I’ve found the lack of glob or regexp support in fapolicyd frustrating as well for exactly the same reason. I’ve succeeded as follows. The first bit is fairly clean but the second part is a bit of a hack. I’d love to know if someone else has come up with a more elegant solution

1. Enable the downloaded executable to be run. I add the following rule to 06-custom_allow.rules (where $gituserid is the user id of the developer and $username is the username):

   allow_audit perm=execute gid=$gituserid exe=/usr/bin/bash : ftype=application/x-executable dir=/home/$username/.vscode-server/

2. Enable VS Code Server to run. This is harder because the create a whole new directory and set of files whenever the extension is updated. To get round this I run the following script every time it stops working due to an extension update

# /usr/bin/bash
if [[ -z $1 ]]
then
    echo 'Specify the user to enable with VS Code Server'
    exit
fi
echo "Enabling $1 for VS Code Server.  This script must be run with SUDO permissions to be effective"
# Clean up previous trust
rm /etc/fapolicyd/trust.d/vscode-server
# Establish trust on updated vscode-server
fapolicyd-cli --file add "/home/$1/.vscode-server/bin/"  --trust-file vscode-server
fapolicyd-cli --update
systemctl restart fapolicyd

Every now and then you probably need to clean up the .vscode-server/bin directory or it will accumulate different versions and making the vscode-server trust file long