A tool to easily run appimages and other programs in Firejail sandbox.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

7.6 KiB

                            
fireinvoke - easily run appimages and other programs in firejail sandbox.

Fireinvoke is a program that allows to easily run appimages and programs extracted from archives in the firejail sandbox. It allows to run appimages in firejail sandbox by running simple command or by just double clicking it in file manager. When programs are executed this way, fireinvoke creates separate home directory in the same directory where the appimage is located (or in case of program from archive, in the directory above). This allows to create strict sandbox with acces only to this program's home directory, unless you add new permissions to its firejail profile. This aproach also allows to have multiple instances of each program, cause every one will have its own home directory, and each instance also can have different firejail profile.

Author: Radosław-RPS

-------------------------------------------------------------------------------

REQUIREMENTS:

GNU/Linux system with:
bash
gnu coreutils
sed
grep
gawk (gnu awk)
getopt (from util-linux package)
firejail



Optional:

You can also install xpra for gui isolation to work. However it has to be enabled in fireinvoke profiles in order to work. You likely also want iproute2 package, which should be already installed.



-------------------------------------------------------------------------------

BUILDING AND INSTALLATION:


1.Building and installalation of fireinvoke:

$ cd fireinvoke
$ sudo make install



-------------------------------------------------------------------------------

USAGE:


1.Running Commands

To run appimages use command:

$ fire filename

or

$ fire [options] -- filename [arguments]

This will automatically create profile for application, and create .home directory alongside it.

You can also configure your file manager to open appimages by default with "fire" command (located in /usr/local/bin/fire or /usr/bin/fire). However, to run appimages by double clicking them in most file managers, you have to UNSET executable permission, so running with fire command will be default action, not normal execution.

If the program does not start, it probably means that firejail profile needs to be modified. Profiles are located in "${HOME}/.config/fire/", and are named after location of that program (path).


To run normal programs extracted from archives, you first have to create profile for directory containg it. To do this use command:

$ add-fire-profile directory_name_or_path

then you can run program that exists in this directory:

$ fire filename

or

$ fire [options] -- filename [arguments]


To delete profile for directory:

$ remove-fire-profile directory_name


You can also disable automatic profile creation for appimages to achieve similar behavior like for extracted programs which requires to first use "add-fire-profile" in order to use it, by disabling "appimage-auto-profile-create yes" in "~/.config/fire/fire.cfg"


You can use "fire --option firejail_option" to pass options to firejail:

example:

$ fire --option whitelist=/home/user/Documents someprogram.apppimage


You can use --option many times.



2.Profiles:

Profiles are located in $HOME/.config/fire/

They are named after path to program/directory, with slashes replaced by greater than (>) sign. This allows to identify each program based on their path.


All new profiles are created based on template profile which can be located in $HOME/.config/fire/template.profile or if that does not exist it is read either from /usr/local/etc/fire/template.profile or /etc/fire/template.profile.



3.Configuration:

the config file is located in $HOME/.config/fire.cfg, or if that does not exists, either in /usr/local/etc/fire/fire.cfg or /etc/fire/fire.cfg, depending on where the program was installed.


Currently there are following configuration entries:


attach-network-interface yes

this enables automatic attaching of currently connected network interface to this program using firejail's "--net=" option.


appimage-auto-profile-create yes

this enables automatic creation of profiles for appimages


option

this enables custom firejail options, example:
"option whitelist=/home/user/Documents" which allows program to access "Documents" directory, see firejail man page for other options, but use format described here.




4.Gui Isolation:

In order to protect against keylogging and screenshot programs, you should do three steps:

1. Make sure the option "restricted-network yes" is disabled in
firejail.config, or its value is set to "no"

2. Add to fire-globals.local the following line:
x11 xpra

3. To protect against programs reading keyboard,mouse and screen input and output on X11 socket you should also in fire.cfg enable this line: attach-network interface yes

This causes fire command to use --net= firejail switch with currently connected network interface as value, or if you have all network disconnected, with first network interface. If you have no network card on your computer, it uses --net=none. For this to work you need to have "ip" command from iproute2 package, this should be installed on your system by default. This protects from reading gui i/o by creating separate network namespace, where there is no access to those X11 sockets.


You should also enable "xpra-attach yes" in /etc/firejail/firejail.config, to avoid some bugs that ocassionally cause failure of xpra...


Wayland...

If you use wayland you should also enable "xpra-attach yes" in firejail.config, otherwise fire wont work. However as of firejail version 0.9.58.2 there is a bug in firejail that when "xpra-attach yes" is enabled and either path with spaces, or options containg spaces i used, causes firejail to fail to run program, because it interprets text after space as name of program to run. So if you use wayland, remember not to run programs from directories containg spaces or to use any options with spaces!



-------------------------------------------------------------------------------

OTHER TOOLS:

There exists a tool that allows to install programs into one place in $HOME, set up firejail sandbox for them, and create launchers. Useful for browsers, appimages etc:

https://codeberg.org/rps/fire-install



-------------------------------------------------------------------------------

UNINSTALL:

WARNING!: This will remove config files: template.profile and fire.cfg located in /usr/local/etc/fire/. If you want to keep your changes, you are advised to backup them before uninstalling.

1.To uninstall fireinvoke:

$ cd fireinvoke
$ sudo make uninstall



-------------------------------------------------------------------------------

LICENSE:

This software is licensed under GNU General Public License version 3, or (at your option) any later version of the License.

Unless otherwise noted, the following copyright and license notice applies to files that are part of this software:

# Copyright (C) 2020 Radosław-RPS
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

-------------------------------------------------------------------------------