Enable user to repair bubble wrap incase of error due to app armor#320866
Open
dileepyavan wants to merge 4 commits into
Open
Enable user to repair bubble wrap incase of error due to app armor#320866dileepyavan wants to merge 4 commits into
dileepyavan wants to merge 4 commits into
Conversation
dileepyavan
changed the title
Contributor
📬 CODENOTIFYThe following users are being notified based on files changed in this PR: @anthonykim1Matched files:
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves the terminal sandbox precheck flow on Linux by distinguishing between “bubblewrap missing” vs “bubblewrap installed but unusable” (e.g. AppArmor userns restrictions), and adds a user-confirmable remediation path that can attempt to repair the environment before retrying the command.
Changes:
- Add a bubblewrap capability probe (
bubblewrapUsable+bubblewrapError) and surface a dedicated prereq failure (TerminalSandboxPrerequisiteCheck.Bubblewrap) with remediations. - Add a “Repair Bubblewrap Sandbox” confirmation flow and remediation execution path, including forced prereq re-check after installs/remediations.
- Refine chat notifications to omit “exit code 0” from “command completed/terminal exited” messages, and expand/update tests.
Show a summary per file
| File | Description |
|---|---|
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/electron-browser/runInTerminalTool.test.ts | Adds coverage for bubblewrap unusable + remediation/refresh flows and exit-code messaging changes. |
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/test/browser/terminalSandboxService.test.ts | Adds tests for bubblewrap unusable reporting and remediation command execution. |
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalSandboxService.ts | Implements runSandboxRemediation and unifies prerequisite command execution. |
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/common/terminalChatAgentToolsConfiguration.ts | Updates sandbox filesystem setting descriptions re: workspace storage writes. |
| src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts | Adds bubblewrap remediation confirmation/invocation flow and omits success exit code in chat notices. |
| src/vs/workbench/contrib/chat/common/chatService/chatService.ts | Extends terminal tool invocation data with remediation/failure fields. |
| src/vs/workbench/contrib/chat/browser/widget/chatContentParts/toolInvocationParts/chatToolInvocationPart.ts | Switches confirmation UI subpart to the generalized sandbox prerequisite confirmation. |
| src/vs/workbench/contrib/chat/browser/widget/chatContentParts/toolInvocationParts/chatSandboxPrerequisiteConfirmationSubPart.ts | New/renamed confirmation subpart for sandbox dependency/remediation confirmations. |
| src/vs/platform/sandbox/test/node/sandboxHelper.test.ts | New unit tests for bubblewrap probing behavior in the helper service. |
| src/vs/platform/sandbox/test/common/terminalSandboxEngine.test.ts | Updates dependency status shape and adds coverage for caching + bubblewrap remediation reporting. |
| src/vs/platform/sandbox/node/sandboxHelper.ts | Adds bubblewrap capability probe via execFile and reports usability/error details. |
| src/vs/platform/sandbox/common/terminalSandboxService.ts | Adds prereq check + remediation enums and exposes runSandboxRemediation on the service contract. |
| src/vs/platform/sandbox/common/terminalSandboxEngine.ts | Surfaces bubblewrap unusable as a distinct prereq failure with remediation(s). |
| src/vs/platform/sandbox/common/sandboxHelperService.ts | Extends dependency status to include bubblewrapUsable and bubblewrapError. |
| src/vs/platform/sandbox/browser/sandboxHelperService.ts | Updates null helper to return bubblewrapUsable: true for browser environments. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/vs/workbench/contrib/terminalContrib/chatAgentTools/browser/tools/runInTerminalTool.ts:997
- The bubblewrap remediation confirmation text is too generic for an action that runs a privileged sysctl and weakens a system security policy. The confirmation should clearly state what will be executed (including the exact command), that it requires sudo, that it changes the kernel setting (likely until reboot), and that it may reduce system security.
message: new MarkdownString(localize(
'runInTerminal.missingDeps.message',
"The following dependencies required for sandboxed execution are not installed: {0}. Would you like to install them?",
- Files reviewed: 15/15 changed files
- Comments generated: 3
Comment on lines
+26
to
28
| export const enum TerminalSandboxPreCheckRemediation { | ||
| DisableUnprivilagedusernamespaceRestriction = 'disableUserNamespaceRestriction', | ||
| } |
Comment on lines
+295
to
+297
| default: | ||
| throw new Error('Unsupported sandbox remediation'); | ||
| } |
Comment on lines
+617
to
+620
| /** Approved repair actions that may make an installed but unusable sandbox dependency work. */ | ||
| sandboxRemediations?: string[]; | ||
| /** User-visible reason a sandbox prerequisite cannot be repaired automatically. */ | ||
| sandboxPrerequisiteFailure?: string; |
DonJayamanne
approved these changes
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes: #316046