How can I properly sandbox an AppImage using firejail?

I just downloaded the AppImage for FreeTube and have tried to run it within firejail using the --appimage flag, but the application fails to start up:

$ firejail --appimage ./freetube_0.11.2_amd64.AppImage 
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 3671, child pid 3674

**     Warning: dropping all Linux capabilities     **

Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 80.97 ms

Parent is shutting down, bye...
AppImage unmounted

However, using --noprofile will launch the app, and it seems to run as expected, but I am not sure if it is properly sandboxed or not.

$ firejail --appimage --noprofile ./freetube_0.11.2_amd64.AppImage --noprofile 
Mounting appimage type 2
Parent pid 3794, child pid 3797

**     Warning: dropping all Linux capabilities     **

Child process initialized in 28.44 ms
(node:2) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron.  See https://github.com/electron/electron/issues/23506 for more information

I would really appreciate it if anyone could shed some light on this.

I am not a firejail expert, but by dropping the default profile, you are dropping all the blacklisting rules. You certainly aren’t getting the full benefit of firejail that way.

The easiest solution is probably to use the built-in profile for freetube. Like this:

firejail --appimage --profile=/etc/firejail/freetube.profile ./freetube_0.11.2_amd64.AppImage

As a side note, you have --noprofile in the command line twice. 🤓
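One way to apply the advice in the answer above, as an added example that is not part of the original thread: a small shell helper that looks for a profile named after the AppImage and builds the `--appimage --profile=` command, returning an error instead of silently falling back to `--noprofile`. The function names, the `FIREJAIL_PROFILE_DIRS` override and the file-name heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example: choose a firejail profile for an AppImage by file name.
# FIREJAIL_PROFILE_DIRS (colon-separated) is a hypothetical override; the
# default is the per-user profile directory followed by /etc/firejail.

# Heuristic (assumption): strip the extension and everything from the first
# "_<digit>" or "-<digit>" on, then lowercase.
# ./freetube_0.11.2_amd64.AppImage -> freetube
appimage_name() {
    base=$(basename -- "$1")
    base=${base%.[Aa]pp[Ii]mage}
    printf '%s\n' "$base" | sed -e 's/[_-][0-9].*$//' | tr '[:upper:]' '[:lower:]'
}

# Print the first readable <name>.profile found; exit status 1 if none.
# The body is a subshell so the IFS and globbing changes stay local.
find_profile() (
    name=$(appimage_name "$1")
    set -f
    IFS=:
    for dir in ${FIREJAIL_PROFILE_DIRS:-$HOME/.config/firejail:/etc/firejail}; do
        if [ -r "$dir/$name.profile" ]; then
            printf '%s\n' "$dir/$name.profile"
            exit 0
        fi
    done
    exit 1
)

# Print the firejail command line to use. If no matching profile exists,
# report it and return 1 so the caller decides what to do next.
sandbox_cmd() {
    if profile=$(find_profile "$1"); then
        printf 'firejail --appimage --profile=%s %s\n' "$profile" "$1"
    else
        echo "no firejail profile found for '$(appimage_name "$1")'" >&2
        return 1
    fi
}

# Stand-alone use: sh this-script ./freetube_0.11.2_amd64.AppImage
if [ "$#" -gt 0 ]; then
    sandbox_cmd "$1"
fi
```

The helper only prints the command, so it can be reviewed before it is run.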