How to improve Signal Desktop's usability under Firejail


Posted by Diego Assencio on 2020.08.19 under Linux (Security)

If you use Firejail to run Signal Desktop in a sandboxed environment on Linux, you will likely be surprised to find that a new application instance is opened every time you execute the firejail signal-desktop command. Attempting to open a second instance of Signal Desktop should simply cause the existing one to be activated instead, but Firejail breaks this default behavior.

On top of that, if you use the --use-tray-icon parameter to have Signal Desktop place an icon on your desktop environment's icon tray, the icon may be displayed incorrectly, and each newly opened instance will place an additional (incorrect) icon there as well, making things even worse.

Addressing these issues is fortunately easy. All you need to do is create a Firejail profile file named signal-desktop.profile inside the ~/.config/firejail/ directory containing the following:

ignore private-tmp
include /etc/firejail/signal-desktop.profile

Whenever you run Signal Desktop with Firejail, this profile will be automatically loaded to define the sandboxed environment in which the application will be executed.

The second line in the file instructs Firejail to load its default profile for the Signal Desktop application. This is necessary because Firejail will not do that automatically when it detects a user-provided profile file (which is our case). In order to load the default security settings for Signal Desktop, we therefore need to have them explicitly added to our profile.

Within Firejail's default profile for Signal Desktop, there is a directive (private-tmp) which instructs Firejail to present an empty temporary filesystem on top of the /tmp directory to the application. Within that temporary filesystem, the files stored in the system's /tmp directory are not present, except perhaps for X11 and PulseAudio sockets, which need to be whitelisted for Signal Desktop to run properly. This increases the system's security by preventing a running instance of Signal Desktop from accessing files which other processes store at /tmp, but since Signal Desktop itself stores data at that location to indicate that an instance is currently running, its ability to prevent multiple concurrent instances is lost as a side effect of this security setting.

The ignore private-tmp directive tells Firejail to present the system's actual /tmp directory to Signal Desktop instead of a temporary filesystem mounted over it, thereby addressing the problem (but at the cost of a lower system security level, of course). As a bonus, the tray icon issues are resolved as well.
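To see what that lower security level means on a given machine, the following added example (not part of the original post, and not Firejail's own tooling) lists the top-level entries of /tmp that a sandbox sharing the real directory can see. The function names tmp_exposure and tmp_readable_count are hypothetical, and the script assumes a find that supports -mindepth and -maxdepth (GNU or BSD).

```shell
#!/bin/sh
# Added example: inventory of what an application can see once the
# sandbox shares the real /tmp (the effect of "ignore private-tmp").
# One output line per top-level entry: "<access> <kind> <path>"
#   access = read : the current user can read the entry's contents
#   access = name : only the entry's name is visible
# Assumption: entry names do not contain newlines.

tmp_exposure() {
    dir=${1:-/tmp}
    # Only top-level entries; errors from unreadable paths are ignored.
    find "$dir" -mindepth 1 -maxdepth 1 2>/dev/null | sort |
    while IFS= read -r p; do
        if   [ -L "$p" ]; then kind=link
        elif [ -S "$p" ]; then kind=socket
        elif [ -d "$p" ]; then kind=dir
        elif [ -f "$p" ]; then kind=file
        else                   kind=other
        fi
        # The sandboxed process runs as the same user, so what this
        # shell can read is what the application can read.
        if [ -r "$p" ]; then access=read; else access=name; fi
        printf '%s %s %s\n' "$access" "$kind" "$p"
    done
}

# Number of top-level entries whose contents are readable.
tmp_readable_count() {
    # grep -c exits non-zero on a count of 0, hence "|| true".
    tmp_exposure "$1" | grep -c '^read ' || true
}
```

Calling tmp_exposure /tmp before and after starting other applications shows which of their temporary files and sockets Signal Desktop can reach under the relaxed profile.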
