appimage enhancements

netblue30 · netblue30 · commit 1738bbf7181d · 2018-02-27T07:52:49.000-05:00
diff --git a/README.md b/README.md
@@ -98,6 +98,20 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 `````
 # Current development version: 0.9.53
 
+## AppImage development
+
+Support for private-bin, private-lib and shell none has been disabled while running AppImage archives.
+This allows us to use our regular profile files for appimages. We don't have a way to extract the name
+of the executable, so the profile will have to be passed on the command line. Example:
+`````
+$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
+`````
+Also, we have full AppArmor support for AppImages:
+`````
+
+$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage
+`````
+
 ## Seccomp development
 
 Replaced the our seccomp disassembler with a real disassembler lifted from
diff --git a/RELNOTES b/RELNOTES
@@ -1,12 +1,16 @@
 firejail (0.9.53) baseline; urgency=low
   * work in progress
+  * modif: support for private-bin, private-lib and shell none has been
+     disabled while running AppImage archives in order to be able to use
+     our regular profile files with AppImages.
   * modif: restrictions for /proc, /sys and /run/user directories
      are moved from AppArmor profile into firejail executable
   * modif: unifying Chromium and Firefox browsers profiles.
      All users of Firefox-based browsers who use addons and plugins
      that read/write from ${HOME} will need to uncomment the includes for
      firefox-common-addons.inc in firefox-common.profile.
   * AppArmor support for overlayfs and chroot sandboxes
+  * AppArmor support for AppImages
   * Enable AppArmor by default for Firefox, Chromium, Transmission
      VLC and mpv
   * firejail --apparmor.print option
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -2321,6 +2321,9 @@ int main(int argc, char **argv) {
 				cfg.command_name = strdup(argv[i]);
 				if (!cfg.command_name)
 					errExit("strdup");
+
+				// disable shell=* for appimages
+				arg_shell_none = 0;
 			}
 			else
 				extract_command_name(i, argv);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
-	if (arg_private_bin) {
+	// private-bin is disabled for appimages
+	if (arg_private_bin && !arg_appimage) {
 		if (cfg.chrootdir)
 			fwarning("private-bin feature is disabled in chroot\n");
 		else if (arg_overlay)
@@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
-	if (arg_private_lib) {
+	// private-lib is disabled for appimages
+	if (arg_private_lib && !arg_appimage) {
 		if (cfg.chrootdir)
 			fwarning("private-lib feature is disabled in chroot\n");
 		else if (arg_overlay)

Original file line number	Diff line number	Diff line change
`@@ -799,7 +799,8 @@ int sandbox(void* sandbox_arg) {`
`799`	`799`	`}`
`800`	`800`	`}`
`801`	`801`
`802`		`- if (arg_private_bin) {`
	`802`	`+ // private-bin is disabled for appimages`
	`803`	`+ if (arg_private_bin && !arg_appimage) {`
`803`	`804`	`if (cfg.chrootdir)`
`804`	`805`	`fwarning("private-bin feature is disabled in chroot\n");`
`805`	`806`	`else if (arg_overlay)`
`@@ -818,7 +819,8 @@ int sandbox(void* sandbox_arg) {`
`818`	`819`	`}`
`819`	`820`	`}`
`820`	`821`
`821`		`- if (arg_private_lib) {`
	`822`	`+ // private-lib is disabled for appimages`
	`823`	`+ if (arg_private_lib && !arg_appimage) {`
`822`	`824`	`if (cfg.chrootdir)`
`823`	`825`	`fwarning("private-lib feature is disabled in chroot\n");`
`824`	`826`	`else if (arg_overlay)`