appimage enhancements

4 files changed, 25 insertions, 2 deletions

diff --git a/README.md b/README.md
index 240455ee5..2fe11be06 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,20 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
 
+## AppImage development
+
+Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
+This allows us to use our regular profile files for appimages. We don't have a way to extract the name
+of the executable, so the profile will have to be passed on the command line. Example:
+`````
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
+`````
+Also, we have full AppArmor support for AppImages:
+`````
+
+$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
+`````
+
 ## Seccomp development
 
 Replaced the our seccomp disassembler with a real disassembler lifted from
diff --git a/RELNOTES b/RELNOTES
index 3a7819514..3288730b4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,8 @@
 firejail (0.9.53) baseline; urgency=low
   * work in progress
+  * modif: support for private-bin, private-lib and shell none has been
+     disabled while running AppImage archives in order to be able to use
+     our regular profile files with AppImages.
   * modif: restrictions for /proc, /sys and /run/user directories
      are moved from AppArmor profile into firejail executable
   * modif: unifying Chromium and Firefox browsers profiles.
@@ -7,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low
      that read/write from ${HOME} will need to uncomment the includes for
      firefox-common-addons.inc in firefox-common.profile.
   * AppArmor support for overlayfs and chroot sandboxes
+  * AppArmor support for AppImages
   * Enable AppArmor by default for Firefox, Chromium, Transmission
      VLC and mpv
   * firejail --apparmor.print option
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7543c5f4b..e8556de2d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2321,6 +2321,9 @@ int main(int argc, char **argv) {
                                 cfg.command_name = strdup(argv[i]);
                                 if (!cfg.command_name)
                                         errExit("strdup");
+
+                                // disable shell=* for appimages
+                                arg_shell_none = 0;
                         }
                         else
                                 extract_command_name(i, argv);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 503d822a9..96b7b267b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-        if (arg_private_bin) {
+        // private-bin is disabled for appimages
+        if (arg_private_bin && !arg_appimage) {
                 if (cfg.chrootdir)
                         fwarning("private-bin feature is disabled in chroot\n");
                 else if (arg_overlay)
@@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
-        if (arg_private_lib) {
+        // private-lib is disabled for appimages
+        if (arg_private_lib && !arg_appimage) {
                 if (cfg.chrootdir)
                         fwarning("private-lib feature is disabled in chroot\n");
                 else if (arg_overlay)