molotov: cannot run AppImage with custom profile

[esp13]

Hi,

Like many, I got the permission denied while trying to run an .AppImage
This happened to MolotovTV app findable here

Here I read that we should use this for appimages but it doesn't solve the problem:

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

As I am too novice (and English isn't my fluent language) to understand all the discussion, could you help to solve the problem for my case?

Here is the profile established from profile.template :

#ME : I give a name to be able to kill the sandbox easily with --shutdown=molotov
name molotov
#ME : to be able to access to the folder on /home even if the folder isn't inside personal current user's home folder 
allusers
#ME : Fake personal user home folder only for molotov
private /home/thefolderIwantnotinsideuserhome/FireJail/MolotovTVHome/
#ME : Forbidden to be able to go on other folders on /home except the fake home folder from previous line
noblacklist ~
blacklist /home/*
#ME : To disable the access to other disks
disable-mnt
#ME : For testing access rights visually with nemo (without this, nemo inside firejail can communicate with an other nemo instance outside the sandbox)
nodbus
#ME for appimages
blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount


# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you with creation of profiles
# for new programs. PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e. g. a program that is unable to save user's work is considered bad practice)
#  - dedicate some time (based on the complexity of the application) to profile testing before raising
#    a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH envvar)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include PROFILE.local
# Persistent global definitions
include globals.local

##ignore noexec ${HOME}
##ignore noexec /tmp

##blacklist PATH
# Disable X11 (CLI only), see also 'x11 none' below
#blacklist /tmp/.X11-unix
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only)
#blacklist ${RUNUSER}

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exists, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (he's unable to save files into
# home directory for instance) he/she may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (further explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
apparmor
caps.drop all
##caps.keep CAPS
##hostname NAME
# CLI only
##ipc-namespace
# breaks sound and sometime dbus related functions
machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
nodvd
nogroups
nonewprivs
noroot
#nosound
notv
nou2f
novideo
# Remove each unneeded protocol:
#  - unix is usually needed
#  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
#  - netlink is rarely needed
#  - packet almost never
#protocol unix,inet,inet6,netlink,packet
protocol unix,inet
seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
#shell none
#tracelog
# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
##x11 none

disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
private-cache
private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: magic,magic.mgc,passwd,group
#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
#    Extra: proxychains.conf,gai.conf
#  Sound: alsa,asound.conf,pulse,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  Qt: Trolltech.conf
#  KDE: kde4rc,kde5rc
#  3D: drirc,glvnd,bumblebee,nvidia
#  D-Bus: dbus-1,machine-id
##private-lib LIBS
##private-opt NAME
private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular regulation of dbus is supported.
# To get the dbus-addresses to which an application needs access to.
# You can look at flatpak if the application is also distriputed via flatpak:
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - In order to make dconf work (if it is used by the app) you need to allow
#    'ca.desrt.dconf' even if it is not allowed by flatpak.
# Notes and Policiy about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##env VAR=VALUE
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##join-or-start NAME

[rusty-snake]

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

The second command has no effect. fusermount will always be blacklisted. A noblacklist command must come before it's corresponding blacklist command. Flip these lines.

[rusty-snake]

How do you start? firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox?

---

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

[esp13]

How do you start? firejail --appiamge --profile=/path/to/your/profile /path/to/molotovtv.AppImage/outside/the/sandbox?

I gone with this:
firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

I tried without --appimage option too but same result:
firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

And without --appimage option?

[esp13]

blacklist ${PATH}/fusermount
?HAS_APPIMAGE: noblacklist ${PATH}/fusermount

The second command has no effect. fusermount will always be blacklisted. A noblacklist command must come before it's corresponding blacklist command. Flip these lines.

So I tried this instead:

?HAS_APPIMAGE: noblacklist ${PATH}/fusermount
blacklist ${PATH}/fusermount

but same result

[esp13]

I tried to comment
#include disable-common.inc

but same result

[rusty-snake]

firejail --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile --appimage

--appiamge should be the last firejail argument and must be the first (if --profile is used) IIRC. 🥴

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

The you need to allow to execute files in $HOME.

ignore noexec ${HOME}
ignore apparmor

^ at the top of your profile (e.g. after include globals.local)

IDK what the current state in #3910 is but AFAICT there are AIs which don't work with --appimage ATM.

And without --appimage option?

#3910 only happens with --appiage IIRC.

So I tried this instead:

This snipped works only if --appimage comes before --profile. Anyway you could simply add noblacklist ${PATH}/fusermount before include disable-common.inc for your profile.

However "I tried to comment #include disable-common.inc but same result" …

---

If you use --appimage you need to use the path to the AI outside the sandbox. W/o --appiamge, you need to use the path to the AI inside the sandbox.

[rusty-snake]

Does firejail --noprofile --allusers /path/to/AppImage work?

[esp13]

Does firejail --noprofile --allusers /path/to/AppImage work?

Before reinstalling my distro from scratch I was using it like this inside a dedicated folder itself inside my home folder:
firejail --noprofile --private=. --appimage "./molotov.AppImage"
And that was working well.
But as I realise --noprofile option isn't secure at all I'm trying to do better

--appiamge should be the last firejail argument and must be the first (if --profile is used) IIRC. woozy_face

Ok so I go with this:
firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile

For the moment I try to launch it manually inside the sandbox:
./molotov.AppImage

The you need to allow to execute files in $HOME.

ignore noexec ${HOME}
ignore apparmor

^ at the top of your profile (e.g. after include globals.local)

By adding this just before globals.local I get this error instead permission one :

./molotov.AppImage 
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

I keep this but don't understand what it is for:

# Persistent local customizations
include PROFILE.local
# Persistent global definitions
include globals.local

Anyway you could simply add noblacklist ${PATH}/fusermount before include disable-common.inc for your profile.

Ok I will do so

If you use --appimage you need to use the path to the AI outside the sandbox. W/o --appiamge, you need to use the path to the AI inside the sandbox.

I got a permission issue with this:
exec /home/thefolderIwantnotinsideuserhome/FireJail/molotovHome/molotov.AppImage

And with this:
exec /home/myuser/molotov.AppImage
i get this error again:

fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Parent is shutting down, bye...

[esp13]

To avoid fuse error, I tried :
./molotov.AppImage --appimage-extract-and-run

but I got this error:
Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

[esp13]

I don't understand all that is explained here, is it possible that using 0.9.63 could solve this problem? (My distro repo as 0.9.62-3 version instead)

[rusty-snake]

Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

Add ignore noexec /tmp

[esp13]

Failed to run /tmp/appimage_extracted_f3117eebfc709bd30ace1a4b481f4010/AppRun: Permission denied

Add ignore noexec /tmp

Thanks, this time no error, but nothing happens/appears after extraction

[esp13]

./molotov.AppImage --appimage-extract
./squashfs-root/AppRun

Result in :
Trappe pour point d'arrêt et de trace (core dumped)

[esp13]

./molotov.AppImage 
fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory

Could this help? :

$ fusermount -V
fusermount version: 2.9.9

[rusty-snake]

any progress?

[esp13]

any progress?

Hi,
Thanks for asking :)
Unfortunately no :/
Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

[glitsj16]

Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

Downloaded that AppImage and running firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal...

[esp13]

ALLELUIA!!! Today this worked:

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile
./molotov.AppImage --appimage-extract-and-run --no-sandbox

I don't understand what changed I didn't get same results in february
The Fuse version and the FireJail version are still the same:

fusermount -V
fusermount version: 2.9.9

firejail --version
firejail version 0.9.62

But I still can't get it working with the simpler:

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/molotov.profile
./molotov.AppImage --no-sandbox

I still get this error:

fuse: device not found, try 'modprobe fuse' first

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage 
if you run it with the --appimage-extract option. 
See https://github.com/AppImage/AppImageKit/wiki/FUSE 
for more information
open dir error: No such file or directory`

Today I was trying with an other appimage (OpenHV) and for the moment I get the same issues.

Downloaded that AppImage and running firejail --appimage --ignore=quiet ./OpenHV-20210321-x86_64.AppImage works for me on Arch Linux. Can't find specifics on your OS or firejail, but it might be wise to review this without all the prior (FUSE related) references mentioned in this thread. No guarantees though, not all AppImages are created Equal...

Thank you, I will give a new try for OpenHV too
-Edit :-

firejail --appimage --profile=/home/thefolderIwantnotinsideuserhome/FireJail/CustomProfiles/openhv.profile
./OpenHV-20210401-x86_64.AppImage --appimage-extract-and-run
Platform is Linux
Engine version is 52d39db84aa8baf5e5b1f979bcd32fad9822b3b9
Runtime: .NET CLR 5.0.5

And one core of the CPU go 100% and stay 100% and nothing happens
I used the same profile that for molotov, maybe too restrictiv

-Edit2 :-
I tried on other computer with other distribution (with LMDE4 instead of last LM) and got it working but without sound for now.

On the computer where it doesn't work I think the game is running but nothing appears on screen. I have two screens, maybe could it related to.

[rusty-snake]

Do you still need help?