Comments (15)
Preparing a patch, should not take long.
from appimaged.
Current development version: 0.9.41 specifically adds an --appimage
parameter that lets us run AppImages very comfortably inside the sandbox.
https://github.com/netblue30/firejail
from appimaged.
appimaged uses firejail to run AppImages when it is installed.
from appimaged.
This is fantastic news. Of the many implementations, AppImage (Digikam AppImage precisely) is what I used first and really liked it. Today, I spent a good chunk of time exploring Flatpak and Snap.
Of the 3, I really love the simplicity AppImage has. The only thing concerning was sandboxing. I think sandboxing should be a pre-requisite for appimage. Or instead, every appimage appliance should have an option to be run with/without firejail/sandboxing.
Because AppImages will most commonly be used for 3rd party software or New/Unofficial/Pre-Release versions of software. Running such software should mostly happen in a jailed environment.
from appimaged.
True. appimaged has the basic infrastructure for this in place. Add some signature checking and webs-of-trust, and we can make this happen. Do I hear a volunteer @rickysarraf?
from appimaged.
I have been wanting to do this. But like I said, I'm pretty new to these tools.
Excellent, feel free to look around here, and ask questions if you find something is unclear. There is also a forum at http://discourse.appimage.org/
My intent also is to get appimaged and other helper tools, packaged for Debian. I'm a Debian Developer, love the concept of AppImage, and see these tools as a good fit to be packaged for Debian.
That would be very worthwhile. Also see this (although that ticket is about RPM most will be applicable for deb too).
I haven't looked into the implementation yet, but what I desire AppImage to do, is to stick to its ./foo.appimage way of execution, irrespective of running sandboxed (through firejail) or just plain. Within the appimages should be the logic to test if firejail is available, and if available, to use it by default. All of this should be transparent to the user.
Isn't that a logic problem?
The point of a sandbox is that the user does not fully trust the AppImage. Hence any mechanism that invokes the sandboxing from inside the AppImage itself is futile by definition, because the user can only trust a sandbox and its invocation if this happens from the (trusted) outside of the sandbox.
This is why I foresee two ways to execute a downloaded AppImage:
- By manually setting the executable bit and therefore marking the AppImage as fully trusted, or
- By using the optional appimaged daemon which does not set the executable bit when Firejail is installed, but runs the AppImage inside Firejail (this is already implemented, although without any restrictions in the Firejail profile so far; one could give a properly signed AppImage more permissions than an unsigned one or do something like Android which asks the user for specific permissions).
Or am I missing something there?
from appimaged.
If someone is interested in beefing up Firejail security in appimaged, please discuss with us how we could get a good customer experience. @netblue30 could you recommend a few generic profiles (better than nothing) or would we have to integrate something like https://github.com/netblue30/firejail/tree/master/etc (sounds like a lot of work and cluttered user experience)?
How is Apple doing the sandboxing for the Mac App Store?
from appimaged.
What would be the upside/downside of using Firejail vs. AppArmor?
from appimaged.
When running AppImage archives, unless the user requests a specific profile, Firejail picks up /etc/firejail/default.profile. This is the most restrictive generic profile we have, it looks something like this:
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
"include /etc/firejail/disable-common.inc" disables all known password and encryption files in home directory, "include /etc/firejail/disable-programs.inc" disables program configuration for about 250 common programs such as Firefox and VLC, and "include /etc/firejail/disable-passwdmgr.inc" disables the storage files for several password managers.
This profile is also used for regular executables installed on the system. The way it works is that if Firejail cannot figure out what program the user is requesting, it will use this profile - the name of the program is extracted from the argc/argv params in the main() function.
What we are missing for AppImage archives is a way for Firejail to extract the name of the real program. All I have at this moment is the AppRun executable inside the image.
I can also try to guess it from the name of AppImage archive. For example Leafpad-0.8.17-x86_64.AppImage could become /etc/firejail/leafpad.profile - convert to lowercase and grab the first word.
Either way we go, it would be easy to implement on my side. I can even go with a combination of the two.
Re AppArmor:
Some people use Firejail on top of AppArmor or SELinux. There are only a few profiles for GUI programs available, about 5 of them for AppArmor and none for SELinux. Another problem is availability - basically you get SELinux on RedHat distros and AppArmor on Ubuntu distros. On all other distributions the user has to install them manually.
from appimaged.
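The file-name heuristic proposed in the comment above (lowercase, first word, fall back to default.profile), as an added sketch that is not Firejail or appimaged code. PROFILE_DIR, guess_name and resolve_profile are hypothetical names, and the set of word separators is an assumption. Because the file name is chosen by whoever ships or renames the AppImage, the guess is restricted to a plain alphanumeric token and can only select a profile that already exists.

```shell
#!/bin/sh
# Added example: map an AppImage file name to a Firejail profile path.
# PROFILE_DIR is a hypothetical override so the logic can be tried
# without touching /etc/firejail.
LC_ALL=C; export LC_ALL          # make the a-z range below ASCII-only
PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"

# Print the guessed program name: first word of the file name, lowercased.
# Fails (prints nothing) unless the result is a plain [a-z0-9] token, so a
# crafted file name cannot smuggle "/" or ".." into the profile path.
guess_name() {
    base=${1##*/}                 # drop any directory part
    base=${base%.[Aa]pp[Ii]mage}  # drop the extension
    word=${base%%[-_ .]*}         # first word (separators are an assumption)
    word=$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')
    case $word in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    printf '%s\n' "$word"
}

# Print the profile to use: the per-program profile if one is installed,
# otherwise the restrictive generic default.profile.
resolve_profile() {
    if name=$(guess_name "$1") && [ -f "$PROFILE_DIR/$name.profile" ]; then
        printf '%s\n' "$PROFILE_DIR/$name.profile"
    else
        printf '%s\n' "$PROFILE_DIR/default.profile"
    fi
}

# Constructed sample names, including one that must not leave PROFILE_DIR.
for f in Leafpad-0.8.17-x86_64.AppImage '..-1.AppImage' 'a;b-2.AppImage'; do
    printf '%s -> %s\n' "$f" "$(resolve_profile "$f")"
done
```

A launcher running outside the sandbox could pass the result to firejail with --profile= alongside --appimage; a renamed file still changes which profile is picked, so the guess is a convenience and not an identity check.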
Please move it to the appimaged repo
from appimaged.
Firejail support was lost at some point when moving to libappimage
from appimaged.
Firejail support was lost at some point when moving to libappimage
Oops, what do you mean by "Firejail support was lost"? I mean, we never did anything specific to support it...
from appimaged.
From the readme
Optionally you can use a sandbox if you like: If the firejail sandbox is installed, it runs the AppImages with it.
That's exactly what was lost.
from appimaged.
Ah, I see what you mean. Can you restore it? (Shouldn't be too hard.)
from appimaged.