the FireJail version are still the same: ``` fusermount -V fusermount version: 2.9.9 ``` ``` firejail --version firejail version 0.9.62 ``` But I still can't get it working with the simpler: ``` firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile ./molotov.AppImage --no-sandbox ``` I still get this error: ``` fuse: device not found, try 'modprobe fuse' first Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage if you run it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information open dir error: No such file or directory` ``` > > Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues. > > Downloaded that AppImage and running `firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage` works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal... Thank you, I will give a new try for OpenHV too -Edit :- ``` firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/openhv.profile ./OpenHV-20210401-x86_64.AppImage --appimage-extract-and-run Platform is Linux Engine version is 52d39db84aa8baf5e5b1f979bcd32fad9822b3b9 Runtime: .NET CLR 5.0.5 ``` And one core of the CPU go 100% and stay 100% and nothing happens I used the same profile that for molotov, maybe too restrictiv -Edit2 :- I tried on other computer with other distribution (with LMDE4 instead of last LM) and got it working but without sound for now. On the computer where it doesn't work I think the game is running but nothing appears on screen. I have two screens, maybe could it related to.
gitea-mirror commented 2026-05-05 09:08:21 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 4, 2021):

Do you still need help?

<!-- gh-comment-id:892703319 --> @rusty-snake commented on GitHub (Aug 4, 2021): Do you still need help?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2450
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?