// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build !windows
package safesocket
import (
"bufio"
"bytes"
"fmt"
"io"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"runtime"
"strings"
)
// TODO(apenwarr): handle magic cookie auth
func connect(path string, port uint16) (net.Conn, error) {
if runtime.GOOS == "darwin" && path == "" && port == 0 {
return connectMacOSAppSandbox()
}
pipe, err := net.Dial("unix", path)
if err != nil {
if runtime.GOOS == "darwin" {
extConn, err := connectMacOSAppSandbox()
if err != nil {
log.Printf("safesocket: failed to connect to Tailscale IPNExtension: %v", err)
} else {
return extConn, nil
}
}
return nil, err
}
return pipe, err
}
// TODO(apenwarr): handle magic cookie auth
func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
// Unix sockets hang around in the filesystem even after nobody
// is listening on them. (Which is really unfortunate but long-
// entrenched semantics.) Try connecting first; if it works, then
// the socket is still live, so let's not replace it. If it doesn't
// work, then replace it.
//
// Note that there's a race condition between these two steps. A
// "proper" daemon usually uses a dance involving pidfiles to first
// ensure that no other instances of itself are running, but that's
// beyond the scope of our simple socket library.
c, err := net.Dial("unix", path)
if err == nil {
c.Close()
return nil, 0, fmt.Errorf("%v: address already in use", path)
}
_ = os.Remove(path)
os.MkdirAll(filepath.Dir(path), 0755) // best effort
pipe, err := net.Listen("unix", path)
if err != nil {
return nil, 0, err
}
os.Chmod(path, 0666)
return pipe, 0, err
}
// connectMacOSAppSandbox connects to the Tailscale Network Extension,
// which is necessarily running within the macOS App Sandbox. Our
// little dance to connect a regular user binary to the sandboxed
// nework extension is:
//
// * the sandboxed IPNExtension picks a random localhost:0 TCP port
// to listen on
// * it also picks a random hex string that acts as an auth token
// * it then creates a file named "sameuserproof-$PORT-$TOKEN" and leaves
// that file descriptor open forever.
// * then we come along here, running as the same UID, but outside
// of the sandbox, and look for it. We can run lsof on our own processes,
// but other users on the system can't.
// * we parse out the localhost port number and the auth token
// * we connect to TCP localhost:$PORT
// * we send $TOKEN + "\n"
// * server verifies $TOKEN, sends "#IPN\n" if okay.
// * server is now protocol switched
// * we return the net.Conn and the caller speaks the normal protocol
func connectMacOSAppSandbox() (net.Conn, error) {
out, err := exec.Command("lsof",
"-n", // numeric sockets; don't do DNS lookups, etc
"-a", // logical AND remaining options
fmt.Sprintf("-u%d", os.Getuid()), // process of same user only
"-c", "IPNExtension", // starting with IPNExtension
"-F", // machine-readable output
).Output()
if err != nil {
return nil, err
}
bs := bufio.NewScanner(bytes.NewReader(out))
subStr := []byte(".tailscale.ipn.macos/sameuserproof-")
for bs.Scan() {
line := bs.Bytes()
i := bytes.Index(line, subStr)
if i == -1 {
continue
}
f := strings.SplitN(string(line[i+len(subStr):]), "-", 2)
if len(f) != 2 {
continue
}
portStr, token := f[0], f[1]
c, err := net.Dial("tcp", "localhost:"+portStr)
if err != nil {
return nil, fmt.Errorf("error dialing IPNExtension: %w", err)
}
if _, err := io.WriteString(c, token+"\n"); err != nil {
return nil, fmt.Errorf("error writing auth token: %w", err)
}
buf := make([]byte, 5)
const authOK = "#IPN\n"
if _, err := io.ReadFull(c, buf); err != nil {
return nil, fmt.Errorf("error reading from IPNExtension post-auth: %w", err)
}
if string(buf) != authOK {
return nil, fmt.Errorf("invalid response reading from IPNExtension post-auth")
}
return c, nil
}
return nil, fmt.Errorf("failed to find Tailscale's IPNExtension process")
}