chore: introduce a new flag disable-chromium-sandbox (#186252)

src/main.js

@@ -36,10 +36,21 @@ bootstrap.enableASARSupport();
 const args = parseCLIArgs();
 // Configure static command line arguments
 const argvConfig = configureCommandlineSwitchesSync(args);
-// Enable sandbox globally unless disabled via `--no-sandbox` argument
-// or if `disable-chromium-sandbox: true` is set in argv.json.
-if (args['sandbox'] && !argvConfig['disable-chromium-sandbox']) {
+// Enable sandbox globally unless
+// 1) disabled via command line using either
+//    `--no-sandbox` or `--disable-chromium-sandbox` argument.
+// 2) argv.json contains `disable-chromium-sandbox: true`.
+if (args['sandbox'] &&
+	!args['disable-chromium-sandbox'] &&
+	!argvConfig['disable-chromium-sandbox']) {
 	app.enableSandbox();
+} else if (app.commandLine.hasSwitch('no-sandbox') &&
+	!app.commandLine.hasSwitch('disable-gpu-sandbox')) {
+	// Disable GPU sandbox whenever --no-sandbox is used.
+	app.commandLine.appendSwitch('disable-gpu-sandbox');
+} else {
+	app.commandLine.appendSwitch('no-sandbox');
+	app.commandLine.appendSwitch('disable-gpu-sandbox');
 }
 
 // Set userData path before app 'ready' event
@@ -192,9 +203,6 @@ function configureCommandlineSwitchesSync(cliArgs) {
 		// override for the color profile to use
 		'force-color-profile',
 
-		// disable chromium sandbox
-		'disable-chromium-sandbox',
-
 		// override which password-store is used
 		'password-store'
 	];
@@ -238,9 +246,6 @@ function configureCommandlineSwitchesSync(cliArgs) {
 			else if (argvValue === true || argvValue === 'true') {
 				if (argvKey === 'disable-hardware-acceleration') {
 					app.disableHardwareAcceleration(); // needs to be called explicitly
-				} else if (argvKey === 'disable-chromium-sandbox') {
-					app.commandLine.appendSwitch('no-sandbox');
-					app.commandLine.appendSwitch('disable-gpu-sandbox');
 				} else {
 					app.commandLine.appendSwitch(argvKey);
 				}
@@ -480,6 +485,9 @@ function parseCLIArgs() {
 			'js-flags',
 			'crash-reporter-directory'
 		],
+		boolean: [
+			'disable-chromium-sandbox',
+		],
 		default: {
 			'sandbox': true
 		},

src/vs/platform/environment/common/argv.ts

@@ -109,6 +109,7 @@ export interface NativeParsedArgs {
 	'locate-shell-integration-path'?: string;
 	'profile'?: string;
 	'profile-temp'?: boolean;
+	'disable-chromium-sandbox'?: boolean;
 
 	'enable-coi'?: boolean;
 

src/vs/platform/environment/node/argv.ts

@@ -109,6 +109,7 @@ export const OPTIONS: OptionDescriptions<Required<NativeParsedArgs>> = {
 	'inspect-extensions': { type: 'string', allowEmptyValue: true, deprecates: ['debugPluginHost'], args: 'port', cat: 't', description: localize('inspect-extensions', "Allow debugging and profiling of extensions. Check the developer tools for the connection URI.") },
 	'inspect-brk-extensions': { type: 'string', allowEmptyValue: true, deprecates: ['debugBrkPluginHost'], args: 'port', cat: 't', description: localize('inspect-brk-extensions', "Allow debugging and profiling of extensions with the extension host being paused after start. Check the developer tools for the connection URI.") },
 	'disable-gpu': { type: 'boolean', cat: 't', description: localize('disableGPU', "Disable GPU hardware acceleration.") },
+	'disable-chromium-sandbox': { type: 'boolean', cat: 't', description: localize('disableChromiumSandbox', "Use this option only when there is requirement to launch the application as sudo user on Linux or when running as an elevated user in an applocker environment on Windows.") },
 	'ms-enable-electron-run-as-node': { type: 'boolean', global: true },
 	'telemetry': { type: 'boolean', cat: 't', description: localize('telemetry', "Shows all telemetry events which VS code collects.") },