fix: snap package validation

[deepak1556]

Fixes #127081

[deepak1556]

Build https://dev.azure.com/monacotools/Monaco/_build/results?buildId=124922&view=results

• verify SNAP_ENFORCE_RESQUASHFS=1 snap-review <path-to>/code-insiders.snap
• verify code-insiders --disable-namespace-sandbox

[deepak1556]

Since resquash test doesn't allow setuid bit for chrome-sandbox, if we need to pass the validation step then we cannot chmod 4755 in any of the lifecycle steps. Two options for snap package,

1. Always disable sandbox but eventually we should change our confinement from classic for this to be safer.

2. Disable setuid sandbox, so that app always default to user namespace sandbox which is available on all kernels >=3.10. For users unable to use namespace sandbox suggest workaround The SUID sandbox helper binary was found, but is not configured correctly electron/electron#17972 (comment) if they can configure.

/cc @bpasero thoughts ?

Currently deb and rpm supports the fallback setuid sandbox, we are only facing this issue with snap.

[deepak1556]

Another option, reach out to the snapcraft team and see if we can get an exception in the resquash test.

[bpasero]

my 2 cents: if we cannot get sandbox to work with snap, we should stop releasing VSCode on snap and work with them to enable this.

Until we are there to enable sandbox, we can go back to no sandbox if that helps for snap only.

[deepak1556]

Agree, will disable sandbox in snap for now, opened #127140 to track next steps.