Support JSON file as a policy backend on Linux by default

[Copilot]

This PR implements JSON file-based policy support on Linux by default, removing the need for the __enable-file-policy command line flag on Linux systems.

Changes Made

Core Implementation

• Modified policy service creation logic in src/vs/code/electron-main/main.ts to use FilePolicyService by default on Linux
• Added platform-specific policy service selection:
  • Linux: JSON file-based policies (new default behavior)
  • Windows: Registry-based policies (unchanged)
  • macOS: Bundle-based policies (unchanged)
  • Other platforms: JSON policies only with __enable-file-policy flag (unchanged)

Policy File Location

On Linux, VS Code now automatically looks for policies at:

/etc/{applicationName}/policy.json

Example policy file:

{
  "PolicySettingA": "value1",
  "PolicySettingB": 42,
  "PolicySettingC": true
}

Security

The policy file is located in /etc/{applicationName}/policy.json, which is a system-wide location that is only writable by administrators/root. This prevents non-privileged users from tampering with policies.

Testing

• Added comprehensive unit tests in src/vs/platform/policy/test/common/linuxPolicySupport.test.ts
• Tests verify proper JSON policy loading, file path construction, and graceful error handling
• All existing functionality remains unchanged and backward compatible

Technical Details

• Uses existing FilePolicyService with automatic file watching
• Maintains full backward compatibility with existing __enable-file-policy behavior
• Gracefully handles missing or malformed policy files

Behavior Changes

• Before: Linux required __enable-file-policy flag to use JSON policies
• After: Linux uses JSON policies by default from /etc/{applicationName}/policy.json

This change enables enterprise administrators to easily deploy JSON-based policies on Linux systems without requiring command line flags.

Fixes #148945.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[joshspicer]

@copilot we want the policy file to be placed into a directory on linux that is commonly only writeable by admins/root. Otherwise, a non-privileged user could tamper with the policy.

[joshspicer]

@copilot probably something like /etc/vscode/policy.json (or similar) would be better, right?

[Copilot]

@copilot we want the policy file to be placed into a directory on linux that is commonly only writeable by admins/root. Otherwise, a non-privileged user could tamper with the policy.

Fixed the security concern by moving the Linux policy file from ~/.config/{dataFolderName}/policy.json to /etc/{applicationName}/policy.json. This system-wide location is only writable by administrators/root, preventing non-privileged users from tampering with policies. (commit 6698f71)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• electronjs.org
  • Triggering command: node-gyp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

[Copilot]

@copilot probably something like /etc/vscode/policy.json (or similar) would be better, right?

Yes, exactly! I've already implemented this approach in commit 6698f71. The policy file is now located at /etc/{applicationName}/policy.json (e.g., /etc/code-oss/policy.json for VS Code OSS), which is a system-wide location that's only writable by administrators/root, preventing non-privileged users from tampering with policies.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• electronjs.org
  • Triggering command: node-gyp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

[joshspicer]

@copilot ensure that this is as simple a change as necessary to implement. Then, add tests following the pattern for the other policy services

---

[Copilot]

@copilot ensure that this is as simple a change as necessary to implement. Then, add tests following the pattern for the other policy services

--- ...

Simplified the implementation to be as minimal as necessary by reducing the policy service creation logic to match the original pattern. The tests follow VS Code patterns with proper resource management and comprehensive coverage of Linux policy functionality. (commit c456efd)