How to improve Signal Desktop's usability under Firejail


Posted by Diego Assencio on 2020.08.19 under Linux (Security)

If you use Firejail to run Signal Desktop in a sandboxed environment on Linux, you will likely be surprised by the fact that a new application instance is opened every time you execute the firejail signal-desktop command. Attempting to open a second instance of Signal Deskop should simply cause the existing one to be activated instead, but Firejail breaks this default behavior.

On top of that, if you use the --use-tray-icon parameter to have Signal Desktop place an icon on your desktop environment's icon tray, the icon may not only be displayed incorrectly, but each new opened instance will place an additional (incorrect) icon there as well, making things even worse.

Addressing these issues is fortunately easy. All you need to do is create a Firejail profile file named signal-desktop.profile inside the ~/.config/firejail/ directory containing the following:

ignore private-tmp
include /etc/firejail/signal-desktop.profile

Whenever you run Signal Desktop with Firejail, this profile will be automatically loaded to define the sandboxed environment in which the application will be executed.

The second line on the file instructs Firejail to load its default profile for the Signal Desktop application. This is necessary because Firejail will not do that automatically whenever it detects a user-provided profile file (which is our case). In order to load the default security settings for Signal Desktop, we therefore need to have them explicitly added to our profile.

Within Firejail's default profile for Signal Deskop, there is a directive (private-tmp) which instructs Firejail to present an empty temporary filesystem on top of the /tmp directory to the application. Within that temporary filesystem, all files stored in the system's /tmp directory are not present except for perhaps X11 and PulseAudio sockets which need to be whitelisted for Signal Desktop to run properly. This increases the system's security by preventing a running instance of Signal Desktop from accessing files which other processes store at /tmp , but since Signal Desktop itself stores data at that location to indicate that an instance is currently running, its ability to prevent multiple concurrent instances is lost as a side effect of this security setting. The ignore private-tmp directive tells Firejail to present the system's actual /tmp directory to Signal Desktop instead of a temporary filesystem mounted over it, thereby addressing the problem (but at the cost of a lower system security level, of course). As a bonus, the tray icon issues are resolved as well.

Comments

MichealKer on Jul 30, 2021:
Kết Quả đá Bóng Hôm Nay<a href="https://liverpoolwin365.com/">tin tức chuyển nhượng liverpool</a>Chúng tôi có những ý tưởng phát minh và plan mới, cả đội cần thiết cố gắng nhằm thực hiện nay nó 1 cơ hội chất lượng nhất lúc trận đấu ra mắt. Trước trận đấu quan lại trọng này, HLV Ramiro Lopez của Lebanon tuyên bố, “Chúng tôi đã được
Jamescak on Aug 01, 2021:
Giày Bóng Rổ Giá Tiền Rẻ Bền đẹp Nhất, Giá Tiền Sốc, Nên Mua Ở Đâu<a href="https://chiefscreolecafe.com/detail/viettel-dau-voi-hoang-anh-gia-lai-34172.html">viettel đấu với hoàng anh gia lai</a>Lần trước tiên ra đôi mắt thì giầy Jordan 1 có màu đỏ, white và đen phối với nhau. Với upper mỏng dính nhẹ nhõm và đế bền hơn cùng cỗ đệm lấy thẳng kể từ Crazylight Boost 2016, trong hoàn cảnh tạm thời Rose 8 cũng rất xứng đáng để demo.
MichealKer on Aug 01, 2021:
Kết Quả đá Bóng Thời Điểm Hôm Nay<a href="https://realmadrid24.football/">cf tin tuc</a>Chúng tôi có những ý tưởng phát minh và plan mới, cả đội muốn cố gắng nhằm thực hiện nó 1 cơ hội chất lượng nhất lúc trận đấu diễn ra. Trước trận đấu quan lại trọng này, HLV Ramiro Lopez của Lebanon tuyên bố, “Chúng tôi đã có được

Leave a reply

NOTE: A name and a comment (max. 1024 characters) must be provided; all other fields are optional. Equations will be processed if surrounded with dollar signs (as in LaTeX). You can post up to 5 comments per day.

Preview: