[GH-ISSUE #861] Support AppImage type 2 image format #584

Closed
opened 2026-05-05 06:13:13 -06:00 by gitea-mirror · 11 comments

Originally created by @probonopd on GitHub (Oct 16, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/861

Please support the AppImage [type 2 image format](https://github.com/AppImage/AppImageSpec/blob/master/draft.md#type-2-image-format). This is the next-generation format that is using squashfs instead of ISO9660, and enables features such as embedded GPG signatures and other new functionality.

It should be pretty straightforward to use type 2 images, loop-mount them using the kernel with `-o,offset=xxxxx`. The offset is the [length of the ELF file](https://gist.github.com/probonopd/a490ba3401b5ef7b881d5e603fa20c93) in bytes. Appended to the ELF is the squashfs image.

Tools to work with type 2 images:
https://github.com/probonopd/appimagetool

Example type 2 image:
https://bintray.com/probono/AppImages/download_file?file_path=Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
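
The offset calculation described in the request above, as an added example (not code from the issue, the linked gist, or firejail). It assumes the section header table is the last part of the ELF runtime, so the ELF length is `e_shoff + e_shentsize * e_shnum`; the function names and the in-memory sample image are constructed for illustration. Because the header values come from an untrusted file, the offset is bounds-checked and the squashfs magic is verified before the offset is used in a mount option.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs superblock magic


def elf_length(data: bytes) -> int:
    """ELF size implied by the header: end of the section header table."""
    # 64 bytes covers the ELF64 header; any real runtime is far larger.
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file or header truncated")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("bad EI_DATA")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELFCLASS64: e_shoff at 0x28, e_shentsize at 0x3A
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
    elif ei_class == 1:  # ELFCLASS32: e_shoff at 0x20, e_shentsize at 0x2E
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
    else:
        raise ValueError("bad EI_CLASS")
    return e_shoff + e_shentsize * e_shnum


def squashfs_offset(data: bytes) -> int:
    """Offset of the appended squashfs image, validated against the file."""
    off = elf_length(data)
    if off + len(SQUASHFS_MAGIC) > len(data):
        raise ValueError("ELF length points past end of file")
    if data[off:off + 4] != SQUASHFS_MAGIC:
        raise ValueError("no squashfs superblock at end of ELF")
    return off


def mount_options(off: int) -> str:
    """Option string for a read-only loop mount at the computed offset."""
    return f"loop,ro,offset={off}"


def make_sample(shnum: int = 2, payload: bytes = SQUASHFS_MAGIC + bytes(92)) -> bytes:
    """Constructed sample: minimal ELF64 header, empty section table, payload."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              2, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, shnum, 0)
    return hdr + bytes(64 * shnum) + payload


if __name__ == "__main__":
    print(mount_options(squashfs_offset(make_sample())))
```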


@netblue30 commented on GitHub (Oct 16, 2016):

Will do!


@netblue30 commented on GitHub (Oct 23, 2016):

Looks pretty cool, you basically cut the size of the image in half! I have the support in, it will autodetect the type and mount iso or squashfs accordingly:

```
$ firejail --private --appimage appimage-name
```

For now use --private or a --profile command. I'll bring in support to pick up a profile automatically based on the application name.


@probonopd commented on GitHub (Oct 23, 2016):

Cool, thanks, will test asap.


@probonopd commented on GitHub (Oct 23, 2016):

Isn't it dangerous that the user can launch the app directly from `/run/firejail/appimage/appimage-...`?


@probonopd commented on GitHub (Oct 23, 2016):

Do we really need that many processes around?

```
24121 ?        S      0:00 firejail --private --appimage /home/me/Downloads/Code::Blocks_IDE-16.01.glibc2.14-x86_64.AppImage
24122 ?        S<     0:00 [loop6]
24125 ?        S      0:00 firejail --private --appimage /home/me/Downloads/Code::Blocks_IDE-16.01.glibc2.14-x86_64.AppImage
24127 ?        S      0:00 /bin/bash /run/firejail/appimage/appimage-24121/AppRun
24131 ?        Sl     0:01 /run/firejail/appimage/appimage-24121/usr/bin/codeblocks
```

@netblue30 commented on GitHub (Oct 23, 2016):

> Do we really need that many processes around

You can get rid of 24127 if you use --shell=none. I don't know what that [loop6] process is.

> Isn't it dangerous that the user can launch the app directly from /run/firejail/appimage/appimage-...?

The idea is to mount it under /run instead of /tmp because in /tmp everybody has write access, while in /run only root can write.


@probonopd commented on GitHub (Oct 23, 2016):

How can we avoid the artefact that file managers show a new disk for a fraction of a second during mounting and unmounting?

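![peek 2016-10-23 16-10](https://cloud.githubusercontent.com/assets/2480569/19626883/4f0f94fa-993b-11e6-8d28-5db903f41480.gif)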

Similarly, can it be that Firejail interferes (i.e., breaks) Startup Notifications? Note the two icons instead of one.

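![peek 2016-10-23 16-49](https://cloud.githubusercontent.com/assets/2480569/19627151/bac00810-9940-11e6-89c8-4e3016b4537e.gif)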

This is the relevant desktop file:

```
[Desktop Entry]
Name=Corebird
GenericName=Twitter Client
GenericName[ar]=عامل تويتر
GenericName[de]=Twitter Client
GenericName[es]=Cliente Twitter
GenericName[ja_JP]=Twitter Client
GenericName[nl]=Twitter-client
GenericName[pl]=Klient Twittera
Keywords=twitter;
Exec=firejail --env=DESKTOPINTEGRATION=appimaged --noprofile --appimage '/isodevice/Applications/Corebird-0.9.glibc2.14-x86_64.AppImage'
Type=Application
Icon=appimagekit_b92e28fe0a4b822555a829fe44a719af_corebird
Categories=Network;GTK;
Comment=Use Twitter from within a normal desktop application
Comment[es]=Usa Twitter desde una aplicación de escritorio común
Comment[nl]=Twitter gebruiken vanuit een normaal desktop-programma
Comment[pl]=Korzystanie z Twittera w zwykłym programie
TryExec=/isodevice/Applications/Corebird-0.9.glibc2.14-x86_64.AppImage
Actions=AppImageUpdate;
X-AppImage-Comment=Generated by appimaged a49019d
X-AppImage-Identifier=b92e28fe0a4b822555a829fe44a719af

[Desktop Action FirejailProfile]
Name=Run without sandbox profile
Exec=firejail --env=DESKTOPINTEGRATION=appimaged --private --appimage '/isodevice/Applications/Corebird-0.9.glibc2.14-x86_64.AppImage'
TryExec=firejail

[Desktop Action AppImageUpdate]
Name=Update
Exec=AppImageUpdate /isodevice/Applications/Corebird-0.9.glibc2.14-x86_64.AppImage
TryExec=AppImageUpdate
```

In case you wonder, these entries were generated by the `appimaged` daemon [which now uses firejail](https://github.com/probonopd/appimagetool/commit/1e804b1631a2698dfc070e1d3c48a110e1d70c01) if it is installed.


@probonopd commented on GitHub (Oct 23, 2016):

`firejail --noprofile --shell=none --appimage ...` results in `Error: --shell=none configured, but no program specified`


@netblue30 commented on GitHub (Oct 23, 2016):

> I think by mounting to a mountpoint starting with "."

Done, grab the latest from git. I'll look into --shell=none, it looks like a bug on my side.


@probonopd commented on GitHub (Oct 23, 2016):

> I think by mounting to a mountpoint starting with "."

Actually my mistake, having the mountpoint start with "." does **not** fix this. I currently don't know how to do this properly.


@netblue30 commented on GitHub (Oct 23, 2016):

No problem.

Reference: github-starred/firejail#584