appimage enhancements
netblue30 committed Feb 27, 2018
1 parent 63d455f commit 1738bbf
Showing 4 changed files with 25 additions and 2 deletions.
14 changes: 14 additions & 0 deletions README.md
Expand Up @@ -98,6 +98,20 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
`````
# Current development version: 0.9.53

## AppImage development

Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
This allows us to use our regular profile files for appimages. We don't have a way to extract the name
of the executable, so the profile will have to be passed on the command line. Example:
`````
$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
`````
Also, we have full AppArmor support for AppImages:
`````
$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
`````

## Seccomp development

Replaced the our seccomp disassembler with a real disassembler lifted from
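Review bot: The second example (`firejail --apparmor --appimage ...`) omits `--profile`, although the paragraph above it says the profile has to be passed on the command line because the executable name cannot be extracted; say which profile, if any, applies in that case. The section should also state plainly that private-bin, private-lib and shell none lines in a profile are ignored under `--appimage`, so a reader reusing kdenlive.profile does not assume those restrictions are active.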
4 changes: 4 additions & 0 deletions RELNOTES
@@ -1,12 +1,16 @@
firejail (0.9.53) baseline; urgency=low
* work in progress
* modif: support for private-bin, private-lib and shell none has been
disabled while running AppImage archives in order to be able to use
our regular profile files with AppImages.
* modif: restrictions for /proc, /sys and /run/user directories
are moved from AppArmor profile into firejail executable
* modif: unifying Chromium and Firefox browsers profiles.
All users of Firefox-based browsers who use addons and plugins
that read/write from ${HOME} will need to uncomment the includes for
firefox-common-addons.inc in firefox-common.profile.
* AppArmor support for overlayfs and chroot sandboxes
* AppArmor support for AppImages
* Enable AppArmor by default for Firefox, Chromium, Transmission
VLC and mpv
* firejail --apparmor.print option
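Review bot: The first `modif:` entry describes a reduction in confinement (private-bin, private-lib and shell none are not applied for AppImages) only in terms of profile reuse. Suggest adding that these options are ignored when they appear in a profile or on the command line together with `--appimage`, so users reading the release notes know to check what their AppImage sandboxes actually enforce.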
3 changes: 3 additions & 0 deletions src/firejail/main.c
Expand Up @@ -2321,6 +2321,9 @@ int main(int argc, char **argv) {
cfg.command_name = strdup(argv[i]);
if (!cfg.command_name)
errExit("strdup");

// disable shell=* for appimages
arg_shell_none = 0;
}
else
extract_command_name(i, argv);
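Review bot: The comment says `disable shell=* for appimages`, but the assignment only clears `arg_shell_none`; reword it to say that shell none is ignored for AppImages. The reset is also silent: a user who asked for shell none gets no message that it was dropped, so an fwarning here when `arg_shell_none` was set would help. From the visible lines it is not clear whether a profile parsed after this point can set the flag again; if it can, the reset needs to happen after profile loading.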
6 changes: 4 additions & 2 deletions src/firejail/sandbox.c
Expand Up @@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) {
}
}

if (arg_private_bin) {
// private-bin is disabled for appimages
if (arg_private_bin && !arg_appimage) {
if (cfg.chrootdir)
fwarning("private-bin feature is disabled in chroot\n");
else if (arg_overlay)
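Review bot: With `!arg_appimage` in the outer condition, private-bin is skipped without any message, while the chroot case just below reports `private-bin feature is disabled in chroot` through fwarning. Suggest keeping `if (arg_private_bin)` and adding an `else if (arg_appimage)` branch that calls fwarning in the same style, so a profile that lists private-bin does not look enforced when it is not.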
Expand All @@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) {
}
}

if (arg_private_lib) {
// private-lib is disabled for appimages
if (arg_private_lib && !arg_appimage) {
if (cfg.chrootdir)
fwarning("private-lib feature is disabled in chroot\n");
else if (arg_overlay)
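Review bot: The private-lib condition repeats the silent `!arg_appimage` skip, so a profile that relies on private-lib to reduce the visible library set runs without it and without a warning, unlike the chroot case that prints `private-lib feature is disabled in chroot`. Since the same test now appears at two call sites, an alternative is to clear `arg_private_bin` and `arg_private_lib` once, with a warning, where AppImage mode is detected, next to the `arg_shell_none = 0;` reset in main.c.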
