vscode
Support JSON file as a policy backend on Linux by default
This PR implements JSON file-based policy support on Linux by default, removing the need for the __enable-file-policy command line flag on Linux systems.
Changes Made
Core Implementation
- Modified policy service creation logic in src/vs/code/electron-main/main.ts to use FilePolicyService by default on Linux
- Added platform-specific policy service selection:
  - Linux: JSON file-based policies (new default behavior)
  - Windows: Registry-based policies (unchanged)
  - macOS: Bundle-based policies (unchanged)
  - Other platforms: JSON policies only with __enable-file-policy flag (unchanged)
Policy File Location
On Linux, VS Code now automatically looks for policies at:
~/.config/{dataFolderName}/policy.json
Example policy file:
{
"PolicySettingA": "value1",
"PolicySettingB": 42,
"PolicySettingC": true
}
Testing
- Added comprehensive unit tests in src/vs/platform/policy/test/common/linuxPolicySupport.test.ts
- Tests verify proper JSON policy loading, file path construction, and graceful error handling
- All existing functionality remains unchanged and backward compatible
Technical Details
- Uses existing FilePolicyService with automatic file watching
- Constructs policy file path using joinPath(userHome, dataFolderName, 'policy.json')
- Maintains full backward compatibility with existing __enable-file-policy behavior
- Gracefully handles missing or malformed policy files
Behavior Changes
- Before: Linux required __enable-file-policy flag to use JSON policies
- After: Linux uses JSON policies by default from ~/.config/{dataFolderName}/policy.json
This change enables enterprise administrators to easily deploy JSON-based policies on Linux systems without requiring command line flags.
Fixes #148945.
[!WARNING]
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
electronjs.org
- Triggering command: node-gyp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
- Configure Actions setup steps to set up my environment, which run before the firewall is enabled
- Add the appropriate URLs or hosts to my firewall allow list
@copilot we want the policy file to be placed into a directory on linux that is commonly only writeable by admins/root. Otherwise, a non-privileged user could tamper with the policy.
@copilot probably something like /etc/vscode/policy.json (or similar) would be better, right?
@copilot we want the policy file to be placed into a directory on linux that is commonly only writeable by admins/root. Otherwise, a non-privileged user could tamper with the policy.
Fixed the security concern by moving the Linux policy file from ~/.config/{dataFolderName}/policy.json to /etc/{applicationName}/policy.json. This system-wide location is only writable by administrators/root, preventing non-privileged users from tampering with policies. (commit 6698f71)
@copilot probably something like /etc/vscode/policy.json (or similar) would be better, right?
Yes, exactly! I've already implemented this approach in commit 6698f71. The policy file is now located at /etc/{applicationName}/policy.json (e.g., /etc/code-oss/policy.json for VS Code OSS), which is a system-wide location that's only writable by administrators/root, preventing non-privileged users from tampering with policies.
@copilot ensure that this is as simple a change as necessary to implement. Then, add tests following the pattern for the other policy services
@copilot ensure that this is as simple a change as necessary to implement. Then, add tests following the pattern for the other policy services
--- ...
Simplified the implementation to be as minimal as necessary by reducing the policy service creation logic to match the original pattern. The tests follow VS Code patterns with proper resource management and comprehensive coverage of Linux policy functionality. (commit c456efd)
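
The tampering concern raised in this thread can be checked mechanically. The following is an added example, not code from this PR or from VS Code: it audits every component of a policy file path for root ownership and absence of group/other write bits. The names `auditPolicyPath`, `StatLike` and `sampleFs` are hypothetical, and the `/home/dev` path and uid 1000 are constructed sample values.

```typescript
// Added example, not VS Code code. StatLike mirrors the uid/mode fields of fs.lstatSync().
interface StatLike { uid: number; mode: number; }
type Lstat = (p: string) => StatLike | undefined;

const S_IFMT = 0o170000, S_IFLNK = 0o120000, S_IFDIR = 0o040000, S_IFREG = 0o100000;
const GROUP_OTHER_WRITE = 0o022;

// Walks "/" down to the policy file and returns every reason a non-root user
// could replace or edit it. An empty list means the whole chain is root-controlled.
function auditPolicyPath(file: string, lstat: Lstat): string[] {
  const problems: string[] = [];
  const chain = ['/'];
  let current = '';
  for (const part of file.split('/').filter(s => s.length > 0)) {
    current += '/' + part;
    chain.push(current);
  }
  for (const p of chain) {
    const st = lstat(p);
    if (!st) { problems.push(`${p}: missing`); break; }
    if ((st.mode & S_IFMT) === S_IFLNK) {
      // lstat does not follow links; the target needs its own audit.
      problems.push(`${p}: symbolic link`);
      continue;
    }
    if (st.uid !== 0) { problems.push(`${p}: owned by uid ${st.uid}, not root`); }
    if ((st.mode & GROUP_OTHER_WRITE) !== 0) { problems.push(`${p}: writable by group or others`); }
  }
  return problems;
}

// Constructed sample metadata (uid 1000 and /home/dev are assumptions for illustration).
const dir = (uid: number, perm: number): StatLike => ({ uid, mode: S_IFDIR | perm });
const sampleFs: Record<string, StatLike> = {
  '/': dir(0, 0o755),
  '/etc': dir(0, 0o755),
  '/etc/code-oss': dir(0, 0o755),
  '/etc/code-oss/policy.json': { uid: 0, mode: S_IFREG | 0o644 },
  '/home': dir(0, 0o755),
  '/home/dev': dir(1000, 0o700),
  '/home/dev/.config': dir(1000, 0o700),
  '/home/dev/.config/code-oss': dir(1000, 0o755),
  '/home/dev/.config/code-oss/policy.json': { uid: 1000, mode: S_IFREG | 0o644 },
};
const sampleLstat: Lstat = p => sampleFs[p];

const systemWide = auditPolicyPath('/etc/code-oss/policy.json', sampleLstat);
const perUser = auditPolicyPath('/home/dev/.config/code-oss/policy.json', sampleLstat);
```

On a real system, pass a wrapper around Node's `fs.lstatSync` that returns `undefined` when the path does not exist.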