AppImage is a universal software packaging format developed by Simon Peter. The package is a regular ISO 9660 file containing all binaries, libraries and resources necessary to run the application. You are likely to find this type of packaging used by open-source projects trying to reach a large audience during fundraising campaigns.
Firejail provides native support for AppImage applications. These are the main features of the AppImage/Firejail combo:
- state of the art software packaging and seccomp/namespaces sandboxing technology
- the only requirement to run the application is a Linux kernel version 3 or newer – there are no dependencies, no 200MB runtimes to download and install
- network and X11 sandboxing support
- monitoring and auditing capabilities
- low runtime overhead, no daemons running in the background; all security features are implemented in the Linux kernel
- it can be used in parallel with other security frameworks such as Grsecurity, AppArmor, SELinux
Start your AppImage application in Firejail using the --appimage command-line option:
All sandboxing options should be available. A private home directory:
or some basic X11 sandboxing:
A Full Example
I download Firefox Developer Edition from the AppImage project repository, and I start the sandbox:
I use --appimage to enter appimage mode, --private to create an empty home directory, --net=eth0 to create a new network namespace, and --x11 for X11 sandboxing based on Xpra.
Next, I start the graphical user interface to verify some of the security parameters:
I have two sandboxes running at the moment, Firefox AppImage and the Transmission BitTorrent client. I click on the Firefox sandbox to get the stats:
In the stats window I look at seccomp status (enabled) and the capability field (all zero). These are the two most important settings for a sandbox, everything else is built on top of them.
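The same two settings can be read from the kernel's own per-process record. The shell function below is an added example, not part of the original article: it reads the Seccomp and Cap* lines of a /proc/<pid>/status file and reports whether seccomp is active and every capability set is empty. The two sample files are constructed, and treating the stats window's "capability field" as the Cap* lines is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): check seccomp mode and capability
# sets in a /proc/<pid>/status file.

# check_sandbox FILE -> exit status 0 only if seccomp is active and every
# capability set present in FILE is empty.
check_sandbox() {
    file=$1
    rc=0
    # Seccomp: 0 = disabled, 1 = strict, 2 = filter (BPF syscall filter).
    mode=$(awk '$1 == "Seccomp:" { print $2 }' "$file")
    case $mode in
        1|2) echo "seccomp: enabled (mode $mode)" ;;
        *)   echo "seccomp: NOT enabled"; rc=1 ;;
    esac
    # Cap* lines are hex bitmasks; "all zero" means no capabilities at all.
    for name in CapInh CapPrm CapEff CapBnd CapAmb; do
        mask=$(awk -v k="$name:" '$1 == k { print $2 }' "$file")
        if [ -z "$mask" ]; then continue; fi   # field absent on older kernels
        case $mask in
            *[!0]*) echo "$name: $mask (capabilities present)"; rc=1 ;;
            *)      echo "$name: all zero" ;;
        esac
    done
    return $rc
}

# Constructed sample data, trimmed to the fields the check reads.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sandboxed" <<'EOF'
Name:    firefox
CapInh:  0000000000000000
CapPrm:  0000000000000000
CapEff:  0000000000000000
CapBnd:  0000000000000000
Seccomp: 2
EOF
cat > "$SAMPLES/unsandboxed" <<'EOF'
Name:    firefox
CapInh:  0000000000000000
CapPrm:  0000000000000000
CapEff:  0000000000000000
CapBnd:  0000003fffffffff
Seccomp: 0
EOF

check_sandbox "$SAMPLES/sandboxed"   || echo "=> sandboxed sample FAILED"
check_sandbox "$SAMPLES/unsandboxed" || echo "=> unsandboxed sample FAILED"
```

On a live system, pass /proc/<pid>/status for a process running inside the sandbox.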
Since I also have a BitTorrent download going on, I also keep an eye on the network traffic. If needed, I can limit the traffic for each sandbox using the bandwidth limiting capabilities in Firejail:
In this example I use the Firefox PID (32119) and limit the sandbox traffic on interface eth0 to 80 KB/s in the receive direction, and 20 KB/s in the transmit direction.