NOTE
For some reason, Lemmy isn’t allowing me to upload more than 11 images. I will try to add the missing images after posting. It will take a while.
Edit: It isn’t allowing me to add more images. If anyone is interested, I will upload the images elsewhere.
Introduction
Setting up a secure coding environment for the Rust programming language on secureblue isn’t hard to do, but it’s difficult to figure out on your own. That is why I am making a guide explaining how to do it yourself.
For this tutorial, I will be using the silverblue-main-hardened:latest image of secureblue. For this tutorial, I am also assuming you have enabled Flatpak permission lockdown by running ujust flatpak-permissions-lockdown.
Install a code editor
You can install whichever code editor you want, but for this tutorial I will be using VSCodium, which is an open source binary of Microsoft’s Visual Studio Code without telemetry.
Command-line instructions
Open the terminal.

VSCodium can be installed using the following command:
flatpak install com.vscodium.codium

You will be prompted to proceed with changes to the user installation. After reviewing the changes, you can press enter. VSCodium will be downloaded and installed for the current user.

You may close the terminal now.
User-interface instructions
- Open GNOME Software.

- Type VSCodium. This should begin typing in a search bar, and VSCodium should show up as a search result.

- Select VSCodium (the blue one). VSCodium - Insiders (the orange one) is the nightly release of VSCodium, and is not recommended for daily use.

- Click the blue Install button on the top right. VSCodium will be downloaded and installed for the current user.

You may close GNOME Software now.
Install the Rust SDK
Rust provides multiple ways of installing. On secureblue, things are more locked down, especially with VSCodium being installed as a Flatpak. Rather than layering Rust as a system package and giving VSCodium invasive permissions to make it work, there is a much more elegant way to install Rust that isn’t mentioned in their install instructions.
Flathub provides an SDK Extension for Rust that can be used for Flatpak code editors, such as VSCodium. This can only be installed from the command line. Trying to install it from GNOME Software will install an outdated version of the Rust SDK.
Open the terminal.

First, we need to find the branch of org.freedesktop.Sdk. This will allow us to install the correct version of the Rust SDK.
The branch of org.freedesktop.Sdk can be found using the following command:
flatpak info org.freedesktop.Sdk

Make a note of the version number next to the Branch: section. In my case, it is 24.08.
The Rust SDK can be installed using the following command:
flatpak install org.freedesktop.Sdk.Extension.rust-stable

You will be prompted to select which ref you would like to install. Find the version that matches the branch of org.freedesktop.Sdk. Type the number corresponding with the version (in my case, 5), and press enter.

You will be prompted to proceed with changes to the user installation. After reviewing the changes, you can press enter. The Rust SDK will be downloaded and installed for the current user.

You may close the terminal now.
Grant Flatpak permissions
Assuming you enabled Flatpak permission lockdown, VSCodium won’t have permission to access everything it needs to work properly. We need to grant these permissions manually.
We will need to create a directory to act as your project directory. VSCodium will have access to every file in this directory, so it is best to only use it for VSCodium. I am deciding to create a folder in my home directory named VSCodium to store all of my VSCodium projects.
VSCodium will need the following permissions to work:
- The Network permission, in order to efficiently install extensions and update them automatically.
- Access to a dedicated project directory, in order to create workspaces.
- Permission to access the Rust SDK, in order to support the Rust language.
- Optional access to Development syscalls, in order to use debugging extensions.
Command-line instructions
Open the terminal.

VSCodium can be granted the Network permission using the following command:
flatpak override -u --share=network com.vscodium.codium
The -u flag is an alias for --user, which will change the permission only for the current user.
A project directory can be created using the following command:
mkdir VSCodium
VSCodium can be granted access to the project directory using the following command:
flatpak override -u --filesystem=~/VSCodium com.vscodium.codium
VSCodium can be granted access to the Rust SDK using the following command:
flatpak override -u --env=FLATPAK_ENABLE_SDK_EXT=rust-stable com.vscodium.codium
You may close the terminal now.
User-interface instructions
- Open Flatseal. This should be installed by default, but if you decided not to install it during the post-install of secureblue, it can be installed from GNOME Software.
- Type VSCodium. This should begin typing in a search bar on the left, and VSCodium should show up as a search result.
- Select VSCodium.
- To grant VSCodium the Network permission, enable the switch next to the Network permission. It should turn blue, indicating that the permission has been granted.
- Open Files.
- Right click, and click on the option labeled New Folder... (This can also be done using Shift+Ctrl+N)
- Enter VSCodium in the text field labeled Folder Name.
- Click Create to create the folder. This will create a project directory for VSCodium to use.
- In Flatseal, scroll down to the Filesystem section.
- Click on the folder with a plus icon under the Other files section. An empty text field should appear.
- Click on the empty text field.
- Enter the following into the text field:
~/VSCodium
- To grant VSCodium access to the Rust SDK, scroll down to the Environment section.
- Click the plus icon on the top right. An empty text field should appear.
- Click on the empty text field.
- Enter the following into the text field:
FLATPAK_ENABLE_SDK_EXT=rust-stable
You may close Flatseal now.
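Added example (not part of the original guide): a small shell check that reads a Flatpak override keyfile and reports any grant beyond the ones made in this section. The function name, the allow-list variable and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Flatpak overrides that go beyond what this guide grants.
# Allow-list taken from the commands above; features=devel is the optional debugging grant.
EXPECTED='shared=network filesystems=~/VSCodium features=devel env:FLATPAK_ENABLE_SDK_EXT=rust-stable'

# Reads an override keyfile on stdin and prints one "unexpected: ..." line
# per grant that is not in EXPECTED. No output means nothing extra is granted.
audit_overrides() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^\[.*\]$/ { group = $0; next }          # remember the current keyfile group
    /^[ \t]*$/ || /^#/ { next }              # skip blank lines and comments
    {
        eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (group == "[Environment]") {
            item = "env:" key "=" val
            if (!(item in ok)) print "unexpected: " item
        } else if (group == "[Context]") {
            m = split(val, parts, ";")       # values are ;-separated lists
            for (j = 1; j <= m; j++) {
                # skip empty fields and "!name" entries, which revoke rather than grant
                if (parts[j] == "" || substr(parts[j], 1, 1) == "!") continue
                item = key "=" parts[j]
                if (!(item in ok)) print "unexpected: " item
            }
        } else print "unexpected: " group " " $0   # e.g. D-Bus policy groups
    }'
}

# Constructed sample: the overrides this guide produces.
sample_guide() {
    printf '%s\n' '[Context]' 'shared=network;' 'filesystems=~/VSCodium;' \
        'features=devel;' '' '[Environment]' 'FLATPAK_ENABLE_SDK_EXT=rust-stable'
}

# Constructed sample: the same file with two broader grants added.
sample_broad() {
    printf '%s\n' '[Context]' 'shared=network;' 'sockets=session-bus;' \
        'filesystems=~/VSCodium;home;' '' '[Environment]' \
        'FLATPAK_ENABLE_SDK_EXT=rust-stable'
}

sample_broad | audit_overrides
```

On a real system, pipe the current user overrides into the function with flatpak override -u --show com.vscodium.codium | audit_overrides.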
Open VSCodium
Now that VSCodium has the necessary permissions to function, we can finally run it.
Command-line instructions
Open the terminal.

VSCodium can be run using the following command:
flatpak run com.vscodium.codium
User-interface instructions
- Press the Super key to view the dock.
- Click on the Show Apps button (nine dots) on the bottom right to show a list of installed apps.
- Click on the VSCodium icon to open it.
Install the rust-analyzer extension
Upon first launching VSCodium, you will be presented with a README.md file.
This file has information about using VSCodium as a Flatpak. Since we have already granted it the necessary permissions, this file can be ignored.
We now need to install the rust-analyzer extension. This extension will give us a comfortable Rust development environment in VSCodium.
Keyboard instructions
Launch the VSCodium Quick Open by using Ctrl+P.
Enter the following command:
ext install rust-lang.rust-analyzer
Press enter to install the rust-analyzer extension.
You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can press enter to select the Trust Publisher & Install button on the bottom right.
You may be prompted to trust the authors of the files in this workspace. After reviewing the prompt, you can select the Install button. The rust-analyzer extension will be downloaded and installed for the current profile.
Mouse instructions
- Click on the Extensions menu on the left. (This can also be opened by using Ctrl+Shift+X)
- Enter rust-analyzer into the search bar. This will search for the extension we need.
- Click on the extension labeled rust-analyzer.
- Click the Install button for the rust-analyzer extension.
- You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can click on the Trust Publisher & Install button on the bottom right.
- You may be prompted to trust the authors of the files in this workspace. After reviewing the prompt, you can click the Install button. The rust-analyzer extension will be downloaded and installed for the current profile.
The rust-analyzer extension is now installed.
Create a new project
Now that we have the rust-analyzer extension installed, we can create a new Rust project.
The keyboard instructions are broken because the Ctrl+K keybind is non-functional and the Ctrl+O keybind is bound to the wrong option. Because of that, only mouse instructions are available for this step.
- Click on the File dropdown on the top left.
- Click on the option labeled Open Folder...
You will get a dialogue saying the following:
Oops! Something went wrong.
Unable to find "/app/share/ide-flatpak-wrapper". Please check the spelling and try again.
This can be ignored. It is appearing because we never granted VSCodium access to a specific folder, and it has no effect.
- Click on OK to dismiss it.
- Double click on the VSCodium folder to enter it.
- Right click, and click on the option labeled New Folder... (This can also be done using Shift+Ctrl+N). Alternatively, select the folder with a plus icon on the top right.
- Enter the name of your project in the text field labeled Folder Name. For this example, I will create a folder named example.
- Click Create to create the folder.
- Click Open in the bottom left to open the folder.
- You will be prompted to trust the authors of the files in this folder. After reviewing the prompt, you can select the Yes, I trust the authors button.
- Press Ctrl+` to open the terminal.
- The project can be initialized using the following command:
cargo init
You have now created a Rust project, and you can get started coding in Rust.
Optional: Support for debugging
Right now, there are no debugging extensions installed. The two recommended debugging extensions are CodeLLDB and Native Debug. I prefer CodeLLDB because, as of writing this, Native Debug has not been updated in over a year. It is still in active development, but there has not been a release in over a year.
Keyboard instructions
Open VSCodium.
Launch the VSCodium Quick Open by using Ctrl+P.
Enter the following command:
ext install vadimcn.vscode-lldb
Press enter to install the CodeLLDB extension.
You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can press enter to select the Trust Publisher & Install button on the bottom right. The CodeLLDB extension will be downloaded and installed for the current profile.
You will see a prompt on the bottom right saying the following:
Completed installing extension. Please restart extensions to enable it.
Select Restart Extensions to restart the extensions.
Mouse instructions
- Click on the Extensions menu on the left. (This can also be opened by using Ctrl+Shift+X)
- Enter CodeLLDB into the search bar. This will search for the extension we need.
- Click on the extension labeled CodeLLDB.
- Click the Install button for the CodeLLDB extension.
- You will be prompted to trust the publisher and install the extension. After reviewing the prompt, you can click on the Trust Publisher & Install button on the bottom right. The CodeLLDB extension will be downloaded and installed for the current profile.
You will see a prompt on the bottom right saying the following:
Completed installing extension. Please restart extensions to enable it.
Select Restart Extensions to restart the extensions.
The CodeLLDB extension is now installed.
Grant VSCodium ptrace access
If you try to debug a program using a debugger extension, you will receive the following error:
VSCodium
Cannot launch '/var/home/anonymous/VSCodium/example/target/debug/example': ptrace failed: Operation not permitted
This is because VSCodium does not have permission to access development syscalls.
Command-line instructions
Open the terminal.

VSCodium can be granted the Development syscalls permission using the following command:
flatpak override -u --allow=devel com.vscodium.codium
You may close the terminal now.
User-interface instructions
- Open Flatseal.
- Type VSCodium. This should begin typing in a search bar on the left, and VSCodium should show up as a search result.
- Select VSCodium.
- To grant VSCodium the Development syscalls permission, scroll down to the section labeled Allow.
- Enable the switch next to the Development syscalls (e.g. ptrace) permission. It should turn blue, indicating that the permission has been granted.
You may close Flatseal now.
Enable anti-cheat support
Even though VSCodium has access to ptrace, the system still does not permit it. This is to defend against basic security concerns. secureblue provides a toggle to enable support for anti-cheat, which will allow VSCodium to access ptrace.
Open the terminal.

Anti-cheat support can be enabled using one of the following commands:
ujust toggle-anticheat-support
or
ujust toggle-ptrace-scope
You will be prompted for your administrator passphrase. After reviewing the prompt, enter your passphrase and click Authenticate. This will enable anti-cheat support.
You will need to restart your device to complete the changes.
Command-line instructions
Open the terminal.

The device can be restarted using the following command:
reboot
User-interface instructions
- Click on the status bar on the top right.
- Click on the power button.
- Click on the option labeled Restart....
- You will get a prompt saying the following:
Restart
The system will restart automatically in 60 seconds
- Click on the button labeled Restart to restart the system now.
Anti-cheat support is now enabled, and debugging extensions will work.


secureblue has native support for containers, although it uses the more modern Distrobox rather than Toolbx. I tried installing VSCodium in this way, but I couldn’t get it to start due to some windowing system issue. Even if I could, it comes at the cost of security. Firstly, user namespaces need to be enabled. Secondly, the app would have less granular permission control (e.g. full access to the home directory). For those reasons, it’s better to avoid using containers unless explicitly required. This method works fine, so there’s no need.