From a7caa11a51e9c250176b9a3c591eec2ed5673c77 Mon Sep 17 00:00:00 2001 From: Nick Trogh <1908215+ntrogh@users.noreply.github.com> Date: Thu, 16 Jan 2025 12:03:42 +0100 Subject: [PATCH] Include instructions for Linux sandboxing (https://github.com/microsoft/vscode/issues/237948) --- docs/editor/portable.md | 26 +++++++++++++++++++++----- release-notes/v1_59.md | 4 ++-- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/docs/editor/portable.md b/docs/editor/portable.md index dfd61453af..4f98fd1540 100644 --- a/docs/editor/portable.md +++ b/docs/editor/portable.md @@ -5,9 +5,9 @@ TOCTitle: Portable Mode ContentId: A5C839C4-67E9-449C-94B8-4B310FCAAB1B PageTitle: Portable Mode in Visual Studio Code DateApproved: 12/11/2024 -MetaDescription: Visual Studio Code supports a Portable Mode. +MetaDescription: Visual Studio Code supports a Portable mode that enables moving your installation and related data to a different location. --- -# Portable Mode +# Portable mode Visual Studio Code supports [Portable mode](https://en.wikipedia.org/wiki/Portable_application). This mode enables all data created and maintained by VS Code to live near itself, so it can be moved around across environments. 
@@ -15,7 +15,8 @@ This mode also provides a way to set the installation folder location for VS Cod Portable mode is supported on the ZIP download for Windows, and the TAR.GZ download for Linux, as well as the regular Application download for macOS. See the [Download page](/download) to find the correct `.zip / .tar.gz` file for your platform. -> **Note:** Do not attempt to configure portable mode on an installation from the **Windows User or System installers**. Portable mode is only supported on the Windows ZIP (`.zip`) archive. Note as well that the Windows ZIP archive does not support auto update. +> [!IMPORTANT] +> Do not attempt to configure portable mode on an installation from the **Windows User or System installers**. Portable mode is only supported on the Windows ZIP (`.zip`) archive. Note also that the Windows ZIP archive does not support auto update. ## Enable Portable mode 
@@ -35,10 +36,24 @@ After unzipping the VS Code download, create a `data` folder within VS Code's fo From then on, the `data` folder will be used to contain all VS Code data, including session state, preferences, extensions, etc. ->**Note**: The `data` folder will override the `--user-data-dir` and `--extensions-dir` [command line](/docs/editor/command-line.md#advanced-cli-options) options. +> [!NOTE] +> The `data` folder will override the `--user-data-dir` and `--extensions-dir` [command line](/docs/editor/command-line.md#advanced-cli-options) options. The `data` folder can be moved to other VS Code installations. This is useful for updating your portable VS Code version, in which case you can move the `data` folder to a newer extracted version of VS Code. +### Linux + +On **Linux**, in addition to creating the `data` folder, you also need to set the correct [Electron sandbox](https://www.electronjs.org/docs/tutorial/sandbox) permissions. + +Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [`setuid` sandbox](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md) via the helper binary `chrome-sandbox` that is shipped alongside the application binary. + +Run the following commands to set the correct permissions of the `setuid` helper: + +```bash +sudo chown root /chrome-sandbox +sudo chmod 4755 /chrome-sandbox +``` + ### macOS On **macOS**, you need to place the data folder as a sibling of the application itself. Since the folder will be alongside the application, you need to name it specifically so that VS Code can find it. The default folder name is `code-portable-data`: 
@@ -54,7 +69,8 @@ Portable Mode won't work if your application is in [quarantine](https://apple.st xattr -dr com.apple.quarantine Visual\ Studio\ Code.app ``` -**Note:** On Insiders, the folder should be named `code-insiders-portable-data`. +> [!NOTE] +> On Insiders, the folder should be named `code-insiders-portable-data`. ## Update Portable VS Code diff --git a/release-notes/v1_59.md b/release-notes/v1_59.md index 5f7398db9e..e71c486180 100644 --- a/release-notes/v1_59.md +++ b/release-notes/v1_59.md 
@@ -477,7 +477,7 @@ In this milestone, we finished the exploration to bundle Electron 13 into VS Cod ### Progress for Electron sandbox support -As we continue to make the VS Code workbench ready for enabling Electron's [sandbox](https://www.electronjs.org/docs/tutorial/sandbox), we wanted to enable mixed sandbox mode on Linux and no longer bundle with the CLI argument `--no-sandbox` in our distributed packages deb, rpm, snap and tar archive. Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [setuid sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/suid_sandbox.md) via the helper binary `chrome-sandbox` shipped alongside the application binary. For the setuid binary to work, it needs to meet the following conditions: +As we continue to make the VS Code workbench ready for enabling Electron's [sandbox](https://www.electronjs.org/docs/tutorial/sandbox), we wanted to enable mixed sandbox mode on Linux and no longer bundle with the CLI argument `--no-sandbox` in our distributed packages deb, rpm, snap and tar archive. Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [`setuid` sandbox](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md) via the helper binary `chrome-sandbox` that is shipped alongside the application binary. For the `setuid` binary to work, it needs to meet the following conditions: * The sandbox binary must be executable by the Chromium process. * It must be SUID and executable by others. 
@@ -492,7 +492,7 @@ FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but If that happens, you can use either of the following two options to get it working: -* Fix the permissions of setuid helper +* Fix the permissions of `setuid` helper ```bash sudo chown root /chrome-sandbox
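Review bot: In the front-matter hunk of docs/editor/portable.md, the new `MetaDescription` writes "a Portable mode" with a capital P mid-sentence, while the same hunk lowers the heading to `# Portable mode` and leaves `TOCTitle: Portable Mode` and `PageTitle: Portable Mode in Visual Studio Code` untouched. Settle on one casing across the front matter and heading, for example "supports a portable mode that enables moving your installation and related data to a different location". The unchanged sentence "Portable Mode won't work if your application is in quarantine", visible in a later hunk header, still uses the old casing and would need the same pass.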
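Review bot: In the new `### Linux` section of docs/editor/portable.md, both commands operate on `/chrome-sandbox`, a path at the filesystem root, not the `chrome-sandbox` helper that the paragraph above says is shipped alongside the application binary. Put an explicit placeholder for the extracted VS Code folder in front of `chrome-sandbox` and name that placeholder in the sentence introducing the block, so readers do not run `sudo chown root` and `sudo chmod 4755` against the wrong path. The section also words the step as always required ("you also need to set the correct Electron sandbox permissions"), while the next paragraph describes the `setuid` sandbox as what Chromium tries only if it cannot use the namespace sandbox; state when the step is actually needed. Because the unchanged text just above recommends moving the `data` folder to a newer extracted version of VS Code, say whether the two commands have to be repeated for that new copy.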
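Review bot: In the release-notes/v1_59.md hunk at line 477, both Chromium links change from `+/HEAD/docs/linux/sandboxing.md` and `+/HEAD/docs/linux/suid_sandbox.md` to the pinned revision `+/0e94f26e8/docs/linux_sandboxing.md` and `+/0e94f26e8/docs/linux_suid_sandbox.md`, and the commit message, which only mentions Linux sandboxing instructions, gives no reason. Record why the links are pinned to `0e94f26e8`, since a fixed revision will not reflect later changes to Chromium's sandbox documentation. The same two pinned URLs are added to docs/editor/portable.md in this patch, so a future link fix has to touch both files.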
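Review bot: In the release-notes/v1_59.md hunk at line 492, the changed bullet reads "Fix the permissions of `setuid` helper" and is missing the article that the new text in docs/editor/portable.md uses ("set the correct permissions of the `setuid` helper"). Change it to "Fix the permissions of the `setuid` helper" so the two pages match.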