From 92999c339e2666998bd45d13fa355cecc7947b8b Mon Sep 17 00:00:00 2001
From: Robo
Date: Wed, 23 Jun 2021 00:42:30 +0900
Subject: [PATCH] fix: setuid helper permission (#126798)
* ci: fix setuid helper binary permission
* ci: allow privilege for CLONE_NEWPID | CLONE_NEWNET
* ci: fix chrome-sandbox permission with rpm
* ci: fix permissions on snap
* ci: download electron earlier for arm builds
---
.../linux/product-build-linux.yml | 19 +++++++++++++++----
build/azure-pipelines/product-build.yml | 4 +++-
build/lib/compilation.js | 6 +++---
resources/linux/rpm/code.spec.template | 1 +
resources/linux/snap/snapcraft.yaml | 3 +++
scripts/test-integration.sh | 3 +--
scripts/test.sh | 3 +--
test/integration/browser/src/index.ts | 3 +--
test/unit/browser/index.js | 3 +--
9 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/build/azure-pipelines/linux/product-build-linux.yml b/build/azure-pipelines/linux/product-build-linux.yml
index 5480896cbad..408ffa3237a 100644
--- a/build/azure-pipelines/linux/product-build-linux.yml
+++ b/build/azure-pipelines/linux/product-build-linux.yml
@@ -129,7 +129,18 @@ steps:
VSCODE_MIXIN_PASSWORD="$(github-distro-mixin-password)" \
yarn npm-run-all -lp "electron $(VSCODE_ARCH)" "playwright-install"
displayName: Download Electron and Playwright
- condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
+
+ - script: |
+ set -e
+ APP_ROOT=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
+ ELECTRON_ROOT=.build/electron
+ sudo chown root $APP_ROOT/chrome-sandbox
+ sudo chown root $ELECTRON_ROOT/chrome-sandbox
+ sudo chmod 4755 $APP_ROOT/chrome-sandbox
+ sudo chmod 4755 $ELECTRON_ROOT/chrome-sandbox
+ stat $APP_ROOT/chrome-sandbox
+ stat $ELECTRON_ROOT/chrome-sandbox
+ displayName: Change setuid helper binary permission
- script: |
set -e
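Review bot: The chown-then-chmod order in the new "Change setuid helper binary permission" step is load-bearing and undocumented: on Linux an ownership change clears the setuid bit even when performed by root, so `chmod 4755` must follow `chown root`, and a later reordering would silently leave a non-setuid helper that Chromium then refuses to use. A comment above the chown lines, e.g. `# chown before chmod: Linux drops the setuid bit on ownership change`, would protect that ordering. The two `stat` calls only print the result; turning them into a check such as `test "$(stat -c %a $APP_ROOT/chrome-sandbox)" = 4755` would fail the step on a regression instead of burying it in the log. Dropping the `condition:` from the "Download Electron and Playwright" step also makes it run on every arch and regardless of VSCODE_STEP_ON_IT, which matches the commit message's arm intent but deserves a comment so it is not later "fixed" back. The step that starts at the hunk's trailing `- script: |` continues outside the hunk.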
@@ -183,7 +194,7 @@ steps:
- script: |
set -e
APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
- yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+ yarn smoketest-no-compile --build "$APP_PATH" --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
timeoutInMinutes: 5
displayName: Run smoke tests (Electron)
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
@@ -192,7 +203,7 @@ steps:
set -e
APP_PATH=$(agent.builddirectory)/VSCode-linux-$(VSCODE_ARCH)
VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-linux-$(VSCODE_ARCH)" \
- yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+ yarn smoketest-no-compile --build "$APP_PATH" --remote --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
timeoutInMinutes: 5
displayName: Run smoke tests (Remote)
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
@@ -200,7 +211,7 @@ steps:
- script: |
set -e
VSCODE_REMOTE_SERVER_PATH="$(agent.builddirectory)/vscode-reh-web-linux-$(VSCODE_ARCH)" \
- yarn smoketest-no-compile --web --headless --electronArgs="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+ yarn smoketest-no-compile --web --headless --electronArgs="--disable-dev-shm-usage --use-gl=swiftshader"
timeoutInMinutes: 5
displayName: Run smoke tests (Browser)
condition: and(succeeded(), eq(variables['VSCODE_ARCH'], 'x64'), eq(variables['VSCODE_STEP_ON_IT'], 'false'))
diff --git a/build/azure-pipelines/product-build.yml b/build/azure-pipelines/product-build.yml
index 02ae2e0c0a4..4bd202846e2 100644
--- a/build/azure-pipelines/product-build.yml
+++ b/build/azure-pipelines/product-build.yml
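Review bot: The three smoke-test steps (this hunk and the following `@@ -192` and `@@ -200` hunks) now run with Chromium's setuid sandbox enabled, which makes them silently depend on the "Change setuid helper binary permission" step having chowned and chmod'ed both chrome-sandbox copies earlier in the job, and nothing here documents or checks that dependency. If that step is ever reordered, conditioned away or removed, Electron aborts at startup with the "SUID sandbox helper binary was found, but is not configured correctly" error and the failure will read as a smoke-test flake. A one-line comment on each step, e.g. `# relies on the setuid chrome-sandbox prepared by the 'Change setuid helper binary permission' step`, would make the coupling visible. Since the `--web --headless` variant does not launch the Electron binary, it is worth confirming which browser it actually starts and whether the setuid helper matters for it at all.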
@@ -126,13 +126,15 @@ resources:
- container: vscode-x64
image: vscodehub.azurecr.io/vscode-linux-build-agent:bionic-x64
endpoint: VSCodeHub
- options: --user 0:0
+ options: --user 0:0 --cap-add SYS_ADMIN
- container: vscode-arm64
image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-arm64
endpoint: VSCodeHub
+ options: --user 0:0 --cap-add SYS_ADMIN
- container: vscode-armhf
image: vscodehub.azurecr.io/vscode-linux-build-agent:stretch-armhf
endpoint: VSCodeHub
+ options: --user 0:0 --cap-add SYS_ADMIN
- container: snapcraft
image: snapcore/snapcraft:stable
diff --git a/build/lib/compilation.js b/build/lib/compilation.js
index 71181f8aa07..cfde96d37b4 100644
--- a/build/lib/compilation.js
+++ b/build/lib/compilation.js
@@ -37,9 +37,9 @@ function createCompile(src, build, emitError) {
const sourcemaps = require('gulp-sourcemaps');
const projectPath = path.join(__dirname, '../../', src, 'tsconfig.json');
const overrideOptions = Object.assign(Object.assign({}, getTypeScriptCompilerOptions(src)), { inlineSources: Boolean(build) });
- if (!build) {
- overrideOptions.inlineSourceMap = true;
- }
+ if (!build) {
+ overrideOptions.inlineSourceMap = true;
+ }
const compilation = tsb.create(projectPath, overrideOptions, false, err => reporter(err));
function pipeline(token) {
const bom = require('gulp-bom');
diff --git a/resources/linux/rpm/code.spec.template b/resources/linux/rpm/code.spec.template
index 578339b87f9..79c8c43022f 100644
--- a/resources/linux/rpm/code.spec.template
+++ b/resources/linux/rpm/code.spec.template
@@ -65,6 +65,7 @@ update-mime-database /usr/share/mime &> /dev/null || :
%files
%defattr(-,root,root)
+%attr(4755, root, root) /usr/share/@@NAME@@/chrome-sandbox
/usr/share/@@NAME@@/
/usr/share/applications/@@NAME@@.desktop
diff --git a/resources/linux/snap/snapcraft.yaml b/resources/linux/snap/snapcraft.yaml
index c24d0af3ea7..b40b6a6ae7a 100644
--- a/resources/linux/snap/snapcraft.yaml
+++ b/resources/linux/snap/snapcraft.yaml
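Review bot: `--cap-add SYS_ADMIN` is added to all three Linux build containers with no comment on why it is needed or what it grants; CAP_SYS_ADMIN is the broadest Linux capability (mounts, namespace creation, a long list of privileged ioctls) and is generally treated as root-equivalent, so a later reader cannot tell whether it may be dropped. The justification is only in the commit message — the setuid sandbox needs CLONE_NEWPID | CLONE_NEWNET, which Docker's default seccomp profile only allows to processes holding this capability — and it belongs next to the option, e.g. `# SYS_ADMIN: lets chrome-sandbox create PID/net namespaces under Docker's default seccomp profile; needed for the setuid sandbox, do not widen further`. Note also that the arm64 and armhf containers previously had no `options:` line at all, so this hunk does not just add the capability to them but also switches them to `--user 0:0`, a second privilege change the commit message does not mention and that is worth confirming as intended. If the build agent allows it, a custom seccomp profile that permits the namespace-creating clone/unshare flags would be a narrower alternative to the full capability, but that needs verification against the agent.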
@@ -27,6 +27,9 @@ parts:
- gnome
plugin: dump
source: .
+ override-build: |
+ snapcraftctl build
+ chmod 4755 $SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox
stage-packages:
- ibus-gtk3
- fcitx-frontend-gtk3
diff --git a/scripts/test-integration.sh b/scripts/test-integration.sh
index ad22b609539..d529a5bc394 100755
--- a/scripts/test-integration.sh
+++ b/scripts/test-integration.sh
@@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
ROOT=$(dirname $(dirname $(realpath "$0")))
else
ROOT=$(dirname $(dirname $(readlink -f $0)))
- # --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
- LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+ LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
fi
VSCODEUSERDATADIR=`mktemp -d 2>/dev/null`
diff --git a/scripts/test.sh b/scripts/test.sh
index 68f75db60d8..10ffb97c71f 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -6,10 +6,9 @@ if [[ "$OSTYPE" == "darwin"* ]]; then
ROOT=$(dirname $(dirname $(realpath "$0")))
else
ROOT=$(dirname $(dirname $(readlink -f $0)))
- # --disable-setuid-sandbox: setuid sandboxes requires root and is used in containers so we disable this
# --disable-dev-shm-usage --use-gl=swiftshader: when run on docker containers where size of /dev/shm
# partition < 64MB which causes OOM failure for chromium compositor that uses the partition for shared memory
- LINUX_EXTRA_ARGS="--disable-setuid-sandbox --disable-dev-shm-usage --use-gl=swiftshader"
+ LINUX_EXTRA_ARGS="--disable-dev-shm-usage --use-gl=swiftshader"
fi
cd $ROOT
diff --git a/test/integration/browser/src/index.ts b/test/integration/browser/src/index.ts
index 7d212fa2f70..3a5fbe528b2 100644
--- a/test/integration/browser/src/index.ts
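Review bot: The `chmod 4755` in the new override-build sets the setuid bit on chrome-sandbox inside the snap with no comment, and setuid files in a strictly confined snap are something the store's review tooling normally flags, so it is worth confirming the upload is not rejected and recording the result next to the line. Unlike the rpm hunk there is no ownership step here; as far as I recall snapcraft packs the squashfs with all files owned by root, so chmod alone should suffice, but a note such as `# chrome-sandbox must be setuid root for Chromium's setuid sandbox; snap packs files as root, so chmod is enough` would spare the next reader that investigation. Quoting the path (`chmod 4755 "$SNAPCRAFT_PART_INSTALL/usr/share/@@NAME@@/chrome-sandbox"`) is harmless and consistent with the shell hygiene used elsewhere.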
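Review bot: With `--disable-setuid-sandbox` gone, the surviving comment in test-integration.sh (and identically in the scripts/test.sh hunk) no longer tells a developer that running these scripts inside a container now requires Chromium's setuid helper to be root-owned with mode 4755, which is exactly the situation the deleted comment used to explain. Rather than dropping that line, replace it, e.g. `# the setuid sandbox stays enabled: inside containers chrome-sandbox must be owned by root with mode 4755 (see build/azure-pipelines/linux/product-build-linux.yml)`, so a local launch failure is recognised as a permissions problem rather than a test bug. The `if` that opens this block is only visible in the hunk header, outside the hunk.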
+++ b/test/integration/browser/src/index.ts
@@ -33,8 +33,7 @@ const height = 800;
type BrowserType = 'chromium' | 'firefox' | 'webkit';
async function runTestsInBrowser(browserType: BrowserType, endpoint: url.UrlWithStringQuery, server: cp.ChildProcess): Promise {
- const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
- const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug), args });
+ const browser = await playwright[browserType].launch({ headless: !Boolean(optimist.argv.debug) });
const context = await browser.newContext();
const page = await context.newPage();
await page.setViewportSize({ width, height });
diff --git a/test/unit/browser/index.js b/test/unit/browser/index.js
index 92a9cc7264d..3bb6005e7a0 100644
--- a/test/unit/browser/index.js
+++ b/test/unit/browser/index.js
@@ -146,8 +146,7 @@ function consoleLogFn(msg) {
}
async function runTestsInBrowser(testModules, browserType) {
- const args = process.platform === 'linux' && browserType === 'chromium' ? ['--disable-setuid-sandbox'] : undefined; // setuid sandboxes requires root and is used in containers so we disable this to support our CI
- const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug), args });
+ const browser = await playwright[browserType].launch({ headless: !Boolean(argv.debug) });
const context = await browser.newContext();
const page = await context.newPage();
const target = url.pathToFileURL(path.join(__dirname, 'renderer.html'));
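Review bot: Removing the Linux-only `--disable-setuid-sandbox` arg here (and identically in the test/unit/browser/index.js hunk) assumes the Chromium that Playwright launches has a usable setuid helper, but the CI step added in product-build-linux.yml only fixes the two Electron copies of chrome-sandbox, not the helper bundled with Playwright's downloaded browser. Whether this works therefore rests on Playwright's own behaviour — I believe it adds `--no-sandbox` itself when the process runs as root, which these `--user 0:0` containers do — and that should be confirmed rather than assumed. A short comment on the launch call, e.g. `// sandbox flags are left to Playwright; CI runs as root, where it disables Chromium's setuid sandbox itself (verify)`, would record the assumption until it is checked. runTestsInBrowser continues past the end of the hunk.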