vscodium: missing profile redirect: vscodium was renamed to codium #3871

Closed
mYnDstrEAm opened this issue Jan 5, 2021 · 14 comments · Fixed by #4587

@mYnDstrEAm

I had a problem of not getting updates for the way to get Visual Studio Code on Debian via a repository instead of the GitHub releases: https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/issues/50

I did not get any error or alike and "solved" it by going through that repo's guide in the readme again, through which I installed VSCodium another time, now not called vscodium but "codium" and at the latest version (so now I have two VSCodiums installed).

However, when I run firejail --profile=/etc/firejail/vscodium.profile codium I now get this error message:

Unable to write program user data.

Please make sure the following directories are writeable:

/home/username/.config/VSCodium
/home/username/.vscode-oss/extensions
/run/user/1000

I already created a /home/username/.config/firejail/code.local with:

noblacklist ${HOME}/.config/VSCodium
noblacklist ${HOME}/.vscode-oss/extensions

At least two issues remain:

  • The vscodium profile (that's /etc/firejail/code.profile and /etc/firejail/vscodium.profile) seems to be broken/outdated
  • How to solve the problem with /run/user/1000?

echo $DBUS_SESSION_BUS_ADDRESS returns unix:path=/run/user/1000/bus

Also from the default vscodium profile it looks like it's not possible to install extensions. Is that correct? If so that should be changed too but it would be a separate issue.

System: Debian10/KDE
Firejail: 0.9.64 (latest from backports)

@rusty-snake
Collaborator

Please make sure the following directories are writeable:
/run/user/1000

I did not read further, but firejail --writable-run-user … should solve at least this message.

@mYnDstrEAm
Author

It's solved now, sorry. Was a problem with local profiles.

@mYnDstrEAm
Author

mYnDstrEAm commented Jan 5, 2021

Reopening because, if VSCodium is now called codium, the profile's name needs to be changed for it to be used automatically when running firejail codium. One could also just copy the vscodium.profile to codium.profile.

(Currently it needs to be run like this: firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium.

firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium --unity-launch %F and firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium --new-window %F don't work because of:

FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/codium/chrome-sandbox is owned by root and has mode 4755.

See here for what seems to be the best improvised solution for this currently; I'm not sure how this could be implemented here and if it needs to be as it also runs without --no-sandbox when not adding any parameters. That part is probably unrelated to firejail but please comment if you know a way to make firejail work when using --new-window)

@mYnDstrEAm mYnDstrEAm reopened this Jan 5, 2021
@rusty-snake
Collaborator

FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/codium/chrome-sandbox is owned by root and has mode 4755.

See here for what seems to be the best improvised solution for this currently; I'm not sure how this could be implemented here and if it needs to be as it also runs without --no-sandbox when not adding any parameters. That part is probably unrelated to firejail but please comment if you know a way to make firejail work when using --new-window)

See PRs #3688 and #3807. My suggestion: sysctl kernel.unprivileged_userns_clone=1.

@rusty-snake
Collaborator

rusty-snake commented Jan 5, 2021

Reopening because if the VsCodium is now called codium the profile's name needs to be changed to be used automatically when running firejail codium.

We should add a redirect/alias profile for it.

EDIT: And if writable-run-user is required, we should add it too.

@mYnDstrEAm
Author

mYnDstrEAm commented Jan 5, 2021

Sounds good! writable-run-user wasn't required.

Edit: only firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium works, but not firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium. /usr/share/codium/codium is used in the default .desktop file after installation (it was /usr/share/codium/codium --no-sandbox --unity-launch %F).

Don't know about kernel.unprivileged_userns_clone - it seems to be disabled for security reasons and I don't know how it would be useful here.

@mYnDstrEAm mYnDstrEAm changed the title Firejail profile for VsCodium doesn't work: /run/user/1000 & 2 directories not writable Firejail profile for VsCodium doesn't work: vscodium was renamed to codium Jan 5, 2021
@rusty-snake
Collaborator

rusty-snake commented Jan 6, 2021

Don't know about kernel.unprivileged_userns_clone - it seems to be disabled for security reasons and I don't know how it would be useful here.

Maybe read #3754.

Edit: only firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium works, but not firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium. /usr/share/codium/codium is used in the default .desktop file after installation (it was /usr/share/codium/codium --no-sandbox --unity-launch %F).

Is /usr/bin/codium a wrapper script for /usr/share/codium/codium?

@mYnDstrEAm
Author

mYnDstrEAm commented Jan 6, 2021

Is /usr/bin/codium a wrapper script for /usr/share/codium/codium?

It points to /usr/share/codium/bin/codium (ln -s says "codium -> /usr/share/codium/bin/codium", so I guess a symbolic link?) which is a very short wrapper script. Strangely, if I read it right, that script should only run /usr/share/codium/codium. The relevant part is:

if [ ! -L "$0" ]; then
	# if path is not a symlink, find relatively
	VSCODE_PATH="$(dirname "$0")/.."
else
	if command -v readlink >/dev/null; then
		# if readlink exists, follow the symlink and find relatively
		VSCODE_PATH="$(dirname "$(readlink -f "$0")")/.."
	else
		# else use the standard install location
		VSCODE_PATH="/usr/share/codium"
	fi
fi

ELECTRON="$VSCODE_PATH/codium"

@mYnDstrEAm
Author

There's probably some permission set that allows /usr/bin/ but not /usr/share; firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium should work with the profile too.

@rusty-snake
Collaborator

Just to be sure, firejail --noprofile /usr/share/codium/codium works?

@rusty-snake
Collaborator

Any progress here?

@kmk3
Collaborator

kmk3 commented Oct 4, 2021

@rusty-snake commented on Apr 6:

Any progress here?

I think I got it; will submit a PR later.

@kmk3
Collaborator

kmk3 commented Oct 5, 2021

Quoting the first post of the following discussion (as a sort of +1):

@henrythebuilder on Jul 26:

Hi,

Following the latest problems detected with the marketplace (VSCodium/vscodium#746), I tried to use Firejail to increase security, but on my computer the default profile does not work, so I tried to create a new local profile following information/instructions on how to manage Chromium/Electron applications. Referring especially to the firejail repo (issue 2949 > netblue30/firejail#2946), I created the profile I attach, stored locally at ~/.config/firejail/codium.profile.

I use it from my shell through an alias for the executable codium (./bin/codium) as:

alias codium='firejail /my/local/installation/path/vscodium/bin/codium'

Not knowing how to share it, I used this channel hoping to get help to correct/extend it to get the best result.

Enrico

codium.profile:

# Firejail profile for codium
# Description: main entry point for VSCodium from shell (./bin/codium)

# Persistent local customizations
include codium.local

noblacklist ${HOME}/.VSCodium
noblacklist ${HOME}/.config/VSCodium
noblacklist ${HOME}/.vscode-oss

### from https://github.com/netblue30/firejail/issues/2946
#seccomp !chroot
#ignore seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

# Redirect
include ${CFG}/code.profile

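To see which directives a redirect chain such as vscodium.profile -> codium.profile -> codium.local -> code.profile actually produces (the thing that went wrong with the local profiles earlier in this thread), here is an added shell script that flattens a profile's include lines; it is not firejail's own code and not from anyone in this thread. It assumes a simplified version of firejail's lookup (bare names searched in ~/.config/firejail, then /etc/firejail; ${CFG} meaning /etc/firejail), uses the made-up variables FJ_SYS_DIR and FJ_USER_DIR for those two directories, and the demo function builds a constructed profile tree in a temp directory instead of reading the real /etc/firejail.

```shell
#!/usr/bin/env bash
# Flatten a firejail profile's `include` chain and print the directives that
# remain, to check which noblacklist/whitelist lines a profile really applies.
# Simplified lookup model (an assumption, not firejail's own code):
#   bare include names are searched in $FJ_USER_DIR, then $FJ_SYS_DIR;
#   ${CFG} expands to $FJ_SYS_DIR, ${HOME} to $HOME; a missing include
#   (e.g. an absent codium.local) is skipped with a note on stderr.
FJ_SYS_DIR=${FJ_SYS_DIR:-/etc/firejail}
FJ_USER_DIR=${FJ_USER_DIR:-$HOME/.config/firejail}

find_profile() {              # $1 = include name or path; prints the file found
  local name d
  name=$(printf '%s\n' "$1" | sed "s|\\\${CFG}|$FJ_SYS_DIR|g")
  case $name in
    /*) [ -r "$name" ] && { printf '%s\n' "$name"; return 0; } ;;
    *)  for d in "$FJ_USER_DIR" "$FJ_SYS_DIR"; do
          [ -r "$d/$name" ] && { printf '%s\n' "$d/$name"; return 0; }
        done ;;
  esac
  return 1
}

resolve_profile() {           # $1 = include name or path, $2 = nesting depth
  local depth=${2:-0} file line
  if [ "$depth" -gt 16 ]; then echo "include loop at $1" >&2; return 1; fi
  file=$(find_profile "$1") || { echo "# skipped, not found: $1" >&2; return 0; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*)    ;;                                   # blank lines and comments
      include\ *) resolve_profile "${line#include }" $((depth + 1)) ;;
      *)          printf '%s\n' "$line" | sed "s|\\\${HOME}|$HOME|g" ;;
    esac
  done < "$file"
}

# Demo on a constructed profile tree standing in for /etc/firejail and ~/.config/firejail:
# vscodium.profile redirects to codium.profile, which pulls in codium.local, then code.profile.
demo_vscodium_chain() {
  local tmp; tmp=$(mktemp -d)
  local FJ_SYS_DIR=$tmp/sys FJ_USER_DIR=$tmp/user   # visible to callees (dynamic scope)
  mkdir -p "$FJ_SYS_DIR" "$FJ_USER_DIR"
  printf '# Redirect\ninclude codium.profile\n' > "$FJ_SYS_DIR/vscodium.profile"
  printf 'include codium.local\nnoblacklist ${HOME}/.config/VSCodium\ninclude ${CFG}/code.profile\n' \
    > "$FJ_SYS_DIR/codium.profile"
  printf 'noblacklist ${HOME}/.vscode-oss/extensions\n' > "$FJ_USER_DIR/codium.local"
  printf 'noblacklist ${HOME}/.config/Code\nprivate-dev\n' > "$FJ_SYS_DIR/code.profile"
  resolve_profile vscodium.profile
  rm -rf "$tmp"
}
```

Run `resolve_profile codium.profile` against a real installation to compare the flattened result with the directories the "Unable to write program user data" message lists.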
kmk3 added a commit to kmk3/firejail that referenced this issue Oct 5, 2021
It creates the following directories on startup:

* ~/.config/VSCodium
* ~/.vscode-oss

Environment:

    $ grep '^NAME' /etc/os-release
    NAME="Artix Linux"
    $ pacman -Q vscodium-bin
    vscodium-bin 1.60.2-2

Note: The following entry is already on disable-programs.inc:

    noblacklist ${HOME}/.vscode-oss

It was added on commit de90834 ("Update disable-programs.inc",
2019-03-02).

Relates to netblue30#3871.
kmk3 added a commit to kmk3/firejail that referenced this issue Oct 5, 2021
Both base names are valid:

    $ grep '^NAME' /etc/os-release
    NAME="Artix Linux"
    $ pacman -Q vscodium-bin
    vscodium-bin 1.60.2-2
    $ pacman -Qlq vscodium-bin | grep -v -e '/$' -e /resources/ |
      grep /bin/
    /usr/bin/codium
    /usr/bin/vscodium
    /usr/share/vscodium-bin/bin/codium

Note: The first two paths are symlinks to the third one.

Fixes netblue30#3871.
@kmk3
Collaborator

kmk3 commented Oct 5, 2021

vscodium was renamed to codium

Potentially caused by:

Kind of relates to:

@kmk3 kmk3 changed the title Firejail profile for VsCodium doesn't work: vscodium was renamed to codium vscodium: missing profile redirect: vscodium was renamed to codium Sep 3, 2024