Pass arguments to disable sandboxing when enabled

.gitignore

@@ -12,3 +12,4 @@ default.profraw
 assets/documentation-webview
 assets/test/**/Package.resolved
 assets/swift-docc-render
+ud

.prettierignore

@@ -18,3 +18,6 @@ node_modules/
 /coverage/
 /dist/
 /snippets/
+
+# macOS CI
+/ud/

.vscode-test.js

@@ -18,25 +18,40 @@ const path = require("path");
 const isCIBuild = process.env["CI"] === "1";
 const isFastTestRun = process.env["FAST_TEST_RUN"] === "1";
 
+const dataDir = process.env["VSCODE_DATA_DIR"];
+
 // "env" in launch.json doesn't seem to work with vscode-test
 const isDebugRun = !(process.env["_"] ?? "").endsWith("node_modules/.bin/vscode-test");
 
 // so tests don't timeout when a breakpoint is hit
 const timeout = isDebugRun ? Number.MAX_SAFE_INTEGER : 3000;
 
+const launchArgs = [
+    "--disable-updates",
+    "--disable-crash-reporter",
+    "--disable-workspace-trust",
+    "--disable-telemetry",
+    "--disable-extension",
+    "vscode.github",
+    "--disable-extension",
+    "vscode.github-authentication",
+];
+if (dataDir) {
+    launchArgs.push("--user-data-dir", dataDir);
+}
+// GPU hardware acceleration not working on Darwin for intel
+if (process.platform === "darwin" && process.arch === "x64") {
+    launchArgs.push("--disable-gpu");
+}
+
 module.exports = defineConfig({
     tests: [
         {
             label: "integrationTests",
             files: ["dist/test/common.js", "dist/test/integration-tests/**/*.test.js"],
             version: process.env["VSCODE_VERSION"] ?? "stable",
             workspaceFolder: "./assets/test",
-            launchArgs: [
-                "--disable-updates",
-                "--disable-crash-reporter",
-                "--disable-workspace-trust",
-                "--disable-telemetry",
-            ],
+            launchArgs,
             mocha: {
                 ui: "tdd",
                 color: true,
@@ -59,13 +74,7 @@ module.exports = defineConfig({
             label: "unitTests",
             files: ["dist/test/common.js", "dist/test/unit-tests/**/*.test.js"],
             version: process.env["VSCODE_VERSION"] ?? "stable",
-            launchArgs: [
-                "--disable-extensions",
-                "--disable-updates",
-                "--disable-crash-reporter",
-                "--disable-workspace-trust",
-                "--disable-telemetry",
-            ],
+            launchArgs: launchArgs.concat("--disable-extensions"),
             mocha: {
                 ui: "tdd",
                 color: true,

assets/test/.vscode/tasks.json

@@ -35,6 +35,7 @@
 			"command": "command_plugin",
 			"args": ["--foo"],
 			"cwd": "command-plugin",
+			"disableSandbox": true,
 			"problemMatcher": [
 				"$swiftc"
 			],

docker/sandbox.sb

@@ -0,0 +1,138 @@
+(version 1)
+; Deny everything by default
+(deny default)
+
+; Get fonts
+(import "system.sb")
+
+; Helpers
+(define (param-regex param-name param-relative-regex)
+    (regex (string-append "^" (regex-quote (param param-name)) param-relative-regex)))
+(define (param-subpath param-name param-relative-subpath)
+    (subpath (string-append (param param-name) param-relative-subpath)))
+(define workspace
+    (param "workspace"))
+
+; Read
+(allow file-read-metadata
+    (subpath "/"))
+(allow file-read*
+    (subpath workspace)
+    (path "/")
+    (path "/private/etc/ssl/openssl.cnf")
+    (path "/dev/dtracehelper")
+    (path "/dev/fd")
+    (path "/dev/null")
+    (path "/dev/ptmx")
+    (regex #"^/dev/tty.*")
+    (path "/etc/shells")
+    (path "/private/etc/shells")
+    (path "/private/etc/ssl/cert.pem")
+    (path "/System/Library/OpenSSL/openssl.cnf")
+    (regex #"^/Users/[^/]+/.vscode.*")
+    (regex #"^/Users/[^/]+/.gitconfig$")
+    (regex #"^/Users/[^/]+/.gitignore$")
+    (regex #"^/Users/[^/]+/.lldbinit$")
+    (regex #"^/Users/[^/]+/.sourcekit-lsp.*")
+    (regex #"^/Users/[^/]+/.swiftpm.*")
+    (regex #"^/Users/[^/]+/Library/org.swift.swiftpm.*")
+    (regex #"^/Users/[^/]+/Library/Developer/CommandLineTools")
+    (regex #"^/Users/[^/]+/Library/Developer/Toolchains")
+    (regex #"^/Users/[^/]+/Library/Developer/Xcode/DerivedData.*")
+    (regex #"^/Users/[^/]+/Library/Caches/org.swift.swiftpm.*")
+    (regex #"^/Users/[^/]+/Library/Caches/com.apple.dt.Xcode.*")
+    (regex #"^/Users/[^/]+/Library/Caches/com.apple.python.*")
+    (regex #"^/Users/[^/]+/Library/Application Support/Code.*")
+    (regex #"^/Users/[^/]+/Library/Application Support/Microsoft.*")
+    (regex #"^/Users/[^/]+/Library/Preferences/.*.plist")
+    (regex #"^/Users/[^/]+/Library/Python")
+    (regex #"^/Users/[^/]+/Library/SymbolCache/dsyms/uuids")
+    (regex #"^/Users/[^/]+/Library/Saved Application State/com.microsoft.VSCode.savedState.*")
+    (regex #"^/private/var/folders/[^/]+/[^/]+/.+")
+    (regex #"^/Library/Preferences/.*.plist")
+    (regex #"^/[^/]+/Library/Python")
+    (subpath "/Library/Developer/CommandLineTools")
+    (subpath "/Library/Developer/Toolchains")
+    (subpath "/Library/Frameworks/UIAutomation.framework")
+    (subpath "/Library/Python")
+    (subpath "/System/Library/Perl")
+    (subpath "/Applications/Xcode.app")
+    (subpath "/Applications/Xcode-beta.app")
+    (subpath "/bin")
+    (subpath "/usr/bin")
+    (subpath "/usr/local/bin")
+    (subpath "/usr/libexec/path_helper")
+    (subpath "/usr/local/share/git-core")
+    (subpath "/usr/local/share/hwtrace")
+
+    (regex #".*/LLDB.framework/.*")
+    (regex #".*/Python3.framework/.*")
+    (regex #".*/branch-main/.*")
+    (regex #".*/usr/lib/swift/.*")
+)
+
+(allow mach-lookup)
+(allow mach-priv-task-port)
+(allow mach-register)
+(allow sysctl-read)
+(allow system-debug)
+(allow ipc-posix-shm-read-data (literal "apple.shm.notification_center"))
+
+; Write
+(allow file-write*
+    (subpath workspace)
+    (path "/dev/null")
+    (path "/dev/ptmx")
+    (regex #"^/dev/tty.*")
+    (regex #"^/Users/[^/]+/.sourcekit-lsp.*")
+    (regex #"^/Users/[^/]+/Library/org.swift.swiftpm.*")
+    (regex #"^/Users/[^/]+/Library/Caches/org.swift.swiftpm.*")
+    (regex #"^/Users/[^/]+/Library/Caches/com.apple.dt.Xcode.*")
+    (regex #"^/Users/[^/]+/Library/Caches/com.apple.python.*")
+    (regex #"^/Users/[^/]+/Library/Developer/Xcode/DerivedData.*")
+    (regex #"^/Users/[^/]+/Library/Application Support/Code.*")
+    (regex #"^/Users/[^/]+/Library/Application Support/Microsoft.*")
+    (regex #"^/private/var/folders/[^/]+/[^/]+/.+")
+    (regex #"^/Users/[^/]+/.vscode.*")
+
+    (regex #".*/branch-main.*")
+)
+
+; Execute
+(allow process-exec*)
+(allow process-fork)
+
+; Network
+(allow system-socket)
+(allow network-outbound
+    (path "/private/var/run/mDNSResponder")
+    (remote tcp4 "*:443")
+    (remote tcp4 "*:3128")
+    ; (local tcp4 "*:*") ; CodeLLDB
+)
+
+; CodeLLDB
+; (allow network-bind 
+;    (local tcp4 "*:*")
+; )
+; (allow network-inbound
+;    (local tcp4 "*:*")
+; )
+
+; VSCode sockets
+(allow network*
+    (param-regex "workspace" "/ud/1\.[0-9]+-main\.sock")
+)
+
+; Open VSCode window
+(allow file-ioctl)
+(allow iokit-open-user-client)
+
+; VSCode terminal
+(allow pseudo-tty)
+
+; SourceKit-LSP
+(allow job-creation)
+
+; JSON language server
+(allow signal)

docker/test-macos.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+##===----------------------------------------------------------------------===##
+##
+## This source file is part of the VS Code Swift open source project
+##
+## Copyright (c) 2024 the VS Code Swift project authors
+## Licensed under Apache License v2.0
+##
+## See LICENSE.txt for license information
+## See CONTRIBUTORS.txt for the list of VS Code Swift project authors
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+##===----------------------------------------------------------------------===##
+
+set -e
+
+platform=$([ "$(arch)" == "arm64" ] && echo "arm64" || echo "x64")
+
+NODE_VERSION="$(cat .nvmrc)"
+NODE_NAME="node-v$NODE_VERSION-darwin-$platform"
+NODE_ARCHIVE="$NODE_NAME.tar.gz"
+ARTIFACTS="$PWD/.vscode-test"
+USER_DATA="$PWD/ud"
+VSCODE_SETTINGS="$USER_DATA/User/settings.json"
+LSP_SETTINGS="$HOME/.sourcekit-lsp/config.json"
+
+export TMPDIR="$ARTIFACTS/tmp"
+export TMP="$TMPDIR"
+mkdir -p "$TMPDIR"
+
+function cleanup {
+    rm SHASUMS256.txt
+    rm "$NODE_ARCHIVE"
+    rm -rf "$ARTIFACTS"
+    rm -rf "$LSP_SETTINGS"
+    rm -rf "$USER_DATA"
+}
+trap "cleanup" EXIT
+trap "cleanup" INT
+
+curl -O "https://nodejs.org/dist/v$NODE_VERSION/$NODE_ARCHIVE"
+curl -O "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt"
+
+grep "$NODE_ARCHIVE" SHASUMS256.txt | shasum -a 256 -c -
+
+tar -xzf "$NODE_ARCHIVE" -C "$ARTIFACTS"
+
+export NPM_CONFIG_CACHE="$ARTIFACTS/$NODE_NAME/cache"
+export NPM_CONFIG_PREFIX="$ARTIFACTS/$NODE_NAME"
+export NPM_CONFIG_USERCONFIG="$ARTIFACTS/$NODE_NAME/usernpmrc"
+export NPM_CONFIG_GLOBALCONFIG="$ARTIFACTS/$NODE_NAME/globalnpmrc"
+
+PATH="$ARTIFACTS/$NODE_NAME/bin:$PATH"
+
+mkdir -p "$(dirname "$VSCODE_SETTINGS")"
+cat <<EOT > "$VSCODE_SETTINGS"
+{
+    "swift.path": "/Users/ec2-user/jenkins/workspace/pr-vscode-swift-macos/branch-main/latest_toolchain/usr/bin"
+    "swift.disableSandbox": true,
+    "swift.debugger.disable": true,
+    "swift.debugger.path": "/Users/ec2-user/jenkins/workspace/pr-vscode-swift-macos/branch-main/latest_toolchain/usr/bin/lldb-dap",
+    "lldb.library": "/Applications/Xcode-beta.app/Contents/SharedFrameworks/LLDB.framework/Versions/A/LLDB",
+    "lldb.launch.expressions": "native",
+    "lldb.suppressUpdateNotifications": true
+}
+EOT
+
+mkdir -p "$(dirname "$LSP_SETTINGS")"
+cat <<EOT > "$LSP_SETTINGS"
+{
+    "swiftPM": {
+        "disableSandbox": true,
+        "swiftCompilerFlags": [
+            "-disable-sandbox"
+        ]
+    }
+}
+EOT
+
+npm ci -ignore-script node-pty
+npm run lint
+npm run format
+npm run package
+
+# Ignore hooks when running locally for development
+export GIT_CONFIG_COUNT=1
+export GIT_CONFIG_KEY_0="core.hookspath"
+export GIT_CONFIG_VALUE_0="$PWD/hooks"
+
+# Need to set proxy to download VS Code
+export npm_config_https_proxy="$HTTPS_PROXY"
+
+VSCODE_DATA_DIR="$USER_DATA" CI=1 FAST_TEST_RUN=1 npm run coverage -- --coverage-output "$PWD/coverage"

package.json

@@ -689,7 +689,12 @@
           "swift.swiftSDK": {
             "type": "string",
             "default": "",
-            "markdownDescription": "The [Swift SDK](https://github.com/swiftlang/swift-evolution/blob/main/proposals/0387-cross-compilation-destinations.md) to compile against (`--swift-sdk` parameter).",
+            "markdownDescription": "The [Swift SDK](https://github.com/swiftlang/swift-evolution/blob/main/proposals/0387-cross-compilation-destinations.md) to compile against (`--swift-sdk` parameter)."
+          },
+          "swift.disableSandox": {
+            "type": "boolean",
+            "default": false,
+            "markdownDescription": "Disable sandboxing when running SwiftPM commands. In most cases you should keep the sandbox enabled and leave this setting set to `false`",
             "order": 4
           },
           "swift.diagnostics": {

src/commands/dependencies/unedit.ts

@@ -44,7 +44,12 @@ async function uneditFolderDependency(
 ) {
     try {
         const uneditOperation = new SwiftExecOperation(
-            ["package", "unedit", ...args, identifier],
+            ctx.toolchain.buildFlags.withAdditionalFlags([
+                "package",
+                "unedit",
+                ...args,
+                identifier,
+            ]),
             folder,
             `Finish editing ${identifier}`,
             { showStatusItem: true, checkAlreadyRunning: false, log: "Unedit" },

src/commands/dependencies/useLocal.ts

@@ -50,7 +50,13 @@ export async function useLocalDependency(
         folder = folders[0];
     }
     const task = createSwiftTask(
-        ["package", "edit", "--path", folder.fsPath, identifier],
+        ctx.toolchain.buildFlags.withAdditionalFlags([
+            "package",
+            "edit",
+            "--path",
+            folder.fsPath,
+            identifier,
+        ]),
         "Edit Package Dependency",
         {
             scope: currentFolder.workspaceFolder,

src/commands/resetPackage.ts

@@ -35,7 +35,10 @@ export async function resetPackage(ctx: WorkspaceContext) {
  */
 export async function folderResetPackage(folderContext: FolderContext) {
     const task = createSwiftTask(
-        ["package", "reset"],
+        folderContext.workspaceContext.toolchain.buildFlags.withAdditionalFlags([
+            "package",
+            "reset",
+        ]),
         "Reset Package Dependencies",
         {
             cwd: folderContext.folder,