fix: setuid helper permission (#126798)

* ci: fix setuid helper binary permission

* ci: allow privilege for CLONE_NEWPID | CLONE_NEWNET

* ci: fix chrome-sandbox permission with rpm

* ci: fix permissions on snap

* ci: download electron earlier for arm builds

build/azure-pipelines/linux/product-build-linux.yml

@@ -129,7 +129,18 @@ steps:
       VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
         yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install"
     displayName: Download Electron and Playwright
-    condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
+
+  - script: |
+      set -e
+      APP_ROOT=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
+      ELECTRON_ROOT=.build/electron
+      sudo chown root $APP_ROOT/chrome-sandbox
+      sudo chown root $ELECTRON_ROOT/chrome-sandbox
+      sudo chmod 4755 $APP_ROOT/chrome-sandbox
+      sudo chmod 4755 $ELECTRON_ROOT/chrome-sandbox
+      stat $APP_ROOT/chrome-sandbox
+      stat $ELECTRON_ROOT/chrome-sandbox
+    displayName: Change setuid helper binary permission
 
   - script: |
       set -e
@@ -183,7 +194,7 @@ steps:
   - script: |
       set -e
       APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
-      yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+      yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
     timeoutInMinutes: 5
     displayName: Run smoke tests (Electron)
     condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
@@ -192,7 +203,7 @@ steps:
       set -e
       APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
       VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-linux-$(VSCODE_ARCH)" \
-      yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+      yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
     timeoutInMinutes: 5
     displayName: Run smoke tests (Remote)
     condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
@@ -200,7 +211,7 @@ steps:
   - script: |
       set -e
       VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-linux-$(VSCODE_ARCH)" \
-      yarn smoketest-no-compile --web --headless --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+      yarn smoketest-no-compile --web --headless --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
     timeoutInMinutes: 5
     displayName: Run smoke tests (Browser)
     condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))

build/azure-pipelines/product-build.yml

@@ -126,13 +126,15 @@ resources:
     - container: vscode-x64
       image: vscodehub.azurecr.io/vscode-linux-build-agent:bionic-x64
       endpoint: VSCodeHub
-      options: --user 0:0
+      options: --user 0:0 --cap-add SYS_ADMIN
     - container: vscode-arm64
       image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-arm64
       endpoint: VSCodeHub
+      options: --user 0:0 --cap-add SYS_ADMIN
     - container: vscode-armhf
       image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-armhf
       endpoint: VSCodeHub
+      options: --user 0:0 --cap-add SYS_ADMIN
     - container: snapcraft
       image: snapcore/snapcraft:stable
 

build/lib/compilation.js

@@ -37,9 +37,9 @@ function createCompile(src, build, emitError) {
     const sourcemaps = require('gulp-sourcemaps');
     const projectPath = path.join(__dirname, '../../', src, 'tsconfig.json');
     const overrideOptions = Object.assign(Object.assign({}, getTypeScriptCompilerOptions(src)), { inlineSources: Boolean(build) });
-	if (!build) {
-		overrideOptions.inlineSourceMap = true;
-	}
+    if (!build) {
+        overrideOptions.inlineSourceMap = true;
+    }
     const compilation = tsb.create(projectPath, overrideOptions, false, err => reporter(err));
     function pipeline(token) {
         const bom = require('gulp-bom');

resources/linux/rpm/code.spec.template

@@ -65,6 +65,7 @@ update-mime-database /usr/share/mime &> /dev/null || :
 
 %files
 %defattr(-,root,root)
+%attr(4755, root, root) /usr/share/@@NAME@@/chrome-sandbox
 
 /usr/share/@@NAME@@/
 /usr/share/applications/@@NAME@@.desktop

resources/linux/snap/snapcraft.yaml

@@ -27,6 +27,9 @@ parts:
       - gnome
     plugin: dump
     source: .
+    override-build: |
+      snapcraftctl build
+      chmod 4755 $SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox
     stage-packages:
       - ibus-gtk3
       - fcitx-frontend-gtk3

scripts/test-integration.sh

@@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
 	ROOT=$(dirname $(dirname $(realpath "$0")))
 else
 	ROOT=$(dirname $(dirname $(readlink -f $0)))
-	# --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
 	# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
 	# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
-	LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+	LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
 fi
 
 VSCODEUSERDATADIR=`mktemp -d 2>/dev/null`

scripts/test.sh

@@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
 	ROOT=$(dirname $(dirname $(realpath "$0")))
 else
 	ROOT=$(dirname $(dirname $(readlink -f $0)))
-	# --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
 	# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
 	# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
-	LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+	LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
 fi
 
 cd $ROOT

test/integration/browser/src/index.ts

@@ -33,8 +33,7 @@ const height = 800;
 type BrowserType = 'chromium' | 'firefox' | 'webkit';
 
 async function runTestsInBrowser(browserType: BrowserType, endpoint: url.UrlWithStringQuery, server: cp.ChildProcess): Promise<void> {
-	const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
-	const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug), args });
+	const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug) });
 	const context = await browser.newContext();
 	const page = await context.newPage();
 	await page.setViewportSize({ width, height });

test/unit/browser/index.js

@@ -146,8 +146,7 @@ function consoleLogFn(msg) {
 }
 
 async function runTestsInBrowser(testModules, browserType) {
-	const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
-	const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug), args });
+	const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug) });
 	const context = await browser.newContext();
 	const page = await context.newPage();
 	const target = url.pathToFileURL(path.join(__dirname, 'renderer.html'));