netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Profile report: Visual Studio Code #5937

Open krokodyl1220 opened 1 year ago

krokodyl1220 commented 1 year ago

As a follow-up from the previous issue I wanted to report on configuration from the code profile. For reference, these are the lines from the default profile (as of 0.9.72) from code.profile:

# Disabled until someone reported positive feedback
ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor
ignore disable-mnt
ignore dbus-user none
ignore dbus-system none

My test scenario / use case for verification:

In my code.local file I also added hardening options from the previous discussions:

ignore private-dev #required for USB debugger connection

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot

Below is the list of options that I enabled and did not notice any issues during a few days of work:

include whitelist-runuser-common.inc
include whitelist-var-common.inc
apparmor # Probably needs another check, since Fedora uses selinux instead
disable-mnt
dbus-user none
dbus-system none

Below is the list of options that have some side-effects when using VS Code as a full IDE, but may be suitable if one is to use the software only as a text editor:

include disable-devel.inc # Broke the cmake extension
include disable-interpreters.inc # Disabled access to python from terminal

And finally, below is the list of options that have undesirable effects:

include disable-exec.inc # Broke the cpptools extension
include disable-xdg.inc # Breaks access to ~/Documents
whitelist ${DOWNLOADS} # Breaks editor customization and extensions
whitelist ${HOME}/.config/Electron # Breaks editor customization and extensions
whitelist ${HOME}/.config/electron*-flag*.conf # Breaks editor customization and extensions
include whitelist-common.inc # Breaks editor customization and extensions
include whitelist-usr-share-common.inc # Breaks something in path - when starting code from terminal the message 'no suitable executable found'

If any more information or testing is required please let me know.

glitsj16 commented 1 year ago

Thanks for taking the time to test and report, much appreciated.

include disable-devel.inc # Broke the cmake extension
include disable-interpreters.inc # Disabled access to python from terminal

Both these includes don't make much sense in VS Code, we'll keep them disabled.

include disable-exec.inc # Broke the cpptools extension

Adding ignore noexec ${HOME} and maybe also ignore noexec ${RUNUSER} should cover this.

include disable-xdg.inc # Breaks access to ~/Documents

An additional whitelist ${DOCUMENTS} could take care of that. But as your other remarks indicate, it seems that trying to implement a whitelisting profile for VS Code is probably not a very good idea.

Let's wait a bit to give fellow collaborators the time to reflect on your observations. In any case we have a much better view on the best way forward now thanks to your efforts.

Regards
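Both posts above rely on the order in which firejail reads `ignore` and `include` lines (code.local first, then the profile body). The following is an added example, not firejail's own code: a small Python model of that walk over constructed, abridged stand-ins for code.profile, code.local and disable-exec.inc, so the effect of the suggested `ignore noexec ${HOME}` and of re-enabling an include from code.local can be checked offline. The semantics it assumes are stated in the comments.

```python
# Added example, not firejail's own code: a small model of how firejail walks a
# profile. Assumed semantics: `ignore X` drops only lines read AFTER it, X is
# matched as a whole-word prefix, and the ignore list is shared across includes.

def is_ignored(line, ignores):
    # Whole-word prefix match: 'ignore seccomp' also drops 'seccomp !chroot'.
    return any(line == ig or line.startswith(ig + " ") for ig in ignores)

def resolve(name, files, ignores, effective):
    # Append the commands of profile `name` that survive to `effective`.
    for raw in files.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or is_ignored(line, ignores):
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):].strip())
        elif line.startswith("include ") and line[len("include "):].strip() in files:
            resolve(line[len("include "):].strip(), files, ignores, effective)
        else:
            effective.append(line)  # includes without modelled content stay opaque
    return effective

# Constructed, abridged stand-ins; the real files are much longer.
FILES = {
    "code.profile": """
        include code.local
        # Disabled until someone reported positive feedback
        ignore include disable-exec.inc
        ignore include whitelist-var-common.inc
        ignore dbus-user none
        include disable-exec.inc
        include whitelist-var-common.inc
        private-dev
        dbus-user none
        seccomp
    """,
    "disable-exec.inc": "noexec ${HOME}\nnoexec /tmp\n",
    "code.local": """
        ignore private-dev
        ignore noexec ${HOME}
        include disable-exec.inc
        include whitelist-var-common.inc
        dbus-user none
        noroot
    """,
}

def effective_profile(files=FILES):
    # code.local is read first: its `ignore` lines win over later profile lines,
    # and its `include` lines run before the profile's `ignore include ...`.
    return resolve("code.profile", files, [], [])
```

Running `effective_profile()` shows `noexec ${HOME}` and `private-dev` dropped while `noexec /tmp`, the re-enabled whitelist include and `dbus-user none` survive; moving `ignore noexec ${HOME}` below `include disable-exec.inc` in code.local would have no effect.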

rusty-snake commented 1 year ago

The rest sounds legit.