Merge pull request #7942 from microsoft/portable-mode

Include instructions for Linux sandboxing

Author: ntrogh

docs/editor/portable.md

@@ -5,17 +5,18 @@ TOCTitle: Portable Mode
 ContentId: A5C839C4-67E9-449C-94B8-4B310FCAAB1B
 PageTitle: Portable Mode in Visual Studio Code
 DateApproved: 12/11/2024
-MetaDescription: Visual Studio Code supports a Portable Mode.
+MetaDescription: Visual Studio Code supports a Portable mode that enables moving your installation and related data to a different location.
 ---
-# Portable Mode
+# Portable mode
 
 Visual Studio Code supports [Portable mode](https://en.wikipedia.org/wiki/Portable_application). This mode enables all data created and maintained by VS Code to live near itself, so it can be moved around across environments.
 
 This mode also provides a way to set the installation folder location for VS Code extensions, useful for corporate environments that prevent extensions from being installed in the Windows AppData folder.
 
 Portable mode is supported on the ZIP download for Windows, and the TAR.GZ download for Linux, as well as the regular Application download for macOS. See the [Download page](/download) to find the correct `.zip / .tar.gz` file for your platform.
 
-> **Note:** Do not attempt to configure portable mode on an installation from the **Windows User or System installers**. Portable mode is only supported on the Windows ZIP (`.zip`) archive. Note as well that the Windows ZIP archive does not support auto update.
+> [!IMPORTANT]
+> Do not attempt to configure portable mode on an installation from the **Windows User or System installers**. Portable mode is only supported on the Windows ZIP (`.zip`) archive. Note also that the Windows ZIP archive does not support auto update.
 
 ## Enable Portable mode
 
@@ -35,10 +36,24 @@ After unzipping the VS Code download, create a `data` folder within VS Code's fo
 
 From then on, the `data` folder will be used to contain all VS Code data, including session state, preferences, extensions, etc.
 
->**Note**: The `data` folder will override the `--user-data-dir` and `--extensions-dir` [command line](/docs/editor/command-line.md#advanced-cli-options) options.
+> [!NOTE]
+> The `data` folder will override the `--user-data-dir` and `--extensions-dir` [command line](/docs/editor/command-line.md#advanced-cli-options) options.
 
 The `data` folder can be moved to other VS Code installations. This is useful for updating your portable VS Code version, in which case you can move the `data` folder to a newer extracted version of VS Code.
 
+### Linux
+
+On **Linux**, in addition to creating the `data` folder, you also need to set the correct [Electron sandbox](https://www.electronjs.org/docs/tutorial/sandbox) permissions.
+
+Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [`setuid` sandbox](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md) via the helper binary `chrome-sandbox` that is shipped alongside the application binary.
+
+Run the following commands to set the correct permissions of the `setuid` helper:
+
+```bash
+sudo chown root <path-to-vscode>/chrome-sandbox
+sudo chmod 4755 <path-to-vscode>/chrome-sandbox
+```
+
 ### macOS
 
 On **macOS**, you need to place the data folder as a sibling of the application itself. Since the folder will be alongside the application, you need to name it specifically so that VS Code can find it. The default folder name is `code-portable-data`:
@@ -54,7 +69,8 @@ Portable Mode won't work if your application is in [quarantine](https://apple.st
 xattr -dr com.apple.quarantine Visual\ Studio\ Code.app
 ```
 
-**Note:** On Insiders, the folder should be named `code-insiders-portable-data`.
+> [!NOTE]
+> On Insiders, the folder should be named `code-insiders-portable-data`.
 
 ## Update Portable VS Code
 

release-notes/v1_59.md

@@ -477,7 +477,7 @@ In this milestone, we finished the exploration to bundle Electron 13 into VS Cod
 
 ### Progress for Electron sandbox support
 
-As we continue to make the VS Code workbench ready for enabling Electron's [sandbox](https://www.electronjs.org/docs/tutorial/sandbox), we wanted to enable mixed sandbox mode on Linux and no longer bundle with the CLI argument `--no-sandbox` in our distributed packages deb, rpm, snap and tar archive. Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [setuid sandbox](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/suid_sandbox.md) via the helper binary `chrome-sandbox` shipped alongside the application binary. For the setuid binary to work, it needs to meet the following conditions:
+As we continue to make the VS Code workbench ready for enabling Electron's [sandbox](https://www.electronjs.org/docs/tutorial/sandbox), we wanted to enable mixed sandbox mode on Linux and no longer bundle with the CLI argument `--no-sandbox` in our distributed packages deb, rpm, snap and tar archive. Chromium has a [multi-layer sandboxing model on Linux](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md). If Chromium cannot use the namespace sandbox for layer-1, it will try to use the [`setuid` sandbox](https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md) via the helper binary `chrome-sandbox` that is shipped alongside the application binary. For the `setuid` binary to work, it needs to meet the following conditions:
 
 * The sandbox binary must be executable by the Chromium process.
 * It must be SUID and executable by others.
@@ -492,7 +492,7 @@ FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but
 
 If that happens, you can use either of the following two options to get it working:
 
-* Fix the permissions of setuid helper
+* Fix the permissions of `setuid` helper
 
   ```bash
   sudo chown root <path-to-vscode>/chrome-sandbox