
Appimage not working with firejail

Open EdiDD opened this issue 3 years ago • 13 comments

firejail --profile=electron-mail --appimage electron-mail-4.15.0-linux-x86_64.AppImage

Error: /bin/bash: line 1: /run/firejail/appimage/AppRun: permission denied

EdiDD, May 29 '22 13:05

I'm not going to look into it in the near future. Maybe someone else will. The workaround is using another package type.

vladimiry, May 29 '22 19:05

I was able to replicate and fix this issue. The long-term solution is to use the newest appimagetool when creating the package.

You can fix the AppImage according to this example.

First:

chmod +x electron-mail-4.15.0-linux-x86_64.AppImage

Then: (replace Foo.AppImage in this example with electron-mail-4.15.0-linux-x86_64.AppImage)

./Foo.AppImage --appimage-extract
sudo chmod 755 squashfs-root
find ./squashfs-root -type d -exec sudo chmod 755 {} \;
mv squashfs-root Foo.AppDir

Install newest version of appimagetool, then:

appimagetool ./Foo.AppDir

Then finally run the new AppImage created in the same directory with original firejail command.

The long-term solution is to package the AppImage with the newest version of appimagetool:

use appimagetool newer than commit f79c15d to prevent the problem from coming back

Solution from: https://github.com/AppImage/AppImageKit/issues/1032#issuecomment-857296004

arch-btw, May 29 '22 22:05
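The manual steps in the comment above (extract, make every directory traversable, repackage) can be turned into a small pre-flight check plus fix. The script below is an added example and is not code from the issue thread or from the ElectronMail project; it assumes the extracted tree is named Foo.AppDir and that the `--appimage-extract` and `appimagetool` steps are run separately with the real tools. The check is what the "permission denied" on AppRun points at: a directory in the squashfs tree that an unprivileged, sandboxed process cannot enter. No sudo is used because the extracted tree belongs to the invoking user.

```shell
#!/bin/sh
# Added example (not from the issue thread): normalise the permissions of an
# extracted AppImage tree before repackaging it with appimagetool.
# "Foo.AppDir" and the helper names are assumptions for illustration.

# Return 0 if every directory under $1 has at least mode 755 (traversable by
# everyone) and $1/AppRun is executable; list the offenders and return 1 otherwise.
check_appdir() {
    appdir="$1"
    rc=0
    # "! -perm -755" matches directories missing any of u+rwx, g+rx, o+rx
    bad_dirs=$(find "$appdir" -type d ! -perm -755)
    if [ -n "$bad_dirs" ]; then
        printf 'non-traversable directories:\n%s\n' "$bad_dirs"
        rc=1
    fi
    if [ ! -x "$appdir/AppRun" ]; then
        printf 'AppRun is not executable: %s/AppRun\n' "$appdir"
        rc=1
    fi
    return "$rc"
}

# The fix from the thread: 755 on every directory so the sandboxed process can
# enter it, and an executable AppRun entry point.
fix_appdir() {
    appdir="$1"
    find "$appdir" -type d -exec chmod 755 {} \;
    chmod 755 "$appdir/AppRun"
}

# Repackage with appimagetool when it is installed. The checks above do not
# need it; this is only the final step of the procedure.
repack_appdir() {
    appdir="$1"
    if command -v appimagetool >/dev/null 2>&1; then
        appimagetool "$appdir"
    else
        echo "appimagetool not found; install a release newer than commit f79c15d and rerun" >&2
        return 2
    fi
}
```

Typical use after `./Foo.AppImage --appimage-extract && mv squashfs-root Foo.AppDir` is `check_appdir Foo.AppDir || fix_appdir Foo.AppDir`, then `repack_appdir Foo.AppDir`, and finally the original firejail command against the new AppImage.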

The app uses https://github.com/AppImage/AppImageKit/releases/tag/13 for packaging. The date of this release is Dec 31 2020, so quite old.

The https://github.com/AppImage/AppImageKit/releases/tag/continuous won't work since I need a static binary due to the hash sum check. Some trustworthy binary download source with new binary releases other than https://github.com/AppImage/AppImageKit/releases/ is needed in order to update the tool version used by the app.

vladimiry, May 29 '22 23:05

The https://github.com/AppImage/AppImageKit/releases/tag/continuous won't work since I need a static binary due to the hash sum check.

The long-standing upstream/blocker issue is here https://github.com/AppImage/AppImageKit/issues/849.

vladimiry, May 30 '22 07:05

By the way, just curious, why would anyone prefer an appimage app package over the other Linux options (especially flatpak/snap)? I understand that it's about portability across different OSes, but flatpak is also about isolation (so it generally provides better security).

vladimiry, May 30 '22 07:05

By the way, just curious, why would anyone prefer an appimage app package over the other Linux options (especially flatpak/snap)?

Because it is the most convenient solution. It doesn't need to download a whole runtime environment like flatpak does. It doesn't need to load and run system services. It is also best for a fast and simple test of whether an app is what you are looking for.

EdiDD, May 30 '22 09:05

It is also best for a fast and simple test of whether an app is what you are looking for.

Using appimage for test purposes makes sense to me. Afaik, there are no isolation capabilities in appimage like those flatpak comes with (I updated my previous comment just before you posted the update). But you handle isolation using the firejail tool, which is a good option overall.

vladimiry, May 30 '22 09:05

Any luck with this build? The only change in relation to appimage is tweaking the permissions before repackaging.

Starting it with the firejail --profile=electron-mail --appimage electron-mail-5.0.1-linux-x86_64.AppImage command ends up for me with the following console output:

Reading profile /etc/firejail/electron-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 8292, child pid 8306

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Private /opt installed in 1022.33 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/65-non-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/66-aliases-wine-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/60-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/30-metric-aliases-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/37-repl-global-ms.conf, cannot find inode
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 115.25 ms
Private /usr/etc installed in 0.01 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 1510.76 ms

Parent is shutting down, bye...
AppImage detached

So it looks like I need to configure firejail somehow.

vladimiry, Jun 09 '22 06:06

Did you try loading the apparmor firejail-default profile? I don't know if it was critical, but apparmor is used in electron-mail.profile.

EdiDD, Jun 09 '22 07:06

Yes, I have tried the default profile and the noprofile option. Much less stuff gets printed to the console, but the outcome is the same: the "Parent is shutting down, bye..." message.

vladimiry, Jun 09 '22 08:06

FYI: firejail --appimage + electron-program.AppImage does not work if unprivileged userns clone is disabled. You will either need to directly run the appimage (firejail --ignore='noexec ${HOME}' --ignore=apparmor --profile=electron-mail ./electron-mail-4.15.0-linux-x86_64.AppImage) or pass --no-sandbox, which you should not do(!).

rusty-snake, Jun 09 '22 08:06
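The comment above ties the failure to unprivileged user namespaces being disabled on the host. The script below is an added example, not rusty-snake's code or anything from the ElectronMail project: a pre-flight check that reads the two kernel knobs governing unprivileged user namespaces and then prints the launch command that matches the host state, never falling back to --no-sandbox. The optional root-prefix argument is an assumption for testability (it lets the check run against a constructed /proc tree); with no prefix it reads the real /proc. The two sysctl paths are real: kernel.unprivileged_userns_clone exists on Debian, Ubuntu and Arch kernels, and user.max_user_namespaces is the mainline limit, where 0 also disables them.

```shell
#!/bin/sh
# Added example (not from the issue thread): report whether unprivileged user
# namespaces, which "firejail --appimage" relies on, are available.
# $1 is an optional root prefix (assumption for testing); default is the real /proc.
userns_status() {
    root="${1:-}"
    # Distribution-kernel switch: 0 means unprivileged userns clone is disabled.
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "disabled:unprivileged_userns_clone=0"
        return 1
    fi
    # Mainline knob: a limit of 0 user namespaces disables them as well.
    maxns="$root/proc/sys/user/max_user_namespaces"
    if [ -r "$maxns" ] && [ "$(cat "$maxns")" = "0" ]; then
        echo "disabled:max_user_namespaces=0"
        return 1
    fi
    echo "enabled"
    return 0
}

# Print the firejail command that fits the host: the --appimage mount path when
# user namespaces are available, otherwise the direct-run form from the comment
# above. --no-sandbox is deliberately never emitted; it removes Chromium's own
# renderer sandbox, which is the wrong trade for a mail client.
appimage_launch_cmd() {
    appimage="$1"
    if userns_status "${2:-}" >/dev/null; then
        printf "firejail --profile=electron-mail --appimage %s\n" "$appimage"
    else
        printf "firejail --ignore='noexec \${HOME}' --ignore=apparmor --profile=electron-mail %s\n" "$appimage"
    fi
}
```

Usage on a real host is `userns_status` (exit status 0 means available) followed by `sh -c "$(appimage_launch_cmd ./electron-mail-4.15.0-linux-x86_64.AppImage)"`; the thread's later output shows that the direct-run form additionally needs a working FUSE setup inside the sandbox, which this check does not cover.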

firejail version 0.9.68

firejail --ignore='noexec ${HOME}' --ignore=apparmor --profile=electron-mail ./electron-mail-5.0.1-linux-x86_64.AppImage (same without --ignore='noexec ${HOME}' part):

Reading profile /etc/firejail/electron-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 22249, child pid 22250
Private /opt installed in 863.05 ms
1 program installed in 1.05 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/65-non-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/66-aliases-wine-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/60-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/30-metric-aliases-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/37-repl-global-ms.conf, cannot find inode
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 33.49 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 1030.40 ms
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

pass --no-sandbox, which you should not do(!)

Actually, the app embeds it into the AppRun script since at that time I didn't find a better workaround for running AppImage without a headache for those who have unprivileged userns clone disabled.

vladimiry, Jun 09 '22 08:06

Actually, the app embeds it into the AppRun script

Then at least this is not an issue here.

rusty-snake, Jun 09 '22 08:06