Appimage not working with firejail #517

Open
EdiDD opened this issue May 29, 2022 · 13 comments
Comments

@EdiDD

EdiDD commented May 29, 2022

firejail --profile=electron-mail --appimage electron-mail-4.15.0-linux-x86_64.AppImage

Error:
/bin/bash: line 1: /run/firejail/appimage/AppRun: permission denied

@vladimiry
Owner

vladimiry commented May 29, 2022

I'm not going to look into it in the near future. Maybe someone else will. The workaround is using another package type.

@arch-btw
Contributor

arch-btw commented May 29, 2022

I was able to replicate and fix this issue.
The long-term solution is to use the newest appimagetool when creating the package.

You can fix the AppImage according to this example.

First:

chmod +x electron-mail-4.15.0-linux-x86_64.AppImage

Then: (replace Foo.AppImage in this example with electron-mail-4.15.0-linux-x86_64.AppImage)

./Foo.AppImage --appimage-extract
sudo chmod 755 squashfs-root
find ./squashfs-root -type d -exec sudo chmod 755 {} \;
mv squashfs-root Foo.AppDir

Install newest version of appimagetool, then:

appimagetool ./Foo.AppDir

Then finally run the new AppImage created in the same directory with original firejail command.

The long-term solution is to package the AppImage with the newest version of appimagetool:

use appimagetool newer than commit f79c15d to prevent the problem from coming back

Solution from: AppImage/AppImageKit#1032 (comment)
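The manual chmod steps in the comment above, written up as a small check-and-repair script. This is an added example, not code from the thread or from the electron-mail project: it counts directories in an extracted AppDir that are not at least r-x for everyone and verifies that AppRun is executable, then applies the same 755 repair the comment uses. Treating 0555 as the minimum acceptable mode is an assumption derived from the 755 in the fix; the function names and the `./Foo.AppDir` argument are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair the permission
# problem the comment above fixes by hand. After `--appimage-extract`, the
# tree needs directories that are at least r-x for owner, group and other,
# and an executable AppRun; otherwise the sandboxed launcher fails with
# "AppRun: permission denied". The thread sets 755; this script accepts
# anything at least 0555 (an assumption) and repairs to 755.
# Assumes POSIX find/chmod. Usage: sh appdir-perms.sh ./Foo.AppDir

# Count directories at or below $1 that are not at least r-x for everyone.
appdir_bad_dir_count() {
    find "$1" -type d ! -perm -0555 | wc -l | tr -d ' '
}

# Succeed only if $1/AppRun is a regular file that is r-x for everyone.
appdir_apprun_ok() {
    [ -f "$1/AppRun" ] && find "$1/AppRun" -type f -perm -0555 | grep -q .
}

# Report the state of the tree; exit status 0 when it is ready to repackage.
appdir_check() {
    bad=$(appdir_bad_dir_count "$1")
    echo "directories lacking r-x for all: $bad"
    if appdir_apprun_ok "$1"; then
        echo "AppRun: ok"
    else
        echo "AppRun: missing or not executable"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Repair: the same chmod the comment above applies. The thread prefixes it
# with sudo, which is only needed when you do not own the extracted tree.
appdir_fix() {
    chmod 755 "$1"
    find "$1" -type d -exec chmod 755 {} \;
    if [ -f "$1/AppRun" ]; then
        chmod 755 "$1/AppRun"
    fi
}

# Stand-alone use: check the given AppDir, repair if needed, and re-check.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    appdir_check "$1" || { appdir_fix "$1"; appdir_check "$1"; }
fi
```

Run `appdir_check` once before `appimagetool ./Foo.AppDir` so the repackaged image does not carry the same unreadable directories forward; a non-zero count after `appdir_fix` means the tree contains entries the current user cannot chmod.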

@vladimiry
Owner

vladimiry commented May 29, 2022

The app uses https://github.com/AppImage/AppImageKit/releases/tag/13 for packaging. The date of this release is Dec 31, 2020, so quite old.

The https://github.com/AppImage/AppImageKit/releases/tag/continuous won't work since I need a static binary due to the hash sum check. Some trustworthy binary download source with new binary releases other than https://github.com/AppImage/AppImageKit/releases/ is needed in order to update the tool version used by the app.

@vladimiry
Owner

The https://github.com/AppImage/AppImageKit/releases/tag/continuous won't work since I need a static binary due to the hash sum check.

The long-standing upstream/blocker issue is here AppImage/AppImageKit#849.

@vladimiry
Owner

vladimiry commented May 30, 2022

By the way, just curious, why would anyone prefer an appimage app package over the other Linux options (especially flatpak/snap)? I understand that it's about portability across different OSes, but flatpak is also about isolation (so it generally provides better security).

@EdiDD
Author

EdiDD commented May 30, 2022

By the way, just curious, why would anyone prefer appimage app package over the other Linux options (especially flatpak/snap)?

Because it is the most convenient solution. It doesn't need to download a whole runtime environment like flatpak does. It doesn't need to load and run system services. It is also best for a fast and simple test of whether an app is what you are looking for.

@vladimiry
Owner

It is also best for fast and simple test if app is what you are looking for.

Using appimage for test purposes makes sense to me. Afaik, there are no isolation capabilities in appimage like flatpak comes with (I've updated my previous comment just before you posted the update). But you handle isolation using the firejail tool, which is a good option overall.

@vladimiry
Owner

Any luck with this build? The only change in relation to appimage is tweaking the permissions before repackaging.

Starting it using firejail --profile=electron-mail --appimage electron-mail-5.0.1-linux-x86_64.AppImage command ends up for me with the following console output:

Reading profile /etc/firejail/electron-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 8292, child pid 8306

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Private /opt installed in 1022.33 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/65-non-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/66-aliases-wine-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/60-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/30-metric-aliases-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/37-repl-global-ms.conf, cannot find inode
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 115.25 ms
Private /usr/etc installed in 0.01 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 1510.76 ms

Parent is shutting down, bye...
AppImage detached

So it looks like I need to configure firejail somehow.

@EdiDD
Author

EdiDD commented Jun 9, 2022

Did you try loading the apparmor firejail-default profile? I don't know if it was critical, but apparmor is used in electron-mail.profile.

@vladimiry
Owner

Yes, I have tried the default profile and the noprofile option. Much less stuff gets printed to the console, but the outcome is the same: the Parent is shutting down, bye... message.

@rusty-snake

rusty-snake commented Jun 9, 2022

FYI: firejail --appimage + electron-program.AppImage does not work if unprivileged userns clone is disabled. You will either need to directly run the appimage (firejail --ignore='noexec ${HOME}' --ignore=apparmor --profile=electron-mail ./electron-mail-4.15.0-linux-x86_64.AppImage) or pass --no-sandbox, which you should not do(!).

@vladimiry
Owner

vladimiry commented Jun 9, 2022

firejail version 0.9.68

firejail --ignore='noexec ${HOME}' --ignore=apparmor --profile=electron-mail ./electron-mail-5.0.1-linux-x86_64.AppImage (same without --ignore='noexec ${HOME}' part):

Reading profile /etc/firejail/electron-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 22249, child pid 22250
Private /opt installed in 863.05 ms
1 program installed in 1.05 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning fcopy: skipping /etc/fonts/conf.d/65-non-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/66-aliases-wine-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/60-latin-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/30-metric-aliases-ms.conf, cannot find inode
Warning fcopy: skipping /etc/fonts/conf.d/37-repl-global-ms.conf, cannot find inode
Warning: skipping pki for private /etc
Warning: skipping selinux for private /etc
Private /etc installed in 33.49 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 1030.40 ms
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

pass --no-sandbox, which you should not do(!)

Actually, the app embeds it into the AppRun script since at that time I didn't find a better workaround for running AppImage without a headache for those who have unprivileged userns clone disabled.
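The two host conditions raised in this part of the thread (unprivileged user namespace creation being disabled, as rusty-snake notes, and FUSE being unavailable, as the "fuse: device not found" output above shows) can be checked before launching. The script below is an added example, not code from the thread, firejail or the electron-mail project. The kernel files are parameters with real defaults so the checks can be exercised against constructed files; reading the Debian/Ubuntu `kernel.unprivileged_userns_clone` knob and the upstream `user.max_user_namespaces` limit as described in the comments is an assumption, and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): host preflight for the two conditions
# the comments above show breaking `firejail --appimage` with an Electron
# AppImage: unprivileged user namespaces disabled, and FUSE unavailable.
# Paths are parameters (defaulting to the real kernel interfaces) so the
# checks can be run against constructed files.

# Succeed if an unprivileged process may create user namespaces.
# $1: unprivileged_userns_clone file (absent on kernels without that patch,
#     which we treat as allowed); $2: max_user_namespaces file (0 = disabled).
# Interpreting these two knobs this way is an assumption, not from the thread.
userns_allowed() {
    clone="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    max="${2:-/proc/sys/user/max_user_namespaces}"
    if [ -e "$clone" ] && [ "$(cat "$clone")" != "1" ]; then
        return 1
    fi
    if [ -e "$max" ] && [ "$(cat "$max")" = "0" ]; then
        return 1
    fi
    return 0
}

# Succeed if the FUSE character device is present (fuse module loaded).
fuse_available() {
    [ -c "${1:-/dev/fuse}" ]
}

# Print one line per check; exit status is the number of failed checks.
appimage_preflight() {
    fails=0
    if userns_allowed "$1" "$2"; then
        echo "userns: unprivileged user namespaces allowed"
    else
        echo "userns: disabled; firejail --appimage + Electron will not start (see comment above)"
        fails=$((fails + 1))
    fi
    if fuse_available "$3"; then
        echo "fuse: device present"
    else
        echo "fuse: device missing; try 'modprobe fuse' or run with --appimage-extract"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: check the real host files (no arguments = defaults).
appimage_preflight || echo "preflight: $? check(s) failed"
```

A failing userns check is the case where the only remaining options are the ones the thread names, running the AppImage directly under a profile or giving up the Chromium sandbox; the script only reports, it never changes kernel settings.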

@rusty-snake

Actually, the app embeds it into the AppRun script

Then at least this is not an issue here.
