From 6288c9b41e830d06ea9c571243fadaf7be0a672f Mon Sep 17 00:00:00 2001 From: Andrea Gottardo Date: Tue, 19 Mar 2024 14:50:34 -0700 Subject: [PATCH] version/prop: remove IsMacAppSandboxEnabled (#11461) Fixes tailscale/corp#18441 For a few days, IsMacAppStore() has been returning `false` on App Store builds (IPN-macOS target in Xcode). I regressed this in #11369 by introducing logic to detect the sandbox by checking for the APP_SANDBOX_CONTAINER_ID environment variable. I thought that was a more robust approach instead of checking the name of the executable. However, it appears that on recent macOS versions this environment variable is no longer getting set, so we should go back to the previous logic that checks for the executable path, or HOME containing references to macsys. This PR also adds additional checks to the logic by also checking XPC_SERVICE_NAME in addition to HOME where possible. That environment variable is set inside the network extension, either macos or macsys and is good to look at if for any reason HOME is not set. --- version/prop.go | 33 +++++---------------------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/version/prop.go b/version/prop.go index 11cc69c03..3156b3605 100644 --- a/version/prop.go +++ b/version/prop.go @@ -71,7 +71,7 @@ func IsMacSysApp() bool { } // Check that this is the GUI binary, and it is not sandboxed. The GUI binary // shipped in the App Store will always have the App Sandbox enabled. - return strings.HasSuffix(exe, "/Contents/MacOS/Tailscale") && !IsMacAppSandboxEnabled() + return strings.HasSuffix(exe, "/Contents/MacOS/Tailscale") && !IsMacAppStore() }) } @@ -85,7 +85,8 @@ func IsMacSysExt() bool { return false } return isMacSysExt.Get(func() bool { - if strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macsys/") { + if strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macsys/") || + strings.Contains(os.Getenv("XPC_SERVICE_NAME"), "io.tailscale.ipn.macsys") { return true } exe, err := os.Executable() @@ -96,19 +97,6 @@ func IsMacSysExt() bool { }) } -var isMacAppSandboxEnabled lazy.SyncValue[bool] - -// IsMacAppSandboxEnabled reports whether this process is subject to the App Sandbox -// on macOS. -func IsMacAppSandboxEnabled() bool { - if runtime.GOOS != "darwin" { - return false - } - return isMacAppSandboxEnabled.Get(func() bool { - return os.Getenv("APP_SANDBOX_CONTAINER_ID") != "" - }) -} - var isMacAppStore lazy.SyncValue[bool] // IsMacAppStore whether this binary is from the App Store version of Tailscale @@ -121,19 +109,8 @@ func IsMacAppStore() bool { // Both macsys and app store versions can run CLI executable with // suffix /Contents/MacOS/Tailscale. Check $HOME to filter out running // as macsys. - if !IsMacAppSandboxEnabled() { - // If no sandbox found, we're definitely not on an App Store release, as you cannot push - // anything to the App Store that has the App Sandbox disabled. - return false - } - if strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macsys/") { - return false - } - exe, err := os.Executable() - if err != nil { - return false - } - return strings.HasSuffix(exe, "/Contents/MacOS/Tailscale") || strings.HasSuffix(exe, "/Contents/MacOS/IPNExtension") + return strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macos/") || + strings.Contains(os.Getenv("XPC_SERVICE_NAME"), "io.tailscale.ipn.macos") }) }