[GH-ISSUE #3871] vscodium: missing profile redirect: vscodium was renamed to codium #2434

Closed
opened 2026-05-05 09:06:42 -06:00 by gitea-mirror · 14 comments

Originally created by @mYnDstrEAm on GitHub (Jan 5, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3871

I had a problem of not getting updates for the way to get Visual Studio Code on Debian via a repository instead of the GitHub releases: https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/-/issues/50

I did not get any error or alike and "solved" it by going through that repo's guide in the readme again which I installed VsCodium another time, now not called vscodium but "codium" and the latest version (now I have two VSCodiums installed).

However, when I run `firejail --profile=/etc/firejail/vscodium.profile codium` I now get this error message:

```
Unable to write program user data.

Please make sure the following directories are writeable:

/home/username/.config/VSCodium
/home/username/.vscode-oss/extensions
/run/user/1000
```

I already created a /home/username/.config/firejail/code.local with:

```
noblacklist ${HOME}/.config/VSCodium
noblacklist ${HOME}/.vscode-oss/extensions
```

At least two issues remain:

  • The vscodium profile (that's /etc/firejail/code.profile and /etc/firejail/vscodium.profile) seems to be broken/outdated
  • How to solve the problem with /run/user/1000?

`echo $DBUS_SESSION_BUS_ADDRESS` returns `unix:path=/run/user/1000/bus`

Also from the default vscodium profile it looks like it's not possible to install extensions. Is that correct? If so that should be changed too but it would be a separate issue.

System: Debian10/KDE
Firejail: 0.9.64 (latest from backports)


@rusty-snake commented on GitHub (Jan 5, 2021):

> Please make sure the following directories are writeable:
> /run/user/1000

I did not read further, but `firejail --writable-run-user …` should solve at least this message.

@mYnDstrEAm commented on GitHub (Jan 5, 2021):

It's solved now, sorry. Was a problem with local profiles.


@mYnDstrEAm commented on GitHub (Jan 5, 2021):

Reopening because if the VsCodium is now called codium the profile's name needs to be changed to be used automatically when running `firejail codium`. One could also just copy the vscodium.profile to codium.profile.

(Currently it needs to be run like this: `firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium`.

`firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium --unity-launch %F` and `firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium --new-window %F` don't work because of:

`FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/codium/chrome-sandbox is owned by root and has mode 4755.`

See [here](https://github.com/laurent22/joplin/issues/2246#issuecomment-740126395) for what seems to be the best improvised solution for this currently; I'm not sure how this could be implemented here and if it needs to be as it also runs without `--no-sandbox` when not adding any parameters. That part is probably unrelated to firejail but please comment if you know a way to make firejail work when using `--new-window`)

@rusty-snake commented on GitHub (Jan 5, 2021):

> `FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/share/codium/chrome-sandbox is owned by root and has mode 4755.`
>
> See here for what seems to be the best improvised solution for this currently; I'm not sure how this could be implemented here and if it needs to be as it also runs without --no-sandbox when not adding any parameters. That part is probably unrelated to firejail but please comment if you know a way to make firejail work when using --new-window)

See PRs #3688 and #3807. _My_ suggestion: `sysctl kernel.unprivileged_userns_clone=1`.
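
Added example, not from the thread or from firejail: a host-side check of the two conditions the messages above refer to, the `kernel.unprivileged_userns_clone` sysctl and the owner and mode of the `chrome-sandbox` helper. The function names and result labels are made up for this sketch, and it says nothing about what a firejail profile changes inside the sandbox.

```shell
#!/bin/sh
# Added diagnostic sketch (hypothetical helper names, not part of firejail or VSCodium).

# classify_sandbox USERNS OWNER_UID MODE
#   USERNS     content of kernel.unprivileged_userns_clone, or "absent"
#   OWNER_UID  numeric owner of chrome-sandbox, or "missing"
#   MODE       octal mode of chrome-sandbox as printed by stat, e.g. 4755
classify_sandbox() {
    userns=$1 owner=$2 mode=$3
    if [ "$userns" = 1 ]; then
        echo "userns"               # unprivileged user namespaces allowed
    elif [ "$owner" = 0 ] && [ "$mode" = 4755 ]; then
        echo "suid"                 # helper set up as the error message demands
    elif [ "$userns" = absent ]; then
        echo "unknown"              # no such sysctl on this kernel; cannot decide here
    elif [ "$owner" = missing ]; then
        echo "none"                 # neither mechanism available
    else
        echo "suid-misconfigured"   # the setuid_sandbox_host.cc FATAL case
    fi
}

# check_electron_sandbox [HELPER] [SYSCTL_FILE]: gather the inputs and classify.
check_electron_sandbox() {
    helper=${1:-/usr/share/codium/chrome-sandbox}
    knob=${2:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ -r "$knob" ]; then userns=$(cat "$knob"); else userns=absent; fi
    if [ -e "$helper" ]; then
        owner=$(stat -c %u "$helper")
        mode=$(stat -c %a "$helper")
    else
        owner=missing mode=0
    fi
    classify_sandbox "$userns" "$owner" "$mode"
}

# With no arguments this inspects the paths named in the thread.
check_electron_sandbox "$@"
```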


@rusty-snake commented on GitHub (Jan 5, 2021):

> Reopening because if the VsCodium is now called codium the profile's name needs to be changed to be used automatically when running firejail codium.

We should add a redirect/alias profile for it.

EDIT: And if `writable-run-user` is required, we should add it too.
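
Added example, not firejail's own code: a simplified model of name-based profile lookup (basename of the command plus `.profile`, user directory before system directory, which is an assumption about firejail's behaviour), showing why `firejail codium` finds nothing while `vscodium.profile` exists and how a one-line redirect changes that. The function names and the temporary directories are constructed for the demo.

```shell
#!/bin/sh
# Added sketch (hypothetical helper names); works on throwaway directories only.

# find_profile COMMAND USER_DIR SYS_DIR
# Model of the lookup: <basename of COMMAND>.profile, user dir first.
find_profile() {
    name=$(basename "$1")
    for dir in "$2" "$3"; do
        if [ -f "$dir/$name.profile" ]; then
            echo "$dir/$name.profile"
            return 0
        fi
    done
    return 1
}

# write_redirect NEW OLD USER_DIR
# Create NEW.profile that only includes OLD.profile, so updates to OLD still apply
# (unlike a copy of vscodium.profile, which would go stale).
write_redirect() {
    mkdir -p "$3"
    cat > "$3/$1.profile" <<EOF
# Local alias: $1 uses the $2 profile (added example)
include $2.profile
EOF
}

demo_redirect() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/home"
    : > "$tmp/etc/vscodium.profile"   # constructed stand-in for /etc/firejail/vscodium.profile
    before=$(find_profile /usr/bin/codium "$tmp/home" "$tmp/etc" || echo none)
    write_redirect codium vscodium "$tmp/home"
    after=$(find_profile /usr/bin/codium "$tmp/home" "$tmp/etc" || echo none)
    echo "before=$before after=${after#"$tmp"/}"
    rm -rf "$tmp"
}

demo_redirect
```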


@mYnDstrEAm commented on GitHub (Jan 5, 2021):

Sounds good! `writeable-run-user` wasn't required.

Edit: only `firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium` works, but not `firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium`.
`/usr/share/codium/codium` is used in the default .desktop file after installation (it was `/usr/share/codium/codium --no-sandbox --unity-launch %F`).

Don't know about kernel.unprivileged_userns_clone - [it seems to be disabled for security reasons](https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do) and I don't know how it would be useful here.

@rusty-snake commented on GitHub (Jan 6, 2021):

> Don't know about kernel.unprivileged_userns_clone - it seems to be disabled for security reasons and I don't know how it would be useful here.

Maybe read #3754.

> Edit: only `firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium` works, but not `firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium`
> `/usr/share/codium/codium` is used in the default .desktop file after installation (it was `/usr/share/codium/codium --no-sandbox --unity-launch %F`).

Is `/usr/bin/codium` a wrapper script for `/usr/share/codium/codium`?

@mYnDstrEAm commented on GitHub (Jan 6, 2021):

> Is `/usr/bin/codium` a wrapper script for `/usr/share/codium/codium`?

It points to /usr/share/codium/bin/codium (`ln -s` says "codium -> /usr/share/codium/bin/codium" so I guess a symbolic link?) which is a very short wrapper script. Strangely, if I read it right that script should only run `/usr/share/codium/codium`. The relevant part is:

```
if [ ! -L "$0" ]; then
	# if path is not a symlink, find relatively
	VSCODE_PATH="$(dirname "$0")/.."
else
	if command -v readlink >/dev/null; then
		# if readlink exists, follow the symlink and find relatively
		VSCODE_PATH="$(dirname "$(readlink -f "$0")")/.."
	else
		# else use the standard install location
		VSCODE_PATH="/usr/share/codium"
	fi
fi

ELECTRON="$VSCODE_PATH/codium"
```

@mYnDstrEAm commented on GitHub (Jan 8, 2021):

There's probably some permissions set that allows /usr/bin/ but not /usr/share - `firejail --profile=/etc/firejail/vscodium.profile /usr/share/codium/codium` should work with the profile too.

@rusty-snake commented on GitHub (Jan 9, 2021):

Just to be sure, `firejail --noprofile /usr/share/codium/codium` works?

@rusty-snake commented on GitHub (Apr 6, 2021):

Any progress here?


@kmk3 commented on GitHub (Oct 4, 2021):

@rusty-snake commented [on Apr 6](https://github.com/netblue30/firejail/issues/3871#issuecomment-814170488):

> Any progress here?

I think I got it; will submit a PR later.

@kmk3 commented on GitHub (Oct 5, 2021):

Quoting the first post of the following discussion (as a sort of +1):

* <https://github.com/VSCodium/vscodium/discussions/776>

@henrythebuilder [on Jul 26](https://github.com/VSCodium/vscodium/discussions/776#discussion-3477542):

> Hi,
>
> Following the latest problems detected with marketplace
> (VSCodium/vscodium#746), I tried to use Firejail to increase security but in
> my computer the default profile does not work, so I tried to create a new
> local profile following information/instructions on how to manage
> Chromium/Electron applications.
> Referring especially on [firejail repo](https://github.com/netblue30/firejail) ([issue 2949](https://github.com/netblue30/firejail/issues/2946) > [netblue30/firejail#2946](https://github.com/netblue30/firejail/issues/2946) )
> I created the profile I attach stored locally at
> `~/.config/firejail/codium.profile`
>
> I use it from my shell through an alias for the executable `codium`
> (`./bin/codium`) as:
>
> `alias codium='firejail /my/local/installation/path/vscodium/bin/codium'`
>
> Not knowing how to share it I used this channel hoping to have help to
> correct/extend it to get best result
>
> Enrico
>
> **codium.profile:**
>
> ```
> # Firejail profile for codium
> # Description: main entry point for VSCodium from shell (./bin/codium)
>
> # Persistent local customizations
> include codium.local
>
> noblacklist ${HOME}/.VSCodium
> noblacklist ${HOME}/.config/VSCodium
> noblacklist ${HOME}/.vscode-oss
>
> ### from https://github.com/netblue30/firejail/issues/2946
> #seccomp !chroot
> #ignore seccomp
> seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
>
> # Redirect
> include ${CFG}/code.profile
> ```
@kmk3 commented on GitHub (Oct 5, 2021):

> vscodium was renamed to codium

Potentially caused by:

* <https://github.com/VSCodium/vscodium/pull/176>

Kind of relates to:

* <https://github.com/VSCodium/vscodium/pull/293>