AppImage is a bundling format that, compared to alternatives (Flatpak, Snap), does not impose any restrictions on the running program's access to resources on the host (user home, services on D-Bus, network, etc.) apart from the obvious restrictions that Linux processes have given their global uid/gid and, in some other cases, SELinux/AppArmor - nothing beyond what the Linux distribution provides.
As much of the software provided as AppImages is proprietary (arguably it's more popular for distributing proprietary software than Flatpak), and for increasing runtime security for open source apps, I find myself running AppImages with firejail.
firejail is a versatile sandboxing solution for binaries on Linux that uses the underlying kernel technologies in a similar vein to container runtimes. I'm using this setup all the time and find myself running (in this case to have a private home directory and restrictions on D-Bus service access):
Over the years there have been discussions and some proposed solutions to streamline firejail-ing AppImages, for example here - discourse thread and here - another thread.
I propose to add that functionality within GearLever. As firejail has a plethora of CLI options controlling separation from the host for different resources, I think that the user should be given the option to construct the CLI themselves. That's a general enough solution to encompass any possible "wrapper" for the AppImage file - for ease of use for the firejail use case, a template can be provided that the user can start with.
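The wrapper-template idea above, as an added example that is not code from the issue author or from GearLever: a small bash script that expands a user-editable firejail command-line template for a given AppImage. The `%a`/`%h` placeholder names, the `appimage-homes` per-app home layout and the `build_cmd`/`run_sandboxed` function names are assumptions made for this example; the firejail options used (`--private=DIR`, `--dbus-user=filter`, `--dbus-system=none`, `--appimage`) are real options that implement the private-home and D-Bus restrictions the post describes.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or GearLever): expand a firejail template
# for an AppImage. Assumes firejail is installed when run for real; the
# placeholders and directory layout below are constructed for the example.
set -u

# Default template: private home directory plus restricted D-Bus access.
# %a expands to the AppImage path, %h to a per-app private home directory.
# Add --dbus-user.talk=NAME entries here for D-Bus services an app really needs.
FJ_TEMPLATE='firejail --private=%h --dbus-user=filter --dbus-system=none --appimage %a'

# Directory holding one private home per AppImage (constructed layout).
FJ_HOME_ROOT="${XDG_DATA_HOME:-${HOME:-/tmp}/.local/share}/appimage-homes"

# private_home APPIMAGE -> path of the per-app home, derived from the file name
private_home() {
    local name
    name=$(basename "$1" .AppImage)
    printf '%s/%s\n' "$FJ_HOME_ROOT" "$name"
}

# build_cmd APPIMAGE [TEMPLATE] -> the expanded command line as one string
build_cmd() {
    local appimage=$1 tmpl=${2:-$FJ_TEMPLATE} home
    home=$(private_home "$appimage")
    tmpl=${tmpl//%h/$home}   # substitute every %h
    tmpl=${tmpl//%a/$appimage}   # substitute every %a
    printf '%s\n' "$tmpl"
}

# run_sandboxed APPIMAGE [TEMPLATE] -> create the private home and exec firejail
run_sandboxed() {
    local appimage=$1 tmpl=${2:-$FJ_TEMPLATE} home cmd
    [ -x "$appimage" ] || { echo "not executable: $appimage" >&2; return 1; }
    home=$(private_home "$appimage")
    mkdir -p "$home"
    cmd=$(build_cmd "$appimage" "$tmpl")
    # shellcheck disable=SC2086 -- the template is split on whitespace by design
    exec $cmd
}

# Usage: ./fj-appimage.sh /path/to/App.AppImage ['custom template']
# With no arguments the script only defines the functions, so it can be sourced.
if [ $# -ge 1 ]; then
    run_sandboxed "$@"
fi
```

The template is deliberately a plain string the user edits, matching the proposal that the user constructs the CLI themselves; `build_cmd` is kept separate from `run_sandboxed` so the expanded command can be shown to the user before anything is executed.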