safesocket: correct logic for determining if we're a macOS GUI client (#15187)

fixes tailscale/corp#26806

This was still slightly incorrect. We care only if the caller is the macSys
or macOs app.  isSandBoxedMacOS doesn't give us the correct answer
for macSys because technically, macsys isn't sandboxed.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>

safesocket/safesocket_darwin.go

@@ -39,12 +39,12 @@ type safesocketDarwin struct {
 
 	checkConn   bool        // Check macsys safesocket port before returning it
 	isMacSysExt func() bool // For testing only to force macsys
-	isSandboxedMacos func() bool // For testing only to force macOS sandbox
+	isMacGUIApp func() bool // For testing only to force macOS sandbox
 }
 
 var ssd = safesocketDarwin{
 	isMacSysExt: version.IsMacSysExt,
-	isSandboxedMacos: version.IsSandboxedMacOS,
+	isMacGUIApp: func() bool { return version.IsMacAppStore() || version.IsMacSysApp() },
 	checkConn:   true,
 	sharedDir:   "/Library/Tailscale",
 }
@@ -68,7 +68,7 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 	ssd.mu.Lock()
 	defer ssd.mu.Unlock()
 
-	if !ssd.isSandboxedMacos() {
+	if !ssd.isMacGUIApp() {
 		return 0, "", ErrNoTokenOnOS
 	}
 

safesocket/safesocket_darwin_test.go

@@ -17,7 +17,7 @@
 func TestSetCredentials(t *testing.T) {
 	wantPort := 123
 	wantToken := "token"
-	tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true })
+	tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
 	SetCredentials(wantToken, wantPort)
 
 	gotPort, gotToken, err := LocalTCPPortAndToken()
@@ -38,7 +38,7 @@ func TestSetCredentials(t *testing.T) {
 // returns a listener and a non-zero port and non-empty token.
 func TestInitListenerDarwin(t *testing.T) {
 	temp := t.TempDir()
-	tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true })
+	tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
 
 	ln, err := InitListenerDarwin(temp)
 	if err != nil || ln == nil {