diff --git a/build/azure-pipelines/linux/product-build-linux.yml b/build/azure-pipelines/linux/product-build-linux.yml index 5480896cbad00..408ffa3237a4c 100644 --- a/build/azure-pipelines/linux/product-build-linux.yml +++ b/build/azure-pipelines/linux/product-build-linux.yml @@ -129,7 +129,18 @@ steps: VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \ yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install" displayName: Download Electron and Playwright - condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false')) + + - script: | + set -e + APP_ROOT=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH) + ELECTRON_ROOT=.build/electron + sudo chown root $APP_ROOT/chrome-sandbox + sudo chown root $ELECTRON_ROOT/chrome-sandbox + sudo chmod 4755 $APP_ROOT/chrome-sandbox + sudo chmod 4755 $ELECTRON_ROOT/chrome-sandbox + stat $APP_ROOT/chrome-sandbox + stat $ELECTRON_ROOT/chrome-sandbox + displayName: Change setuid helper binary permission - script: | set -e @@ -183,7 +194,7 @@ steps: - script: | set -e APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH) - yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader" + yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader" timeoutInMinutes: 5 displayName: Run smoke tests (Electron) condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false')) 
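Review bot: The new "Change setuid helper binary permission" step gives root ownership and the setuid bit to two paths without checking what is at them, and `$APP_ROOT` and `$ELECTRON_ROOT` are expanded unquoted. `chown` and `chmod` follow symlinks, so a guard such as `test -f "$APP_ROOT/chrome-sandbox" && test ! -L "$APP_ROOT/chrome-sandbox"` before each pair, with the paths quoted, keeps the step from elevating anything other than the helper binary. The step has no `condition:`, and the same hunk appears to drop the x64 condition from the download step, so it presumably runs for every `VSCODE_ARCH`; confirm both trees exist at this point for the arm builds. A comment such as `# Chromium's setuid sandbox helper must be owned by root with mode 4755` would record why the step exists.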
@@ -192,7 +203,7 @@ steps: set -e APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH) VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-linux-$(VSCODE_ARCH)" \ - yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader" + yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader" timeoutInMinutes: 5 displayName: Run smoke tests (Remote) condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false')) @@ -200,7 +211,7 @@ steps: - script: | set -e VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-linux-$(VSCODE_ARCH)" \ - yarn smoketest-no-compile --web --headless --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader" + yarn smoketest-no-compile --web --headless --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader" timeoutInMinutes: 5 displayName: Run smoke tests (Browser) condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false')) diff --git a/build/azure-pipelines/product-build.yml b/build/azure-pipelines/product-build.yml index 02ae2e0c0a400..4bd202846e24f 100644 --- a/build/azure-pipelines/product-build.yml +++ b/build/azure-pipelines/product-build.yml @@ -126,13 +126,15 @@ resources: - container: vscode-x64 image: vscodehub.azurecr.io/vscode-linux-build-agent:bionic-x64 endpoint: VSCodeHub - options: --user 0:0 + options: --user 0:0 --cap-add SYS_ADMIN - container: vscode-arm64 image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-arm64 endpoint: VSCodeHub + options: --user 0:0 --cap-add SYS_ADMIN - container: vscode-armhf image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-armhf endpoint: VSCodeHub + options: --user 0:0 --cap-add SYS_ADMIN - container: snapcraft image: snapcore/snapcraft:stable 
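Review bot: `--cap-add SYS_ADMIN` on all three build containers is a much wider grant than a sandbox change should need, and the arm64 and armhf containers also gain `--user 0:0`, which they did not have before. CAP_SYS_ADMIN covers mount, namespace and many other privileged operations, so a root process in these containers is far less contained than it was. If the capability is only there so Chromium can set up its sandbox (my inference, the hunk does not say), a seccomp profile that permits the needed calls, `--security-opt seccomp=<profile.json>`, is the narrower option. At minimum each `options:` line should carry a comment such as `# SYS_ADMIN: needed by the Chromium sandbox during tests` so the grant can be revisited later.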
diff --git a/build/lib/compilation.js b/build/lib/compilation.js index 71181f8aa07ad..cfde96d37b434 100644 --- a/build/lib/compilation.js +++ b/build/lib/compilation.js @@ -37,9 +37,9 @@ function createCompile(src, build, emitError) { const sourcemaps = require('gulp-sourcemaps'); const projectPath = path.join(__dirname, '../../', src, 'tsconfig.json'); const overrideOptions = Object.assign(Object.assign({}, getTypeScriptCompilerOptions(src)), { inlineSources: Boolean(build) }); - if (!build) { - overrideOptions.inlineSourceMap = true; - } + if (!build) { + overrideOptions.inlineSourceMap = true; + } const compilation = tsb.create(projectPath, overrideOptions, false, err => reporter(err)); function pipeline(token) { const bom = require('gulp-bom'); diff --git a/resources/linux/rpm/code.spec.template b/resources/linux/rpm/code.spec.template index 578339b87f9c1..79c8c43022f8a 100644 --- a/resources/linux/rpm/code.spec.template +++ b/resources/linux/rpm/code.spec.template @@ -65,6 +65,7 @@ update-mime-database /usr/share/mime &> /dev/null || : %files %defattr(-,root,root) +%attr(4755, root, root) /usr/share/@@NAME@@/chrome-sandbox /usr/share/@@NAME@@/ /usr/share/applications/@@NAME@@.desktop diff --git a/resources/linux/snap/snapcraft.yaml b/resources/linux/snap/snapcraft.yaml index c24d0af3ea762..b40b6a6ae7ae3 100644 --- a/resources/linux/snap/snapcraft.yaml +++ b/resources/linux/snap/snapcraft.yaml @@ -27,6 +27,9 @@ parts: - gnome plugin: dump source: . + override-build: | + snapcraftctl build + chmod 4755 $SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox stage-packages: - ibus-gtk3 - fcitx-frontend-gtk3 diff --git a/scripts/test-integration.sh b/scripts/test-integration.sh index ad22b6095396f..d529a5bc39401 100755 --- a/scripts/test-integration.sh +++ b/scripts/test-integration.sh 
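Review bot: `chrome-sandbox` is now matched twice in `%files`, once by the new `%attr(4755, root, root)` line and again by the `/usr/share/@@NAME@@/` directory entry right after it. rpmbuild usually warns about files listed twice, and which entry's attributes end up in the package should be confirmed rather than assumed. Inspecting the built package with `rpm -qlvp <package.rpm>` and looking for `-rwsr-xr-x root root` on that path would settle it. A comment above the line such as `# setuid-root helper required by the Chromium sandbox` would tell packagers why a setuid file ships.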
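Review bot: The `override-build` sets only the mode and never the owner, so whether the helper ends up setuid-root depends on who runs the build and how the snap is packed. `$SNAPCRAFT_PART_INSTALL` is also expanded unquoted. I would write `chmod 4755 "$SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox"`, then check on the built snap that the file is root-owned with the setuid bit set. It is also worth confirming that store review accepts a setuid file for this snap, which I cannot tell from the hunk.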
@@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then ROOT=$(dirname $(dirname $(realpath "$0"))) else ROOT=$(dirname $(dirname $(readlink -f $0))) - # --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this # --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm # partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory - LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader" + LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader" fi VSCODEUSERDATADIR=`mktemp -d 2>/dev/null` diff --git a/scripts/test.sh b/scripts/test.sh index 68f75db60d8e1..10ffb97c71f7e 100755 --- a/scripts/test.sh +++ b/scripts/test.sh @@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then ROOT=$(dirname $(dirname $(realpath "$0"))) else ROOT=$(dirname $(dirname $(readlink -f $0))) - # --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this # --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm # partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory - LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader" + LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader" fi cd $ROOT diff --git a/test/integration/browser/src/index.ts b/test/integration/browser/src/index.ts index 7d212fa2f7079..3a5fbe528b2b9 100644 --- a/test/integration/browser/src/index.ts +++ b/test/integration/browser/src/index.ts 
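Review bot: The comment that explained `--disable-setuid-sandbox` is removed along with the flag, and nothing replaces it to say what the script now expects of the machine it runs on. Where Chromium falls back to the setuid helper, `chrome-sandbox` has to be root-owned with mode 4755. In this diff only the CI pipeline step arranges that, so a local Linux or container run may fail at launch with no hint in the script. I would add a comment above the remaining one, for example `# setuid sandbox is enabled: .build/electron/chrome-sandbox must be owned by root with mode 4755 (CI sets this in product-build-linux.yml)`. The same applies to the identical edit in `scripts/test.sh`.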
@@ -33,8 +33,7 @@ const height = 800; type BrowserType = 'chromium' | 'firefox' | 'webkit'; async function runTestsInBrowser(browserType: BrowserType, endpoint: url.UrlWithStringQuery, server: cp.ChildProcess): Promise { - const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI - const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug), args }); + const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug) }); const context = await browser.newContext(); const page = await context.newPage(); await page.setViewportSize({ width, height }); diff --git a/test/unit/browser/index.js b/test/unit/browser/index.js index 92a9cc7264dd0..3bb6005e7a037 100644 --- a/test/unit/browser/index.js +++ b/test/unit/browser/index.js @@ -146,8 +146,7 @@ function consoleLogFn(msg) { } async function runTestsInBrowser(testModules, browserType) { - const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI - const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug), args }); + const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug) }); const context = await browser.newContext(); const page = await context.newPage(); const target = url.pathToFileURL(path.join(__dirname, 'renderer.html'));
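Review bot: Dropping `args` from `launch()` does not by itself put Chromium under a sandbox. Playwright's `chromiumSandbox` launch option defaults to false in the releases I know of, so unless that is overridden elsewhere the browser is presumably still started unsandboxed. If the commit means to run these tests sandboxed, state it explicitly for the Chromium case, e.g. `launch({ headless: !Boolean(optimist.argv.debug), chromiumSandbox: browserType === 'chromium' })`. Otherwise add a comment such as `// Playwright launches Chromium with its sandbox off unless chromiumSandbox is set`, so the change is not read as having enabled it. The same applies to `runTestsInBrowser` in `test/unit/browser/index.js`; both function bodies continue past their hunks.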