AppImage is a universal software packaging format developed by Simon Peter. The package is a regular ISO 9660 file containing all binaries, libraries and resources necessary to run the application. You are likely to find this type of packaging used by open-source projects trying to reach a large audience during fundraising campaigns.
Firajail provides native support for AppImage applications. These are the main features of AppImage/Firejail combo:
- state of the art software packaging and seccomp/namespaces sandboxing technology
- the only requirement to run the application is a Linux kernel version 3 or newer – there are no dependencies, no 200MB runtimes to download and install
- network and X11 sandboxing support
- monitoring and auditing capabilities
- low runtime overhead, no daemons running in the background, all security features are implemented in Linux kernel
- it can be used in parallel with other security frameworks such as Grsecurity, AppArmor, SELinux
Start your AppImage application in Firajail using –appimage command line option:
$ firejail --appimage krita-3.0-x86_64.appimage
All sandboxing options should be available. A private home directory:
$ firejail --appimage --private krita-3.0-x86_64.appimage
or some basic X11 sandboxing:
$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
A full example
I download Firefox Developer Edition from AppImage project repository, and I start the sandbox:
$ firejail --appimage --private --net=eth0 --x11 ~/Downloads/Firefox-Dev-48.0a2.en.glibc2.3.3-x86_64.AppImage
I use –appimage to enter appimage mode, –private to create an empty home directory, –net=eth0 to create a new network namespace, and –x11 for X11 sandboxing based on Xpra.
Next, I start the graphical user interface to verify some of the security parameters:
I have two sandboxes running in this moment, Firefox AppImage and Transmission BitTorrent client. I click on Firefox sandbox to get the stats:
In the stats window I look at seccomp status (enabled) and the capability field (all zero). These are the two most important settings for a sandbox, everything else is built on top of them.
Since I also have a BitTorrent download going on, I also keep an eye on the network traffic. If needed, I can limit the traffic for each sandbox using the bandwidth limiting capabilities in Firejail:
$ firejail --bandwidth=32119 set eth0 80 20
In this example I use Firefox PID (32119) and limit the sandbox traffic on interface eth0 to 80 KB/s in receive direction, and 20 KB/s in transmit direction.