safesocket: return an error for LocalTCPPortAndToken for tailscaled (#15144)

fixes tailscale/corp#26806 Fixes a regression where LocalTCPPortAndToken needs to error out early if we're not running as sandboxed macos so that we attempt to connect using the normal unix machinery. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
2025-08-20 01:47:33 +00:00 · 2025-02-27 18:55:46 -05:00
parent 6df0aa58bb
commit 90273a7f70
2 changed files with 14 additions and 5 deletions
--- a/safesocket/safesocket_darwin.go
+++ b/safesocket/safesocket_darwin.go
@@ -37,14 +37,16 @@ type safesocketDarwin struct {
 	sameuserproofFD *os.File // file descriptor for macos app store sameuserproof file
 	sharedDir       string   // shared directory for location of sameuserproof file

-	checkConn   bool        // Check macsys safesocket port before returning it
-	isMacSysExt func() bool // For testing only to force macsys
+	checkConn        bool        // Check macsys safesocket port before returning it
+	isMacSysExt      func() bool // For testing only to force macsys
+	isSandboxedMacos func() bool // For testing only to force macOS sandbox
 }

 var ssd = safesocketDarwin{
-	isMacSysExt: version.IsMacSysExt,
-	checkConn:   true,
-	sharedDir:   "/Library/Tailscale",
+	isMacSysExt:      version.IsMacSysExt,
+	isSandboxedMacos: version.IsSandboxedMacOS,
+	checkConn:        true,
+	sharedDir:        "/Library/Tailscale",
 }

 // There are three ways a Darwin binary can be run: as the Mac App Store (macOS)
@@ -66,6 +68,10 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 	ssd.mu.Lock()
 	defer ssd.mu.Unlock()

+	if !ssd.isSandboxedMacos() {
+		return 0, "", ErrNoTokenOnOS
+	}
+
 	if ssd.port != 0 && ssd.token != "" {
 		return ssd.port, ssd.token, nil
 	}