mirror of
https://github.com/Microsoft/vscode
synced 2024-10-05 19:02:54 +00:00
fix: setuid helper permission (#126798)
* ci: fix setuid helper binary permission
* ci: allow privilege for CLONE_NEWPID | CLONE_NEWNET
* ci: fix chrome-sandbox permission with rpm
* ci: fix permissions on snap
* ci: download electron earlier for arm builds
parent
70c2130eaf
commit
92999c339e
|
@ -129,7 +129,18 @@ steps:
|
|||
VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
|
||||
yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install"
|
||||
displayName: Download Electron and Playwright
|
||||
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
APP_ROOT=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
|
||||
ELECTRON_ROOT=.build/electron
|
||||
sudo chown root $APP_ROOT/chrome-sandbox
|
||||
sudo chown root $ELECTRON_ROOT/chrome-sandbox
|
||||
sudo chmod 4755 $APP_ROOT/chrome-sandbox
|
||||
sudo chmod 4755 $ELECTRON_ROOT/chrome-sandbox
|
||||
stat $APP_ROOT/chrome-sandbox
|
||||
stat $ELECTRON_ROOT/chrome-sandbox
|
||||
displayName: Change setuid helper binary permission
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
|
@ -183,7 +194,7 @@ steps:
|
|||
- script: |
|
||||
set -e
|
||||
APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
|
||||
yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
|
||||
yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
|
||||
timeoutInMinutes: 5
|
||||
displayName: Run smoke tests (Electron)
|
||||
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
|
||||
|
@ -192,7 +203,7 @@ steps:
|
|||
set -e
|
||||
APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
|
||||
VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-linux-$(VSCODE_ARCH)" \
|
||||
yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
|
||||
yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
|
||||
timeoutInMinutes: 5
|
||||
displayName: Run smoke tests (Remote)
|
||||
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
|
||||
|
@ -200,7 +211,7 @@ steps:
|
|||
- script: |
|
||||
set -e
|
||||
VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-linux-$(VSCODE_ARCH)" \
|
||||
yarn smoketest-no-compile --web --headless --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
|
||||
yarn smoketest-no-compile --web --headless --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
|
||||
timeoutInMinutes: 5
|
||||
displayName: Run smoke tests (Browser)
|
||||
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
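Review bot: The two `stat` calls at the end of the new "Change setuid helper binary permission" step only print the file metadata, so a `chrome-sandbox` that is not root-owned with mode 4755 would go unnoticed until the smoke tests fail for a less obvious reason. Consider asserting instead, e.g. `[ "$(stat -c '%U:%a' "$APP_ROOT/chrome-sandbox")" = "root:4755" ]` and the same for `$ELECTRON_ROOT`; under `set -e` that fails the step directly. The path expansions on the `chown` and `chmod` lines are also unquoted. The new step carries no `condition:` of its own while the smoke-test steps that depend on it are x64-only; whether it is meant to run for every architecture cannot be judged from these hunks.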
|
||||
|
|
|
@ -126,13 +126,15 @@ resources:
|
|||
- container: vscode-x64
|
||||
image: vscodehub.azurecr.io/vscode-linux-build-agent:bionic-x64
|
||||
endpoint: VSCodeHub
|
||||
options: --user 0:0
|
||||
options: --user 0:0 --cap-add SYS_ADMIN
|
||||
- container: vscode-arm64
|
||||
image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-arm64
|
||||
endpoint: VSCodeHub
|
||||
options: --user 0:0 --cap-add SYS_ADMIN
|
||||
- container: vscode-armhf
|
||||
image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-armhf
|
||||
endpoint: VSCodeHub
|
||||
options: --user 0:0 --cap-add SYS_ADMIN
|
||||
- container: snapcraft
|
||||
image: snapcore/snapcraft:stable
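Review bot: `--cap-add SYS_ADMIN` on the `vscode-x64`, `vscode-arm64` and `vscode-armhf` containers is a much wider grant than the namespace creation the commit message gives as the reason (CLONE_NEWPID | CLONE_NEWNET), and it is combined with `--user 0:0`, so every script in these jobs runs as root with that capability. Nothing next to the option records why it is there. I would add a comment above each `options:` line, for example `# SYS_ADMIN lets chrome-sandbox create PID/network namespaces in CI; do not reuse these options outside build agents`. It is also worth confirming that jobs building untrusted contributions do not share this container configuration, which is not visible from this hunk.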
|
||||
|
||||
|
|
|
@ -37,9 +37,9 @@ function createCompile(src, build, emitError) {
|
|||
const sourcemaps = require('gulp-sourcemaps');
|
||||
const projectPath = path.join(__dirname, '../../', src, 'tsconfig.json');
|
||||
const overrideOptions = Object.assign(Object.assign({}, getTypeScriptCompilerOptions(src)), { inlineSources: Boolean(build) });
|
||||
if (!build) {
|
||||
overrideOptions.inlineSourceMap = true;
|
||||
}
|
||||
if (!build) {
|
||||
overrideOptions.inlineSourceMap = true;
|
||||
}
|
||||
const compilation = tsb.create(projectPath, overrideOptions, false, err => reporter(err));
|
||||
function pipeline(token) {
|
||||
const bom = require('gulp-bom');
|
||||
|
|
|
@ -65,6 +65,7 @@ update-mime-database /usr/share/mime &> /dev/null || :
|
|||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%attr(4755, root, root) /usr/share/@@NAME@@/chrome-sandbox
|
||||
|
||||
/usr/share/@@NAME@@/
|
||||
/usr/share/applications/@@NAME@@.desktop
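Review bot: The `%attr(4755, root, root)` entry installs `chrome-sandbox` setuid root, but the directory entry `/usr/share/@@NAME@@/` listed right after it covers the same file under `%defattr(-,root,root)`, so as far as the visible lines show the file is listed twice. rpmbuild may warn about that, and it is worth confirming on a built package (for example with `rpm -qplv`) that the payload really carries mode 4755 and root ownership. A comment would help the next packager as well: `# chrome-sandbox must stay setuid root (4755) for the Chromium sandbox`.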
|
||||
|
|
|
@ -27,6 +27,9 @@ parts:
|
|||
- gnome
|
||||
plugin: dump
|
||||
source: .
|
||||
override-build: |
|
||||
snapcraftctl build
|
||||
chmod 4755 $SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox
|
||||
stage-packages:
|
||||
- ibus-gtk3
|
||||
- fcitx-frontend-gtk3
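Review bot: The added `chmod 4755` in `override-build` sets the setuid bit but, unlike the pipeline step in this commit, does not set the owner, and the bit only has the intended effect when the file ends up owned by root inside the packed snap. That is presumably the case after packing, but it is not visible here, so a comment stating the assumption (or a check in the snap build) would help. The path is also unquoted; `chmod 4755 "$SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox"` is the safer form.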
|
||||
|
|
|
@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
|
|||
ROOT=$(dirname $(dirname $(realpath "$0")))
|
||||
else
|
||||
ROOT=$(dirname $(dirname $(readlink -f $0)))
|
||||
# --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
|
||||
# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
|
||||
# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
|
||||
LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
|
||||
LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
|
||||
fi
|
||||
|
||||
VSCODEUSERDATADIR=`mktemp -d 2>/dev/null`
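Review bot: With `--disable-setuid-sandbox` dropped from `LINUX_EXTRA_ARGS`, this script now relies on Chromium finding a usable sandbox, and the remaining comment says nothing about what that requires. On hosts or containers without unprivileged user namespaces, the `chrome-sandbox` helper next to the Electron binary has to be root-owned with mode 4755 (the CI pipeline in this commit does that in a separate step), otherwise the launch is expected to abort. A comment above the assignment would save local users a debugging round, e.g. `# sandbox stays enabled: needs user namespaces or a root-owned 4755 chrome-sandbox`. The same applies to the identical hunk in the next script, the one that continues with `cd $ROOT`. The if/else block starts outside the hunk.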
|
||||
|
|
|
@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
|
|||
ROOT=$(dirname $(dirname $(realpath "$0")))
|
||||
else
|
||||
ROOT=$(dirname $(dirname $(readlink -f $0)))
|
||||
# --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
|
||||
# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
|
||||
# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
|
||||
LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
|
||||
LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
|
||||
fi
|
||||
|
||||
cd $ROOT
|
||||
|
|
|
@ -33,8 +33,7 @@ const height = 800;
|
|||
type BrowserType = 'chromium' | 'firefox' | 'webkit';
|
||||
|
||||
async function runTestsInBrowser(browserType: BrowserType, endpoint: url.UrlWithStringQuery, server: cp.ChildProcess): Promise<void> {
|
||||
const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
|
||||
const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug), args });
|
||||
const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug) });
|
||||
const context = await browser.newContext();
|
||||
const page = await context.newPage();
|
||||
await page.setViewportSize({ width, height });
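Review bot: Removing `--disable-setuid-sandbox` from the `launch()` call probably does not make these Chromium runs sandboxed: Playwright's `chromiumSandbox` launch option defaults to `false` as far as I know, so the browser would still start without a sandbox. If the goal is to exercise the tests under the sandbox, pass it explicitly for the chromium case, `launch({ headless: !Boolean(optimist.argv.debug), chromiumSandbox: true })`; if not, a short comment saying the Playwright runs stay unsandboxed would avoid the wrong impression. The same holds for the JavaScript `runTestsInBrowser(testModules, browserType)` in the following section. Both function bodies continue past their hunks.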
|
||||
|
|
|
@ -146,8 +146,7 @@ function consoleLogFn(msg) {
|
|||
}
|
||||
|
||||
async function runTestsInBrowser(testModules, browserType) {
|
||||
const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
|
||||
const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug), args });
|
||||
const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug) });
|
||||
const context = await browser.newContext();
|
||||
const page = await context.newPage();
|
||||
const target = url.pathToFileURL(path.join(__dirname, 'renderer.html'));
|
||||
|
|