@glitsj16
Last active June 16, 2024 05:00
Firejail profile for vesktop

Firejail profile request for vesktop netblue30/firejail#1139 (comment)

I've installed vesktop-bin for creating/testing a profile for vesktop. Here are instructions to test that on your system with Firejail 0.9.72.

(1) Copy vesktop.profile to your ~/.config/firejail directory (which might need to be created if that doesn't exist).

(2) Check if your kernel supports unprivileged user namespaces:

$ unshare -U echo enabled

If that outputs enabled, you can activate extra sandbox hardenings by additionally placing electron.local in ~/.config/firejail.

IMPORTANT

I only tested this superficially, so there might be additional things needed. But vesktop did start properly, including tray support. If someone who actively uses Discord can confirm the vesktop profile is functional (screen sharing, opening links with Firefox etcetera) we can bring it in on the next Firejail release.

Regards

# Firejail profile for electron
# Persistent local customizations
# If your kernel allows the creation of user namespaces by unprivileged users
# (for example, if running `unshare -U echo enabled` prints "enabled"), you
# can add the next line to your electron-common.local.
include chromium-common-hardened.inc.profile
# Firejail profile for vesktop
# Description: Custom Discord App
# This file is overwritten after every install/update
# Persistent local customizations
include vesktop.local
# Persistent global definitions
include globals.local
# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
noblacklist ${HOME}/.config/vesktop
mkdir ${HOME}/.config/vesktop
whitelist ${HOME}/.config/vesktop
private-bin vesktop
private-opt vesktop
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
# Add the next line to your vesktop.local to allow screen sharing under wayland.
#dbus-user.talk org.freedesktop.portal.Desktop
# Add the next line to your vesktop.local if screen sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none
join-or-start vesktop
include discord-common.profile
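A pre-flight check for the two conditions the instructions above rely on (unprivileged user-namespace support, and a vesktop executable somewhere on $PATH, walked the way the --debug search in the thread below walks it), added here as an example; it is not part of the gist. It assumes that only an executable regular file counts as a suitable candidate and does not model any other rule of Firejail's own lookup.

```shell
#!/bin/sh
# Added pre-flight check, not part of the gist. Assumption: an executable
# regular file is the only candidate Firejail would accept; other rules of
# its lookup are not modelled here.

# Mirrors `unshare -U echo enabled`; prints "enabled" or "disabled".
userns_status() {
    if [ "$(unshare -U echo enabled 2>/dev/null)" = enabled ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Walk a PATH-style list (default: $PATH) the way the --debug output does
# and print the first directory holding an executable regular file NAME.
# Non-executable files and dangling symlinks are reported on stderr and
# skipped, since they would not be "suitable" either (assumption above).
find_in_path() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue
        cand=$dir/$name
        if [ -f "$cand" ] && [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        elif [ -L "$cand" ] || [ -e "$cand" ]; then
            printf 'skipping %s: not an executable regular file\n' "$cand" >&2
        fi
    done
    IFS=$old_ifs
    return 1
}

# Summarise which files from the instructions apply on this machine.
preflight() {
    echo 'copy vesktop.profile to ~/.config/firejail/'
    if [ "$(userns_status)" = enabled ]; then
        echo 'user namespaces enabled: also copy electron.local there'
    fi
    if ! find_in_path vesktop; then
        echo 'vesktop not on PATH: expect "no suitable vesktop executable found"' >&2
        return 1
    fi
}
```

Run `preflight` after sourcing the file; a non-zero exit means Firejail would not find the binary either.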
@imgurbot12

Thanks for your help!
Unfortunately, I'm having trouble launching the app for some reason. It seems like firejail can't seem to find vesktop despite the fact it's clearly installed both in /bin/vesktop and /usr/bin/vesktop.

Reading profile /home/andrew/.config/firejail/vesktop.profile
Reading profile /etc/firejail/discord-common.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 258640, child pid 258644
Warning: skipping vesktop for private /opt
Private /opt installed in 0.08 ms
19 programs installed in 43.94 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping crypto-policies for private /etc
Warning: skipping ld.so.preload for private /etc
Warning: skipping password for private /etc
Private /etc installed in 53.82 ms
Private /usr/etc installed in 0.01 ms
Warning: not remounting /run/user/1000/doc
Child process initialized in 203.87 ms
Error: no suitable vesktop executable found

with --debug I can see it's searching for it but having issues:

Searching $PATH for vesktop
trying #/home/andrew/.local/share/mise/installs/python/3.8.10/bin/vesktop#
trying #/home/andrew/.local/share/mise/installs/node/22.0.0/bin/vesktop#
trying #/usr/local/go/bin/vesktop#
trying #/home/andrew/.local/bin/vesktop#
trying #/home/andrew/.cargo/bin/vesktop#
trying #/usr/local/sbin/vesktop#
trying #/usr/local/bin/vesktop#
trying #/usr/sbin/vesktop#
trying #/usr/bin/vesktop#
trying #/sbin/vesktop#
trying #/bin/vesktop#
trying #/usr/games/vesktop#
trying #/usr/local/games/vesktop#
trying #/snap/bin/vesktop#
Error: no suitable vesktop executable found

I am on firejail 0.9.72:

firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

@glitsj16
Author

Warning: networking feature is disabled in Firejail configuration file

Have you changed defaults in /etc/firejail/firejail.config by any chance? Not that it relates to the Error: no suitable vesktop executable found, but something you might want to double-check regardless.

Not sure yet about that vesktop executable, but you can use ignore private-bin to test if we need something additionally there. So comment the private-bin vesktop line and put in the ignore.

@imgurbot12

imgurbot12 commented Jun 16, 2024

I have not. Just in case, I went and completely purged firejail before reinstalling.
I'm not sure why it would make a difference but I am on Ubuntu 24.04 if that matters.
Unfortunately, after commenting out that line and adding the ignore it's still having issues.

For reference here's the diff of changes for ~/.config/firejail/vesktop.profile:

19c19
< private-bin vesktop
---
> # private-bin vesktop
20a21
> ignore private-bin
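Review bot: the `ignore private-bin` added at 20a21 is the change that does the work here; `ignore` suppresses every matching directive read after it, which covers any `private-bin` line in the `include discord-common.profile` that follows (and in what that file includes in turn), so the commented-out `# private-bin vesktop` at 19c19 is redundant, the ignore would have dropped it too. Note that the ignore still sits after `include vesktop.local`, so a `private-bin` placed in that local file would not be suppressed.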

Here's the full runtime log: https://gist.github.com/imgurbot12/1b8800915679fe5591f80e57618e1007

@glitsj16
Author

I'm not sure why it would make a difference but I am on Ubuntu 24.04 if that matters.

Thanks for the info. Shouldn't matter as long as you're using Firejail 0.9.72. There are known issues on Ubuntu, that's why we recommend using the PPA (maintained by the Debian firejail dev and collaborator on the Firejail project):

https://github.com/netblue30/firejail#ubuntu

I'm assuming vesktop isn't something you've installed from Ubuntu repos, correct? If you can provide some details on that (like installed from a PPA, manual build, etc.) I can try to reproduce on a machine running Ubuntu 22.04 LTS. That might speed up things, as for now I'm not sure my testing with the vesktop package from the AUR is keeping us from being on the same page...

Thanks for the debug log by the way. Looks pretty clean. Alas nothing jumping out to suggest a quick fix.

@imgurbot12

Interesting, ok thanks.

It is not installed or downloaded via a repo, yes.
I installed Vesktop via a downloaded deb directly from their github releases:
https://github.com/Vencord/Vesktop/releases/tag/v1.5.2
https://github.com/Vencord/Vesktop/releases/download/v1.5.2/vesktop_1.5.2_amd64.deb

I just used sudo dpkg -i ~/Downloads/vesktop_1.5.2_amd64.deb
I appreciate the help and support, thanks again!
