[Question] Strange socket name and compatibility with firejail #16349

Closed
IlyaIndigo opened this issue May 20, 2021 · 19 comments

@IlyaIndigo

IlyaIndigo commented May 20, 2021

If I launch telegram-desktop via firejail from any browser (firefox, chromium) via firejail (previously enabling dbus), a problem appears: the 2nd instance is launched.
This is due to the directive include whitelist-runuser-common.inc in the browsers' profile.
The contents of this file:

whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/dconf
whitelist ${RUNUSER}/gdm/Xauthority
whitelist ${RUNUSER}/ICEauthority
whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
whitelist ${RUNUSER}/wayland-0
whitelist ${RUNUSER}/wayland-1
whitelist ${RUNUSER}/xauth_*

It would seem that one should simply ask the firejail developer to add something to this list
whitelist ${RUNUSER}/telegram-desktop
But the socket name isn't telegram-desktop at all, but some ugly windows registry-style d937f37639639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D}.
Everyone else in /run/user/1000/ has nice, short and clear names everywhere but this one.

Why is it like that?
How is it formed?
Is it always like this for everybody, or it depends on something?

P.S. I did not immediately determine that this is a bug, maybe I do not understand something?

@Aokromes
Collaborator

english only plz.

@IlyaIndigo changed the title from its Russian original, "[Question] Странное имя сокета и совместимость с firejail", to "[Question] Strange socket name and compatibility with firejail" on May 20, 2021

@ilya-fedin
Contributor

> Why is it like that?

tdesktop IPC, used for single instance implementation

@IlyaIndigo
Author

IlyaIndigo commented May 20, 2021

> > Why is it like that?
>
> tdesktop IPC, used for single instance implementation

What prevents it from being called TelegramDesktop or telegram-desktop or telegram.desktop?

@ilya-fedin
Contributor

> What prevents it from being called TelegramDesktop or telegram-desktop or telegram.desktop?

tdesktop can have multiple instances if you specify a different profile directory

@IlyaIndigo
Author

> > What prevents it from being called TelegramDesktop or telegram-desktop or telegram.desktop?
>
> tdesktop can have multiple instances if you specify a different profile directory

telegram-desktop-1
telegram-desktop-2
...
telegram-desktop-1234 (pid)
telegram-desktop-1235 (pid)

This would allow a universal rule to be written like this
whitelist ${RUNUSER}/telegram-desktop-*.

@ilya-fedin
Contributor

ilya-fedin commented May 20, 2021

> telegram-desktop-1
> telegram-desktop-2
> ...
> telegram-desktop-1234 (pid)
> telegram-desktop-1235 (pid)

How do you imagine multiple processes will find the right socket?

@IlyaIndigo
Author

> How do you imagine multiple processes will find the right socket?

A socket with that name it somehow finds.
Other applications also cope with normal names.
And how do you expect me now to write an allow rule for firejail with this name, which it is unclear what depends on and can be different for each user?
Or at least create a directory ${RUNUSER}/telegram-desktop, so you can write a rule whitelist ${RUNUSER}/telegram-desktop/*, and name it whatever you want.

@ilya-fedin
Contributor

> A socket with that name it somehow finds.

Currently it uses a hash of path to the profile directory. I don't think complicating the logic and going through all the sockets with PIDs is something that should be done.

> And how do you expect me now to write an allow rule for firejail with this name, which it is unclear what depends on and can be different for each user?

whitelist ${RUNUSER}/*-{87A94AB0-E370-4cde-98D3-ACC110C5967D}

@IlyaIndigo
Author

IlyaIndigo commented May 20, 2021

> whitelist ${RUNUSER}/*-{87A94AB0-E370-4cde-98D3-ACC110C5967D}

1. {} Bad symbols
2. 87A94AB0-E370-4cde-98D3-ACC110C5967D What is it?
   Will all users of all operating systems and future versions have it?
3. How are firejail users who read such a rule supposed to know that it applies to telegram-desktop?

@ilya-fedin
Contributor

> What is it?

I don't honestly know, only @john-preston knows that. It's named like GUIDStr.

> Will all users of all operating systems and future versions have it?

From what I see, it can be different between different builds (installation sources), but it shouldn't change until you change installation source.

> How are firejail users who read such a rule supposed to know that it applies to telegram-desktop?

Ask the author of the rules. Probably they should comment them.

@IlyaIndigo
Author

> From what I see, it can be different between different builds (installation sources), but it shouldn't change until you change installation source.

So this option is not good for the universal rule.
Maybe just create a directory /run/user/1000/telegram-desktop/ (if necessary, the directory name can be linked to the executable file name), and leave the socket name as it is, and this will not be a problem.

@ilya-fedin
Contributor

ilya-fedin commented May 20, 2021

> So this option is not good for the universal rule.

You can't do a universal rule for all the builds. Even with your variant they would need a way to differentiate and you still won't be able to create a universal rule.

> Maybe just create a directory /run/user/1000/telegram-desktop/ (if necessary, the directory name can be linked to the executable file name), and leave the socket name as it is, and this will not be a problem.

Maximum path length (including file name) for socket on *nix is 108 bytes, no, thanks.

@IlyaIndigo
Author

> You can't do universal rule for all the builds.

For the reason I described (dynamic socket name without static directory name) or some other?

> Maximum path length (including file name) for socket on *nix is 108 bytes, no, thanks.

/run/user/1000/telegram-desktop/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (103 < 108)
/run/user/1000/telegram/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (95 < 108)

Well you or your colleagues themselves gave such a long and uninformative name.

@ilya-fedin
Contributor

ilya-fedin commented May 20, 2021

> /run/user/1000/telegram-desktop/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (103 < 108)
> /run/user/1000/telegram/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (95 < 108)

It's not like that for everyone. flatpak and snap add their subdirectories to the path. The path can point to $HOME/.cache in some scenarios (e.g. non-systemd distros). Not to mention that UID can have more numbers.
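
An added example, not part of the original thread and not tdesktop's code: a C check of the `sun_path` length budget raised in the comments above, applied to the socket name quoted in the thread under several runtime directories. The directories other than the first two are constructed for illustration, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Socket file name quoted in the thread: 32-hex hash, '-', GUID in braces. */
static const char SOCK_NAME[] =
    "d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D}";

/* Capacity of sockaddr_un.sun_path on this platform (108 on Linux). */
static size_t sun_path_capacity(void) {
    return sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* Bytes left over (negative if too long) for "dir/name" plus its NUL. */
static long sun_path_headroom(const char *dir, const char *name) {
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    return (long)sun_path_capacity() - (long)need;
}

/* Fill addr only when the path fits; 0 on success, -1 if it is too long. */
static int make_unix_addr(struct sockaddr_un *addr, const char *dir,
                          const char *name) {
    if (sun_path_headroom(dir, name) < 0)
        return -1; /* refuse instead of silently truncating the path */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, sizeof(addr->sun_path), "%s/%s", dir, name);
    return 0;
}

int main(void) {
    /* Constructed runtime directories; only the first two mirror the thread. */
    static const char *dirs[] = {
        "/run/user/1000",
        "/run/user/1000/telegram-desktop",
        "/run/user/1234567890/telegram-desktop",
        "/home/user/.cache/telegram-desktop",
        "/run/user/1000/app/org.example.App/telegram-desktop",
    };
    for (size_t i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        struct sockaddr_un addr;
        int rc = make_unix_addr(&addr, dirs[i], SOCK_NAME);
        printf("%-52s headroom=%4ld %s\n", dirs[i],
               sun_path_headroom(dirs[i], SOCK_NAME), rc ? "TOO LONG" : "ok");
    }
    return 0;
}
```

On Linux the first, second and fourth directories fit with 21, 4 and 1 bytes to spare, while the long-UID and nested sandbox-style directories exceed the limit by 2 and 16 bytes.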

@ilya-fedin
Contributor

Sorry, but I don't think any change is needed here. Just use GUID, it should fit your needs.

@IlyaIndigo
Author

> > /run/user/1000/telegram-desktop/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (103 < 108)
> > /run/user/1000/telegram/d937f37639c4916b9e587fdf17f18985-{87A94AB0-E370-4cde-98D3-ACC110C5967D} (95 < 108)
>
> It's not like that for everyone. flatpak and snap add their subdirectories to the path. The path can point to $HOME/.cache in some scenarios (e.g. non-systemd systemd). Not to mention that UID can have more numbers.

Well, then all the more reason to do something with it (with the name of the socket), you have created yourself a time bomb and do not see it and think that everything is fine and there are no problems and do not need to do anything.

@ilya-fedin
Contributor

@Aokromes can you close the issue since the question is answered?