Firejail: AppImage doesn't seem to work (ImageMagick)

Created on 1 Nov 2019 · 5 Comments · Source: netblue30/firejail

Just trying to run the latest version of ImageMagick which comes as AppImage:

$ firejail --appimage --noprofile ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png 
Mounting appimage type 2
Parent pid 32076, child pid 32079

**     Warning: dropping all Linux capabilities     **
Child process initialized in 30.31 ms
/run/firejail/appimage/.appimage-32076/AppRun: line 25: /run/firejail/appimage/.appimage-32076/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-32076/AppRun: line 25: exec: /run/firejail/appimage/.appimage-32076/usr/bin/: cannot execute: Is a directory

Parent is shutting down, bye...
AppImage unmounted

All 5 comments

It should work with

firejail --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png

Can you confirm?

@rusty-snake I can't see any difference in your command line as compared to mine - apart from the order of options? In any case, with your command line I get the same result unfortunately.

$ firejail --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
Mounting appimage type 2
Parent pid 5511, child pid 5514

**     Warning: dropping all Linux capabilities     **
Child process initialized in 126.15 ms
/run/firejail/appimage/.appimage-5511/AppRun: line 25: /run/firejail/appimage/.appimage-5511/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-5511/AppRun: line 25: exec: /run/firejail/appimage/.appimage-5511/usr/bin/: cannot execute: Is a directory

Parent is shutting down, bye...
AppImage unmounted

With debug:

$ firejail --debug --noprofile --appimage ./ImageMagick-a481ea5-clang-x86_64.AppImage identify index.png
Autoselecting /bin/bash as shell
Configuring appimage environment
AppImage ELF size 188392
Mounting appimage type 2
appimage mounted on /run/firejail/appimage/.appimage-5900
Building AppImage command line: /run/firejail/appimage/.appimage-5900/AppRun
AppImage quoted command line: '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png' 
Command name #./ImageMagick-a481ea5-clang-x86_64.AppImage#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 5900, child pid 5903
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-LWVkcNJV,guid=c4c2b12742419542177af0e85dbaf68f
IBUS_DAEMON_PID=3130

**     Warning: dropping all Linux capabilities     **
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
6278 6253 0:101 /pulse /home/kravietz/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=6278 fsname=/pulse dir=/home/kravietz/.config/pulse fstype=tmpfs
Current directory: /home/kravietz/Downloads
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
Running '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/run/firejail/appimage/.appimage-5900/AppRun' 'identify' 'index.png' 
Child process initialized in 104.53 ms
monitoring pid 2

/run/firejail/appimage/.appimage-5900/AppRun: line 25: /run/firejail/appimage/.appimage-5900/usr/bin/: Is a directory
/run/firejail/appimage/.appimage-5900/AppRun: line 25: exec: /run/firejail/appimage/.appimage-5900/usr/bin/: cannot execute: Is a directory
Sandbox monitor: waitpid 2 retval 2 status 32256

Parent is shutting down, bye...
AppImage unmounted

I found a workaround: add --rmenv=APPIMAGE.


AppRun:

#!/bin/bash 

# The purpose of this custom AppRun script is 
# to allow symlinking the AppImage and invoking 
# the corresponding binary depending on which 
# symlink was used to invoke the AppImage 

HERE="$(dirname "$(readlink -f "${0}")")" 

export MAGICK_HOME="$HERE/usr:$MAGICK_HOME" # https://imagemagick.org/QuickStart.txt 
export MAGICK_CONFIGURE_PATH=$(readlink -f "$HERE/usr/lib/ImageMagick-7.0.7/config-Q16"):$(readlink -f "$HERE/usr/lib/ImageMagick-7.0.7/config-Q16HDRI"):$(readlink -f "$HERE/usr/share/ImageMagick-7"):$(readlink -f "$HERE/usr/etc/ImageMagick-7"):$MAGICK_CONFIGURE_PATH #Wildcards don't work 

export LD_LIBRARY_PATH=$(readlink -f "$HERE/usr/lib"):$LD_LIBRARY_PATH 
export LD_LIBRARY_PATH=${HERE}/usr/lib/ImageMagick-7.0.7/modules-Q16HDRI/coders:$LD_LIBRARY_PATH 

if [ "$1" == "man" ] ; then 
  export MANPATH="$HERE/usr/share/man:$MANPATH" ; exec "$@" ; exit $? 
elif [ "$1" == "info" ] ; then 
  export INFOPATH="$HERE/usr/share/info:$INFOPATH" ; exec "$@" ; exit $? 
fi 

if [ ! -z $APPIMAGE ] ; then 
  BINARY_NAME=$(basename "$ARGV0") 
  if [ -e "$HERE/usr/bin/$BINARY_NAME" ] ; then 
    exec "$HERE/usr/bin/$BINARY_NAME" "$@" 
  else 
    exec "$HERE/usr/bin/magick" "$@" 
  fi 
else 
  exec "$HERE/usr/bin/magick" "$@" 
fi

I can't see any difference in your command line as compared to mine - apart from the order of options?

--appimage should be the last firejail argument.

   Start an AppImage program:

         firejail [OPTIONS] --appimage [appimage-file and arguments]

@rusty-snake Yeah, this solves the problem! Not sure if you want to close the ticket now, or improve on the firejail side but that's a working solution.
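Why --rmenv=APPIMAGE helps, as an added example that is not part of the original thread or of the ImageMagick AppImage: it replays the branch logic of the quoted AppRun on a constructed directory tree and compares it with a hypothetical hardened variant. It assumes that the sandbox sets APPIMAGE but leaves ARGV0 empty, which is consistent with the error path ending in usr/bin/; the function names, the temporary tree and the /x/IM.AppImage value are constructed for illustration.

```shell
#!/bin/bash
# Added example: replays the AppRun dispatch decision on a constructed
# temporary tree, so it needs neither firejail nor the AppImage.

# Constructed stand-in for the mounted image: usr/bin/magick and usr/bin/identify.
make_fake_appdir() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/usr/bin"
  touch "$d/usr/bin/magick" "$d/usr/bin/identify"
  chmod +x "$d/usr/bin/magick" "$d/usr/bin/identify"
  printf '%s\n' "$d"
}

# Same branches as the quoted AppRun, but prints the exec target instead of
# exec'ing it. Arguments: HERE APPIMAGE ARGV0.
original_target() {
  local here="$1" appimage="$2" argv0="$3" name
  if [ -n "$appimage" ]; then
    name="$(basename "$argv0")"
    # With an empty name this tests "$here/usr/bin/", a directory that exists.
    if [ -e "$here/usr/bin/$name" ]; then
      printf '%s\n' "$here/usr/bin/$name"
    else
      printf '%s\n' "$here/usr/bin/magick"
    fi
  else
    printf '%s\n' "$here/usr/bin/magick"
  fi
}

# Hypothetical hardened variant: dispatch only to a non-empty name that is a
# regular, executable file; otherwise fall back to magick.
hardened_target() {
  local here="$1" appimage="$2" argv0="$3" name=""
  if [ -n "$argv0" ]; then name="$(basename -- "$argv0")"; fi
  if [ -n "$appimage" ] && [ -n "$name" ] &&
     [ -f "$here/usr/bin/$name" ] && [ -x "$here/usr/bin/$name" ]; then
    printf '%s\n' "$here/usr/bin/$name"
  else
    printf '%s\n' "$here/usr/bin/magick"
  fi
}

d="$(make_fake_appdir)"
echo "APPIMAGE set, ARGV0 empty (original): $(original_target "$d" /x/IM.AppImage "")"
echo "APPIMAGE removed (--rmenv=APPIMAGE):  $(original_target "$d" "" "")"
echo "APPIMAGE set, ARGV0 empty (hardened): $(hardened_target "$d" /x/IM.AppImage "")"
rm -rf "$d"
```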
