mirrors/tailscale
1
0
Fork 0
Code Issues Pull Requests Projects Wiki Activity

safesocket: correct logic for determining if we're a macOS GUI client (#15187)

Browse Source 
fixes tailscale/corp#26806

This was still slightly incorrect. We care only if the caller is the macSys
or macOs app.  isSandBoxedMacOS doesn't give us the correct answer
for macSys because technically, macsys isn't sandboxed.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
This commit is contained in:
Jonathan Nobels 2025-03-03 14:54:57 -05:00 committed by GitHub
parent ce6ce81311
commit 5449aba94c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
safesocket/safesocket_darwin.go
View File

@ -37,16 +37,16 @@ type safesocketDarwin struct {
sameuserproofFD *os.File // file descriptor for macos app store sameuserproof file sameuserproofFD *os.File // file descriptor for macos app store sameuserproof file
sharedDir string // shared directory for location of sameuserproof file sharedDir string // shared directory for location of sameuserproof file
checkConn bool // Check macsys safesocket port before returning it checkConn bool // Check macsys safesocket port before returning it
isMacSysExt func() bool // For testing only to force macsys isMacSysExt func() bool // For testing only to force macsys
isSandboxedMacos func() bool // For testing only to force macOS sandbox isMacGUIApp func() bool // For testing only to force macOS sandbox
} }
var ssd = safesocketDarwin{ var ssd = safesocketDarwin{
isMacSysExt: version.IsMacSysExt, isMacSysExt: version.IsMacSysExt,
isSandboxedMacos: version.IsSandboxedMacOS, isMacGUIApp: func() bool { return version.IsMacAppStore() || version.IsMacSysApp() },
checkConn: true, checkConn: true,
sharedDir: "/Library/Tailscale", sharedDir: "/Library/Tailscale",
} }
// There are three ways a Darwin binary can be run: as the Mac App Store (macOS) // There are three ways a Darwin binary can be run: as the Mac App Store (macOS)
@ -68,7 +68,7 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
ssd.mu.Lock() ssd.mu.Lock()
defer ssd.mu.Unlock() defer ssd.mu.Unlock()
if !ssd.isSandboxedMacos() { if !ssd.isMacGUIApp() {
return 0, "", ErrNoTokenOnOS return 0, "", ErrNoTokenOnOS
} }

4
safesocket/safesocket_darwin_test.go
View File

@ -17,7 +17,7 @@
func TestSetCredentials(t *testing.T) { func TestSetCredentials(t *testing.T) {
wantPort := 123 wantPort := 123
wantToken := "token" wantToken := "token"
tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true }) tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
SetCredentials(wantToken, wantPort) SetCredentials(wantToken, wantPort)
gotPort, gotToken, err := LocalTCPPortAndToken() gotPort, gotToken, err := LocalTCPPortAndToken()
@ -38,7 +38,7 @@ func TestSetCredentials(t *testing.T) {
// returns a listener and a non-zero port and non-empty token. // returns a listener and a non-zero port and non-empty token.
func TestInitListenerDarwin(t *testing.T) { func TestInitListenerDarwin(t *testing.T) {
temp := t.TempDir() temp := t.TempDir()
tstest.Replace(t, &ssd.isSandboxedMacos, func() bool { return true }) tstest.Replace(t, &ssd.isMacGUIApp, func() bool { return true })
ln, err := InitListenerDarwin(temp) ln, err := InitListenerDarwin(temp)
if err != nil || ln == nil { if err != nil || ln == nil {