Lock down file browser to certain directory

[PhilsLab]

Being able to browse / in a docker container might be unwanted behavior.
I'd like to set an environment variable which locks the file/folder browser to a certain directory, such as /data/projects, etc.

[kylecarbs]

Interesting. Wouldn't someone be able to use the terminal to break out anyways?

For a jailed session, I'd recommend running a docker container with the project directory mounted in.

[PhilsLab]

Yeah, I already thought about having containers for each terminal.
If that would be implemented, there should be options for using the host docker (bind mount /var/lib/docker.sock) or using the Kubernetes API to spawn the container (ClusterRole).
Also, when using containers, there should be some kind of image that provides the needed programming tools for the project.

[PhilsLab]

Also consider to switch to another docker base image when implementing this (node / alpine), it should be fully decoupled from the VS code terminals.

[unixfox]

What about using systemd to lock down the session? Systemd is very powerful at that, it's even possible to set some parameters to protect against a fork bomb:

• https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
• http://0pointer.de/blog/projects/changing-roots.html

systemd nspawn would be also a great tool to easily lock down the session: https://wiki.archlinux.org/index.php/systemd-nspawn
On systemd nspawn you can even launch unprivileged containers.

[PhilsLab]

I don't think you should rely on the system having SystemD installed. Also, using the project scaled across a cluster would be way easier with docker/kubernetes integration.

[unixfox]

I didn't mean to only use systemd, we could provide several type of config for the user.

[nhooyr]

I don't think its appropriate to implement this as part of code-server.

You can always deploy the docker image and only mount the directory you want edited.

[PhilsLab]

I can use the docker image, which also allows me to kill the server inside the docker container. When hosting this for others to use, it's a big downside, especially when the multi-user feature gets implemented.
Also, if you spawn docker containers as terminals, you can choose prebuilt images for python, node, etc., which is a lot nicer than having to manually install the tools you need each time.
I really hope you to re-evaluate this idea.

[nhooyr]

You can build a custom docker image based on the existing image. See docker's FROM. So you wouldn't have to do things each time.

We can evaluate docker containers as terminals in a different issue.

This issue was about locking vscode server down which I think is out of scope. You can put it in a VM or a container easily if you want an isolated environment.