
Is there a way to disable the terminal? #1937

Open
rdbeach opened this issue Aug 2, 2020 · 10 comments
Labels
enhancement Some improvement that isn't a feature security Security related
Milestone

Comments

@rdbeach
Contributor

rdbeach commented Aug 2, 2020

Hi. I was wondering if it was possible to disable the terminal. This would involve both removing from the UI and preventing terminal requests from being processed by the server. Or if you could direct me to the part of the code where terminal requests are handled, that would be helpful. I've been looking at the code for a few days now, but am finding the execution flow very difficult to follow. Thx.

@rdbeach rdbeach added the feature label Aug 2, 2020
@code-asher
Member

There's no way to disable it at the moment so we'd need to add it.

The terminal requests are handled via the extension host protocol. The server-side implementation is in lib/vscode/src/vs/workbench/api/node/extHostTerminalService.ts so maybe we could just throw errors if those methods are called and terminals are disabled.

Terminals are used for debugging as well so doing this will also disable debugging.

In terms of the UI I think it might be better to leave everything in and show a message when trying to access the disabled functionality. Something like "terminals have been disabled", just to prevent anyone from thinking the missing terminals are a bug or something like that, especially if they're familiar with VS Code already.

For the terminal we can write a message in lib/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts by adding an xterm.write("message").

You might have already considered this but just in case you'll also probably need to disable installing new extensions (or whitelist extensions in some way) and make the extensions directory read-only (or restrict the file picker, see #1834) so users can't add an extension that just bypasses all this and gives them access to run commands on the system.

Depending on your goal it might be easier to run code-server in some kind of jail but I think we plan on doing this for collaboration eventually anyway (we'd disable all the "dangerous" stuff for the guests) so it wouldn't be bad to get a start on it.

@nhooyr nhooyr added security Security related enhancement Some improvement that isn't a feature and removed feature labels Dec 7, 2020
@dyegoaurelio

Any updates?

@code-asher
Member

code-asher commented Jan 19, 2021 via email

@jsjoeio jsjoeio added this to the Backlog milestone Apr 29, 2021
@Livven

Livven commented Jun 11, 2021

Regarding the security aspect, also consider the VS Code tasks system, Git hooks, and probably a lot more. The attack surface here is extremely large.

@qqw78901

Any updates?

@code-asher
Member

code-asher commented Jul 12, 2021 via email

@laza6030

Any update?

@code-asher
Member

code-asher commented Dec 10, 2021 via email

@code-asher
Member

If someone picks this up here are some investigation notes: #6138 (comment)

@malwareslayer

On Linux you could use firejail to restrict the specific things you want, instead of modifying the parent functionality to be disabled. In my case I just let my code-server run Java and minimal shell utilities (no cat). For example:

```
include code-server.local
include globals.local

# Default Java
include allow-java.inc

noblacklist ${PATH}/javac

whitelist /usr/bin/java
whitelist /usr/bin/javac
# =======

include disable-common.inc
include disable-devel.inc
# include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc

whitelist ${HOME}/.config/fish/fish_variables
whitelist ${HOME}/.config/fish/completions
whitelist ${HOME}/.config/fish/conf.d
whitelist ${HOME}/.config/fish/functions/fish_greeting.fish
whitelist ${HOME}/.config/fish/functions/fish_right_prompt.fish

whitelist ${HOME}/.config/omf
whitelist ${HOME}/.local/share/omf

## Code Server User Directory
whitelist ${HOME}/.config/code-server
whitelist ${HOME}/.local/share/code-server

whitelist /usr/bin/code-server
## =======

## Default Shared
whitelist ${HOME}/Documents/Workspaces Shared
## =======

whitelist /usr/bin/cd
whitelist /usr/bin/clear
whitelist /usr/bin/basename
whitelist /usr/bin/bash
whitelist /usr/bin/date
whitelist /usr/bin/dirname
whitelist /usr/bin/echo
whitelist /usr/bin/env
whitelist /usr/bin/file
whitelist /usr/bin/fish
whitelist /usr/bin/git
whitelist /usr/bin/jobs
whitelist /usr/bin/kill
whitelist /usr/bin/ls
whitelist /usr/bin/mkdir
whitelist /usr/bin/readlink
whitelist /usr/bin/realpath
whitelist /usr/bin/sh
whitelist /usr/bin/shellfirm
whitelist /usr/bin/set
whitelist /usr/bin/stat
whitelist /usr/bin/stty
whitelist /usr/bin/test
whitelist /usr/bin/uname
whitelist /usr/bin/wc

noblacklist /sbin
noblacklist /usr/sbin
noblacklist /usr/bin
noblacklist /usr/lib

blacklist /boot
blacklist /var
blacklist /efi
blacklist /mnt
blacklist /opt
blacklist /root
blacklist /srv

caps.drop all
ipc-namespace
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
seccomp

disable-mnt
private-dev
private-tmp

restrict-namespaces
```
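As an added check, not part of this thread or of firejail itself, here is a small Python linter that reviews a profile of the shape posted above: it reports hardening directives that are absent, includes that are commented out (the post leaves `disable-exec.inc` disabled), and whitelisted shells, which matter if the goal is to keep users from running arbitrary commands. The `REQUIRED` and `SHELLS` lists and the sample profile are my own constructed assumptions.

```python
"""Lint a firejail profile for the sandboxing points raised in this thread."""
import re

# Constructed sample: a trimmed profile shaped like the one posted above,
# with disable-exec.inc commented out exactly as in the post.
SAMPLE_PROFILE = """\
include code-server.local
include disable-common.inc
# include disable-exec.inc
include disable-interpreters.inc
whitelist ${HOME}/.local/share/code-server
whitelist /usr/bin/bash
whitelist /usr/bin/java
caps.drop all
nonewprivs
noroot
seccomp
"""

# Assumed baseline: directives a sandboxed code-server should carry.
REQUIRED = ("caps.drop all", "nonewprivs", "noroot", "seccomp", "private-tmp")
# Assumed list of binaries that hand the user a general-purpose command runner.
SHELLS = ("sh", "bash", "fish", "zsh", "dash")


def parse_profile(text):
    """Return (active_lines, commented_includes) for a firejail profile."""
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"#\s*(include\s+\S+)", line)
        if m:                              # an include that was switched off
            commented.append(m.group(1))
        elif not line.startswith("#"):     # skip ordinary comments
            active.append(line)
    return active, commented


def lint_profile(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    active, commented = parse_profile(text)
    findings = [f"missing hardening directive: {d}" for d in REQUIRED if d not in active]
    findings += [f"include is commented out: {inc}" for inc in commented]
    for line in active:
        if line.startswith("whitelist "):
            path = line.split()[1]
            if path.rsplit("/", 1)[-1] in SHELLS:
                findings.append(f"whitelisted shell: {path}")
    return findings
```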

Projects
None yet
Development

No branches or pull requests

9 participants