NOTE

For some reason, Lemmy isn’t allowing me to upload more than 11 images. I will try to add the missing images after posting. It will take a while.

Edit: It isn’t allowing me to add more images. If anyone is interested, I will upload the images elsewhere.

Introduction

Setting up a secure coding environment for the Rust programming language on secureblue isn’t hard to do, but it’s difficult to figure out on your own. That is why I am making a guide explaining how to do it yourself.

For this tutorial, I will be using the silverblue-main-hardened:latest image of secureblue. I am also assuming you have enabled Flatpak permission lockdown by running ujust flatpak-permissions-lockdown.

Install a code editor

You can install whichever code editor you want, but for this tutorial I will be using VSCodium, which is an open-source binary of Microsoft’s Visual Studio Code without telemetry.

Command-line instructions

Open the terminal.

VSCodium can be installed using the following command:

flatpak install com.vscodium.codium

You will be prompted to proceed with changes to the user installation. After reviewing the changes, you can press enter. VSCodium will be downloaded and installed for the current user.

You may close the terminal now.

User-interface instructions

  1. Open GNOME Software.

  2. Type VSCodium. This should begin typing in a search bar, and VSCodium should show up as a search result.

  3. Select VSCodium (the blue one). VSCodium - Insiders (the orange one) is the nightly release of VSCodium, and is not recommended for daily use.

  4. Click the blue Install button on the top right. VSCodium will be downloaded and installed for the current user.

You may close GNOME Software now.

Install the Rust SDK

Rust provides multiple ways of installing. On secureblue, things are more locked down, especially with VSCodium being installed as a Flatpak. Rather than layering Rust as a system package and giving VSCodium invasive permissions to make it work, there is a much more elegant way to install Rust that isn’t mentioned in their install instructions.

Flathub provides an SDK Extension for Rust that can be used for Flatpak code editors, such as VSCodium. This can only be installed from the command line. Trying to install it from GNOME Software will install an outdated version of the Rust SDK.

Open the terminal.

First, we need to find the branch of org.freedesktop.Sdk. This will allow us to install the correct version of the Rust SDK.

The branch of org.freedesktop.Sdk can be found using the following command:

flatpak info org.freedesktop.Sdk

Make a note of the version number next to the Branch: field. In my case, it is 24.08.

The Rust SDK can be installed using the following command:

flatpak install org.freedesktop.Sdk.Extension.rust-stable

You will be prompted to select which ref you would like to install. Find the version that matches the branch of org.freedesktop.Sdk. Type the number corresponding with the version (in my case, 5), and press enter.

You will be prompted to proceed with changes to the user installation. After reviewing the changes, you can press enter. The Rust SDK will be downloaded and installed for the current user.

You may close the terminal now.
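
The two steps above (read the branch, then pick the matching ref from a menu) can be done in one pass. The sketch below is an added example, not part of the original guide; it assumes the branch to match is the one reported for VSCodium's own runtime by flatpak info --show-runtime, and the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the original guide): pick the rust-stable
# extension ref that matches the runtime VSCodium is built against.
APP=com.vscodium.codium
EXT=org.freedesktop.Sdk.Extension.rust-stable

# rust_ext_ref RUNTIME
# RUNTIME looks like "org.freedesktop.Sdk/x86_64/24.08" (name/arch/branch).
# Prints the extension ref with the same arch and branch, or fails.
rust_ext_ref() {
    case "$1" in
        org.freedesktop.Sdk/?*/?*) ;;
        *) echo "unexpected runtime: $1" >&2; return 1 ;;
    esac
    rest=${1#*/}            # arch/branch
    arch=${rest%%/*}
    branch=${rest#*/}
    case "$branch" in
        */*) echo "malformed runtime: $1" >&2; return 1 ;;
    esac
    printf '%s/%s/%s\n' "$EXT" "$arch" "$branch"
}

# Assumption: the app's own runtime is the branch the extension must match.
install_matching_rust_sdk() {
    runtime=$(flatpak info --show-runtime "$APP") || return 1
    ref=$(rust_ext_ref "$runtime") || return 1
    echo "Installing $ref"
    flatpak install "$ref"    # still asks for confirmation before changes
}

# Demonstration with the branch used in this guide (no Flatpak call is made):
rust_ext_ref org.freedesktop.Sdk/x86_64/24.08
```

Calling install_matching_rust_sdk performs the actual installation; a mismatched or unexpected runtime stops it before anything is installed.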

Grant Flatpak permissions

Assuming you enabled Flatpak permission lockdown, VSCodium won’t have permission to access everything it needs to work properly. We need to grant these permissions manually.

We will need to create a directory to act as your project directory. VSCodium will have access to every file in this directory, so it is best to only use it for VSCodium. I am creating a folder in my home directory named VSCodium to store all of my VSCodium projects.

VSCodium will need the following permissions to work:

  • The Network permission, in order to efficiently install extensions and update them automatically.
  • Access to a dedicated project directory, in order to create workspaces.
  • Permission to access the Rust SDK, in order to support the Rust language.
  • Optional access to Development syscalls, in order to use debugging extensions.

Command-line instructions

Open the terminal.

VSCodium can be granted the Network permission using the following command:

flatpak override -u --share=network com.vscodium.codium

The -u flag is an alias for --user, which will change the permission only for the current user.

A project directory can be created using the following command:

mkdir VSCodium

VSCodium can be granted access to the project directory using the following command:

flatpak override -u --filesystem=~/VSCodium com.vscodium.codium

VSCodium can be granted access to the Rust SDK using the following command:

flatpak override -u --env=FLATPAK_ENABLE_SDK_EXT=rust-stable com.vscodium.codium

You may close the terminal now.

User-interface instructions

  1. Open Flatseal. This should be installed by default, but if you decided not to install it during the post-install of secureblue, it can be installed from GNOME Software.

  2. Type VSCodium. This should begin typing in a search bar on the left, and VSCodium should show up as a search result.

  3. Select VSCodium.

  4. To grant VSCodium the Network permission, enable the switch next to the Network permission. It should turn blue, indicating that the permission has been granted.

  5. Open Files.

  6. Right click, and click on the option labeled New Folder... (This can also be done using Shift+Ctrl+N)

  7. Enter VSCodium in the text field labeled Folder Name.

  8. Click Create to create the folder. This will create a project directory for VSCodium to use.

  9. In Flatseal, scroll down to the Filesystem section.

  10. Click on the folder with a plus icon under the Other files section. An empty text field should appear.

  11. Click on the empty text field.

  12. Enter the following into the text field:
~/VSCodium

  13. To grant VSCodium access to the Rust SDK, scroll down to the Environment section.

  14. Click the plus icon on the top right. An empty text field should appear.

  15. Click on the empty text field.

  16. Enter the following into the text field:
FLATPAK_ENABLE_SDK_EXT=rust-stable

You may close Flatseal now.
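
To confirm that VSCodium ended up with only the permissions listed in this section, the overrides can be checked against that list. This is an added example, not part of the original guide; audit_overrides and PROJECT_DIR are names made up here, and the sample override text is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): flag overrides for VSCodium
# that go beyond the permission set granted in this guide.
PROJECT_DIR='~/VSCodium'    # written the same way it was passed to --filesystem

# Reads override key-file text on stdin, e.g. from
#   flatpak override -u --show com.vscodium.codium
# Prints one finding per line; no output means nothing beyond the guide's set.
audit_overrides() {
    awk -v dir="$PROJECT_DIR" '
        /^\[/ { section = $0; next }
        !/=/  { next }
        section == "[Context]" {
            key = substr($0, 1, index($0, "=") - 1)
            n = split(substr($0, index($0, "=") + 1), vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]
                # empty = trailing ";", leading "!" = a permission being removed
                if (v == "" || substr(v, 1, 1) == "!") continue
                if (key == "shared" && v == "network") continue
                if (key == "filesystems" && v == dir) continue
                if (key == "features" && v == "devel") {
                    print "NOTE devel (ptrace) is enabled, needed only for debugging"
                } else {
                    print "EXTRA " key ": " v
                }
            }
            next
        }
        section == "[Environment]" {
            if ($0 != "FLATPAK_ENABLE_SDK_EXT=rust-stable") print "EXTRA env: " $0
            next
        }
        { print "EXTRA " section " " $0 }   # bus policies and anything else
    '
}

# Constructed sample: the guide's overrides plus one unintended grant (home).
SAMPLE_OVERRIDES='[Context]
shared=network;
filesystems=~/VSCodium;home;
features=devel;

[Environment]
FLATPAK_ENABLE_SDK_EXT=rust-stable'

printf '%s\n' "$SAMPLE_OVERRIDES" | audit_overrides
```

On a real system, pipe the output of flatpak override -u --show com.vscodium.codium into audit_overrides; any EXTRA line is a grant this guide did not ask for.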

Open VSCodium

Now that VSCodium has the necessary permissions to function, we can finally run it.

Command-line instructions

Open the terminal.

VSCodium can be run using the following command:

flatpak run com.vscodium.codium

User-interface instructions

  1. Press the Super key to view the dock.

  2. Click on the Show Apps button (nine dots) on the bottom right to show a list of installed apps.

  3. Click on the VSCodium icon to open it.

Install the rust-analyzer extension

Upon first launching VSCodium, you will be presented with a README.md file.

This file has information about using VSCodium as a Flatpak. Since we have already granted it the necessary permissions, this file can be ignored.

We now need to install the rust-analyzer extension. This extension will give us a comfortable Rust development environment in VSCodium.

Keyboard instructions

Launch the VSCodium Quick Open by using Ctrl+P.

Enter the following command:

ext install rust-lang.rust-analyzer

Press enter to install the rust-analyzer extension.

You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can press enter to select the Trust Publisher & Install button on the bottom right.

You may be prompted to trust the authors of the files in this workspace. After reviewing the prompt, you can select the Install button. The rust-analyzer extension will be downloaded and installed for the current profile.

Mouse instructions

  1. Click on the Extensions menu on the left. (This can also be opened by using Ctrl+Shift+X)

  2. Enter rust-analyzer into the search bar. This will search for the extension we need.

  3. Click on the extension labeled rust-analyzer.

  4. Click the Install button for the rust-analyzer extension.

  5. You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can click on the Trust Publisher & Install button on the bottom right.

  6. You may be prompted to trust the authors of the files in this workspace. After reviewing the prompt, you can click the Install button. The rust-analyzer extension will be downloaded and installed for the current profile.

The rust-analyzer extension is now installed.

Create a new project

Now that we have the rust-analyzer extension installed, we can create a new Rust project.

The keyboard instructions are broken due to the Ctrl+K keybind being non-functional, and the Ctrl+O keybind being bound to the wrong option. Because of that, only mouse instructions are available for this step.

  1. Click on the File dropdown on the top left.

  2. Click on the option labeled Open Folder...

You will get a dialogue saying the following:

Oops! Something went wrong.
Unable to find "/app/share/ide-flatpak-wrapper". Please check the spelling and try again.

This can be ignored. It is appearing because we never granted VSCodium access to a specific folder, and it has no effect.

  3. Click on OK to dismiss it.

  4. Double click on the VSCodium folder to enter it.

  5. Right click, and click on the option labeled New Folder... (This can also be done using Shift+Ctrl+N). Alternatively, select the folder with a plus icon on the top right.

  6. Enter the name of your project in the text field labeled Folder Name. For this example, I will create a folder named example.

  7. Click Create to create the folder.

  8. Click Open in the bottom left to open the folder.

  9. You will be prompted to trust the authors of the files in this folder. After reviewing the prompt, you can select the Yes, I trust the authors button.

  10. Press Ctrl+` to open the terminal.

  11. The project can be initialized using the following command:
cargo init

You have now created a Rust project, and you can get started coding in Rust.

Optional: Support for debugging

Right now, there are no debugging extensions installed. The two recommended debugging extensions are CodeLLDB and Native Debug. I prefer CodeLLDB because, as of writing this, Native Debug has not had a release in over a year, although it is still in active development.

Keyboard instructions

Open VSCodium.

Launch the VSCodium Quick Open by using Ctrl+P.

Enter the following command:

ext install vadimcn.vscode-lldb

Press enter to install the CodeLLDB extension.

You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can press enter to select the Trust Publisher & Install button on the bottom right. The CodeLLDB extension will be downloaded and installed for the current profile.

You will see a prompt on the bottom right saying the following:

Completed installing extension. Please restart extensions to enable it.

Select Restart Extensions to restart the extensions.

Mouse instructions

  1. Click on the Extensions menu on the left. (This can also be opened by using Ctrl+Shift+X)

  2. Enter CodeLLDB into the search bar. This will search for the extension we need.

  3. Click on the extension labeled CodeLLDB.

  4. Click the Install button for the CodeLLDB extension.

  5. You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can click on the Trust Publisher & Install button on the bottom right. The CodeLLDB extension will be downloaded and installed for the current profile.

You will see a prompt on the bottom right saying the following:

Completed installing extension. Please restart extensions to enable it.

Select Restart Extensions to restart the extensions.

The CodeLLDB extension is now installed.

Grant VSCodium ptrace access

If you try to debug a program using a debugger extension, you will receive the following error:

VSCodium
Cannot launch '/var/home/anonymous/VSCodium/example/target/debug/example': ptrace failed: Operation not permitted

This happens because VSCodium does not have permission to access development syscalls.

Command-line instructions

Open the terminal.

VSCodium can be granted the Development syscalls permission using the following command:

flatpak override -u --allow=devel com.vscodium.codium

You may close the terminal now.

User-interface instructions

  1. Open Flatseal.

  2. Type VSCodium. This should begin typing in a search bar on the left, and VSCodium should show up as a search result.

  3. Select VSCodium.

  4. To grant VSCodium the Development syscalls permission, scroll down to the section labeled Allow.

  5. Enable the switch next to the Development syscalls (e.g. ptrace) permission. It should turn blue, indicating that the permission has been granted.

You may close Flatseal now.

Enable anti-cheat support

Even though VSCodium now has the Flatpak permission for ptrace, the system itself still does not permit it. secureblue restricts ptrace by default as a security hardening measure, and provides a toggle to enable support for anti-cheat, which will allow VSCodium to use ptrace.

Open the terminal.

Anti-cheat support can be enabled using one of the following commands:

ujust toggle-anticheat-support

or

ujust toggle-ptrace-scope

You will be prompted for your administrator passphrase. After reviewing the prompt, enter your passphrase and click Authenticate. This will enable anti-cheat support.

You will need to restart your device to complete the changes.

Command-line instructions

Open the terminal.

The device can be restarted using the following command:

reboot

User-interface instructions

  1. Click on the status bar on the top right.

  2. Click on the power button.

  3. Click on the option labeled Restart....

  4. You will get a prompt saying the following:

Restart
The system will restart automatically in 60 seconds

  5. Click on the button labeled Restart to restart the system now.

Anti-cheat support is now enabled, and debugging extensions will work.
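
Debugging passes through two separate layers here: the Flatpak sandbox (the Development syscalls permission) and the kernel's Yama ptrace_scope setting, which, going by its name, ujust toggle-ptrace-scope changes. The added example below, which is not part of the original guide, reports which layer is blocking; the function names are made up, the inputs at the end are constructed, and the meaning of each ptrace_scope value follows the Linux kernel's Yama documentation.

```shell
#!/bin/sh
# Added example (not from the original guide): name the layer that stops a
# debugger inside the VSCodium Flatpak from launching a program under ptrace.
APP=com.vscodium.codium

# has_devel: reads override key-file text on stdin; succeeds if the
# "devel" feature is granted (a "!devel" entry does not count).
has_devel() {
    grep -Eq '^features=(.*;)?devel(;|$)'
}

# debug_blockers DEVEL SCOPE
#   DEVEL: yes|no, whether the Flatpak override grants devel
#   SCOPE: value of /proc/sys/kernel/yama/ptrace_scope (0-3)
# Prints one line per blocking layer for an unprivileged debugger that
# launches its target as a child; prints nothing if both layers allow it.
debug_blockers() {
    [ "$1" = yes ] || echo "flatpak: grant --allow=devel to the app"
    case "$2" in
        0|1) ;;   # a process may trace its own children
        2) echo "kernel: ptrace_scope=2 requires CAP_SYS_PTRACE" ;;
        3) echo "kernel: ptrace_scope=3 disables ptrace entirely" ;;
        *) echo "kernel: unknown ptrace_scope '$2'" ;;
    esac
}

# Gathers both inputs from the running system.
check_now() {
    if flatpak override -u --show "$APP" | has_devel
    then devel=yes; else devel=no; fi
    # A missing file means Yama is not active, so classic rules (0) apply.
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null) || scope=0
    debug_blockers "$devel" "$scope"
}

# Constructed inputs: no devel permission and the strictest kernel setting.
debug_blockers no 3
```

Run check_now before and after the reboot to see each layer clear. In the kernel's documentation, a ptrace_scope of 3 cannot be changed again on a running system.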

    • The 8232 Project@lemmy.ml (OP), 1 day ago

      This guide is actually only 3 steps:

      1. Install VSCodium
      2. Install the Rust SDK
      3. Enable permissions

      The rest is just extras, like installing rust-analyzer, which you would need to do on any distribution. The reason it’s so long is because I wanted to make it painstakingly simple for anyone to be able to do it, regardless of using the command-line, user-interface, mouse, or keyboard. Depending on how hardened you’ve made your secureblue system, you really could just install everything with one command:

      flatpak install -y com.vscodium.codium org.freedesktop.Sdk.Extension.rust-stable/x86_64/24.08 && flatpak override -u --env=FLATPAK_ENABLE_SDK_EXT=rust-stable com.vscodium.codium
      

      secureblue isn’t designed to be fast, easy, or simple. It’s designed to be secure.

      Hope this helps!