From 1738bbf7181d6c3b6d9f82bfa5b3f6d21ad503c3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Feb 2018 07:52:49 -0500 Subject: appimage enhancements --- README.md | 14 ++++++++++++++ RELNOTES | 4 ++++ src/firejail/main.c | 3 +++ src/firejail/sandbox.c | 6 ++++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 240455ee5..2fe11be06 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,20 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir ````` # Current development version: 0.9.53 +## AppImage development + +Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. +This allows us to use our regular profile files for appimages. We don't have a way to extract the name +of the executable, so the profile will have to be passed on the command line. Example: +````` +$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage +````` +Also, we have full AppArmor support for AppImages: +````` + +$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage +````` + ## Seccomp development Replaced the our seccomp disassembler with a real disassembler lifted from diff --git a/RELNOTES b/RELNOTES index 3a7819514..3288730b4 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,8 @@ firejail (0.9.53) baseline; urgency=low * work in progress + * modif: support for private-bin, private-lib and shell none has been + disabled while running AppImage archives in order to be able to use + our regular profile files with AppImages. * modif: restrictions for /proc, /sys and /run/user directories are moved from AppArmor profile into firejail executable * modif: unifying Chromium and Firefox browsers profiles. 
@@ -7,6 +10,7 @@ firejail (0.9.53) baseline; urgency=low that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile. * AppArmor support for overlayfs and chroot sandboxes + * AppArmor support for AppImages * Enable AppArmor by default for Firefox, Chromium, Transmission VLC and mpv * firejail --apparmor.print option diff --git a/src/firejail/main.c b/src/firejail/main.c index 7543c5f4b..e8556de2d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2321,6 +2321,9 @@ int main(int argc, char **argv) { cfg.command_name = strdup(argv[i]); if (!cfg.command_name) errExit("strdup"); + + // disable shell=* for appimages + arg_shell_none = 0; } else extract_command_name(i, argv); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 503d822a9..96b7b267b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) { } } - if (arg_private_bin) { + // private-bin is disabled for appimages + if (arg_private_bin && !arg_appimage) { if (cfg.chrootdir) fwarning("private-bin feature is disabled in chroot\n"); else if (arg_overlay) @@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) { } } - if (arg_private_lib) { + // private-lib is disabled for appimages + if (arg_private_lib && !arg_appimage) { if (cfg.chrootdir) fwarning("private-lib feature is disabled in chroot\n"); else if (arg_overlay) -- cgit v1.2.3-70-g09d2
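Review bot: The added comment in the src/firejail/main.c hunk, `// disable shell=* for appimages`, overstates what the code does, because the line under it only clears `arg_shell_none`; something like `// shell none is not supported for AppImages, force it off` would match. The reset also only holds if nothing sets `arg_shell_none` again after this branch has run. Whether a profile is still processed later in `main` is not visible here, since the function continues far beyond the hunk, so that ordering is worth confirming. If a later profile can turn the option back on, the reset belongs after profile processing.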
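Review bot: The new `&& !arg_appimage` condition in the first src/firejail/sandbox.c hunk skips private-bin without telling the user, while the chroot case just below reports the same situation with `fwarning("private-bin feature is disabled in chroot\n")`. A profile that asks for private-bin is then applied with more binaries visible in the sandbox than it requests, and nothing in the output shows it. Keeping `if (arg_private_bin) {` and putting `if (arg_appimage) fwarning("private-bin feature is disabled for AppImage\n");` as the first arm of the existing else-if chain would make the downgrade visible without changing behaviour. The private-lib hunk at -818 has the same gap, and so does the `arg_shell_none = 0;` reset in src/firejail/main.c. Both `if` bodies continue past the end of their hunks.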