How do you sandbox .appimage files on Linux?

Anyone know how to contain (sandbox) .appimage files on Linux?

I have a certain game launcher (I don’t wanna disclose which) that is distributed as an AppImage. And I don’t feel comfortable with a game having full r/w on my /home dir.

Any advice?

P.S: what do you think about something like this?

2 Likes

I have all my AppImages sandboxed using bwrap.

I’ve found it’s easiest to start by extracting the appimage file using:

./YourAppImage.AppImage --appimage-extract

then make a launch file that points to the AppRun file in the extracted AppImage. With that launch file, you can define what the AppImage has access to using bwrap.

Then change the exec= line in the .desktop file you use to launch the AppImage to point to the bwrap launch file, and you’re done!

1 Like
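The launch file described in the post above, written as an added example for this thread (it is not the poster's own script). It assumes the AppImage was extracted with --appimage-extract into ./squashfs-root next to the script, that bwrap 0.4 or newer is installed (the --ro-bind-try and --dev-bind-try options need it), and a Wayland session. The directory names and the SANDBOX_DRY_RUN variable are my own choices.

```shell
#!/bin/sh
# Added example: a bwrap launch script for an extracted AppImage.
# Assumptions (not from the original post): the AppImage was extracted with
# `./Game.AppImage --appimage-extract` into ./squashfs-root next to this
# script, bwrap >= 0.4 is installed (for the *-try options), and the desktop
# session is Wayland. Point the Exec= line of the .desktop file at this script.

APP_ROOT="${APP_ROOT:-$(pwd)/squashfs-root}"                   # read-only: the extracted AppImage
APP_HOME="${APP_HOME:-$HOME/.local/share/sandbox-homes/game}"  # the only writable "home" the app sees

# launch_sandboxed APPRUN [app args...]
# Builds the bwrap command line and execs it. With SANDBOX_DRY_RUN=1 it prints
# the command, one argument per line, instead of running it.
launch_sandboxed() {
  app_run=$1
  shift
  set -- "$app_run" "$@"

  # Only expose the Wayland socket when its exact path is known; binding
  # $XDG_RUNTIME_DIR as a whole would hand over every session socket.
  if [ -n "$WAYLAND_DISPLAY" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
    set -- --ro-bind "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" -- "$@"
  else
    set -- -- "$@"
  fi

  # Read-only system tree, a private /tmp, a private fake home, the extracted
  # AppImage read-only, GPU device nodes, own namespaces for everything except
  # the network (a launcher has to download), and no controlling terminal.
  set -- bwrap \
    --ro-bind /usr /usr \
    --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 \
    --ro-bind-try /bin /bin --ro-bind-try /sbin /sbin \
    --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --ro-bind-try /etc/hosts /etc/hosts \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind-try /etc/fonts /etc/fonts \
    --ro-bind-try /etc/localtime /etc/localtime \
    --proc /proc \
    --dev /dev \
    --dev-bind-try /dev/dri /dev/dri \
    --tmpfs /tmp \
    --bind "$APP_HOME" "$HOME" \
    --ro-bind "$APP_ROOT" "$APP_ROOT" \
    --unshare-all \
    --share-net \
    --new-session \
    --die-with-parent \
    "$@"

  if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  mkdir -p "$APP_HOME"
  exec "$@"
}

# Entry point when run as the launcher. If the extracted tree is missing, say so
# rather than falling back to running the AppImage unsandboxed.
if [ -x "$APP_ROOT/AppRun" ]; then
  launch_sandboxed "$APP_ROOT/AppRun" "$@"
else
  echo "no AppRun at $APP_ROOT: run ./Game.AppImage --appimage-extract first" >&2
fi
```

Run it once with SANDBOX_DRY_RUN=1 to see exactly what the app will get before launching for real. Save data lands in $APP_HOME rather than your real home, and dropping --share-net cuts the network entirely if the launcher does not need it. On X11 there is no safe socket to add here: sharing /tmp/.X11-unix would reintroduce the escape discussed later in this thread, so use Xephyr or Xpra instead.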

this sounds like it would be a wonderful community wiki / guide if you ever have the time.

1 Like

Yeah it’s basically a DIY flatpak :grin: I’d be interested in finding out if there’s a more user-friendly way to do this, since managing bwrap permissions without a GUI is a pain.

I’d be happy to hear if anyone has any suggestions here, so we could potentially implement this to the site!

1 Like

Could something like netblue30/firejail (GitHub: Linux namespaces and seccomp-bpf sandbox) be used?

1 Like

Firejail would work here, but I prefer the more minimal approach of bwrap.

Here’s a short read that explains the difference more in depth:

1 Like

Can you explain further?

Firejail runs from root, which opens it to possible privilege escalation vulns and other nasty stuff (see this thread for more information).

1 Like

Which Appimage on which OS?

1 Like

Two: Mint and Fedora (dualboot). But now mostly Mint.

Game launcher. I do not feel comfortable revealing its name.

1 Like

Do you use X11 on Mint? If you do, you need Xephyr, Xpra or similar to even lay the basis for sandboxing gui applications, otherwise X11 will be a sandbox escape.

1 Like

Just be aware that Bubblejail is unsuited for GUI applications on X11 DEs

3 Likes

Fine with me, Kicksecure and Whonix 18 use LXQt and Wayland now.

1 Like

There is also the package manager AM (aka AppMan) that allows you to easily install, update and sandbox a wide range of AppImage applications.

The sandbox utility simple-appimage-sandbox (sas), which depends on Bubblewrap, is used by AM when the “--sandbox” flag is supplied.

It should be noted that the created sandbox is somewhat permissive by default; it doesn’t unshare the network socket with the application. It’s possible to configure access to the home directory, but I haven’t found a way to fine-tune the sandbox’s other permissions. I don’t know how difficult it would be for an application to escape that sandbox, but I guess it’s better than nothing.

If you decide to use AM, please be aware that its database of app installation scripts is similar to the design of the Arch User Repository (AUR). If an app isn’t distributed as an AppImage by its developer, then it may be provided as an unofficial, community-built AppImage.

2 Likes