safesocket: correct logic for determining if we're a macOS GUI client (#15187)

fixes tailscale/corp#26806

This was still slightly incorrect. We care only if the caller is the macSys
or macOs app.  isSandBoxedMacOS doesn't give us the correct answer
for macSys because technically, macsys isn't sandboxed.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
This commit is contained in:
Jonathan Nobels 2025-03-03 14:54:57 -05:00 committed by GitHub
parent ce6ce81311
commit 5449aba94c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 10 deletions

View File

@ -37,16 +37,16 @@ type safesocketDarwin struct {
sameuserproofFD *os.File // file descriptor for macos app store sameuserproof file
sharedDir string // shared directory for location of sameuserproof file
checkConn bool // Check macsys safesocket port before returning it
isMacSysExt func() bool // For testing only to force macsys
isSandboxedMacos func() bool // For testing only to force macOS sandbox
checkConn bool // Check macsys safesocket port before returning it
isMacSysExt func() bool // For testing only to force macsys
isMacGUIApp func() bool // For testing only to force macOS sandbox
}
var ssd = safesocketDarwin{
isMacSysExt: version.IsMacSysExt,
isSandboxedMacos: version.IsSandboxedMacOS,
checkConn: true,
sharedDir: "/Library/Tailscale",
isMacSysExt: version.IsMacSysExt,
isMacGUIApp: func() bool { return version.IsMacAppStore() || version.IsMacSysApp() },
checkConn: true,
sharedDir: "/Library/Tailscale",
}
// There are three ways a Darwin binary can be run: as the Mac App Store (macOS)
@ -68,7 +68,7 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
ssd.mu.Lock()
defer ssd.mu.Unlock()
if !ssd.isSandboxedMacos() {
if !ssd.isMacGUIApp() {
return 0, "", ErrNoTokenOnOS
}

View File

@ -17,7 +17,7 @@ import (
func TestSetCredentials(t *testing.T) {
wantPort := 123
wantToken := "token"
tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true })
tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
SetCredentials(wantToken, wantPort)
gotPort, gotToken, err := LocalTCPPortAndToken()
@ -38,7 +38,7 @@ func TestSetCredentials(t *testing.T) {
// returns a listener and a non-zero port and non-empty token.
func TestInitListenerDarwin(t *testing.T) {
temp := t.TempDir()
tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true })
tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
ln, err := InitListenerDarwin(temp)
if err != nil || ln == nil {