TLDR

Introduction

AppImage is a universal software packaging format developed by Simon Peter. The package is a regular ISO 9660 file containing all binaries, libraries and resources necessary to run the application. You are likely to find this type of packaging used by open-source projects trying to reach a large audience during fundraising campaigns.

Firejail provides native support for AppImage applications. These are the main features of the AppImage/Firejail combo:

- state of the art software packaging and seccomp/namespaces sandboxing technology
- the only requirement to run the application is a Linux kernel version 3 or newer – there are no dependencies, no 200MB runtimes to download and install
- network and X11 sandboxing support
- monitoring and auditing capabilities
- low runtime overhead, no daemons running in the background, all security features are implemented in the Linux kernel
- it can be used in parallel with other security frameworks such as Grsecurity, AppArmor, SELinux

Usage

Start your AppImage application in Firejail using the --appimage command line option:

$ firejail --appimage krita-3.0-x86_64.appimage

All sandboxing options should be available. A private home directory:

$ firejail --appimage --private krita-3.0-x86_64.appimage

or some basic X11 sandboxing:

$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage

A Full Example

I download Firefox Developer Edition from the AppImage project repository, and I start the sandbox:

$ firejail --appimage --private --net=eth0 --x11 ~/Downloads/Firefox-Dev-48.0a2.en.glibc2.3.3-x86_64.AppImage

I use --appimage to enter AppImage mode, --private to create an empty home directory, --net=eth0 to create a new network namespace, and --x11 for X11 sandboxing based on Xpra.

Next, I start the graphical user interface to verify some of the security parameters:

I have two sandboxes running at this moment, the Firefox AppImage and the Transmission BitTorrent client. I click on the Firefox sandbox to get the stats:

In the stats window I look at seccomp status (enabled) and the capability field (all zero). These are the two most important settings for a sandbox, everything else is built on top of them.

Since I also have a BitTorrent download going on, I keep an eye on the network traffic. If needed, I can limit the traffic for each sandbox using the bandwidth limiting capabilities in Firejail:

$ firejail --bandwidth=32119 set eth0 80 20

In this example I use the Firefox sandbox's PID (32119) and limit the sandbox traffic on interface eth0 to 80 KB/s in the receive direction, and 20 KB/s in the transmit direction.
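The same checks the stats window shows (seccomp enabled, capabilities all zero) can be made from a terminal by reading /proc/<pid>/status, which is handy on a headless box or in a script. The script below is an added example, not code from the post or the Firejail project: it builds the firejail command lines used in the Usage section and the full example above, and parses the Seccomp and CapEff fields of a status file. The AppImage path, interface name and PID are assumptions; the sample status contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Firejail itself).
# Builds the firejail command lines discussed above and verifies, from
# /proc/<pid>/status, the two sandbox properties the post calls most important:
# seccomp filtering active and an empty effective capability set.
# The AppImage path, interface and PID used here are placeholders.

# Print the firejail command line for an AppImage with the options discussed above.
# $1 = AppImage path, $2 = interface for --net ("none" for no network, the default).
build_firejail_cmd() {
    appimage="$1"
    iface="${2:-none}"
    printf 'firejail --appimage --private --net=%s --x11 %s\n' "$iface" "$appimage"
}

# Print the bandwidth-limit command for a running sandbox.
# $1 = sandbox PID, $2 = interface, $3 = download KB/s, $4 = upload KB/s.
build_bandwidth_cmd() {
    case "$3$4" in
        *[!0-9]*) echo "rates must be integers (KB/s)" >&2; return 1 ;;
    esac
    printf 'firejail --bandwidth=%s set %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Inspect a /proc/<pid>/status file ($1) and report whether seccomp filtering
# is active and the effective capability set is empty.
# Returns 0 when both hold, 1 otherwise, and prints a one-line summary.
check_sandbox_status() {
    status_file="$1"
    seccomp=$(awk '/^Seccomp:/ {print $2}' "$status_file")
    capeff=$(awk '/^CapEff:/ {print $2}' "$status_file")
    # Seccomp mode 2 is filter mode (what Firejail installs);
    # CapEff is a hex bitmask, so "all zero" means no effective capabilities.
    ok=1
    if [ "$seccomp" = "2" ] && [ -n "$capeff" ] \
        && [ "$(printf '%s' "$capeff" | tr -d 0)" = "" ]; then
        ok=0
    fi
    if [ "$ok" -eq 0 ]; then verdict=yes; else verdict=no; fi
    printf 'seccomp=%s capeff=%s sandboxed=%s\n' "$seccomp" "$capeff" "$verdict"
    return "$ok"
}

# Stand-alone use: sh check_appimage_sandbox.sh --run <pid>
# (assumes the sandbox for that PID is already running; script name is assumed)
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    build_firejail_cmd "$HOME/Downloads/app.AppImage" eth0
    build_bandwidth_cmd "$2" eth0 80 20
    check_sandbox_status "/proc/$2/status"
fi
```

With a real sandbox, the PID to pass is the one shown by the stats window (or by firejail --list); a process that was started outside Firejail will typically report Seccomp 0 and a non-zero CapEff, and the function returns 1.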

More information