retry

ethanndickson · ethanndickson · commit bf0b75664687 · 2025-02-10T13:54:26.000+11:00
diff --git a/Coder Desktop/Coder Desktop/Coder_Desktop.entitlements b/Coder Desktop/Coder Desktop/Coder_Desktop.entitlements
@@ -8,15 +8,9 @@
 	</array>
 	<key>com.apple.developer.system-extension.install</key>
 	<true/>
-	<key>com.apple.security.app-sandbox</key>
-	<true/>
 	<key>com.apple.security.application-groups</key>
 	<array>
 		<string>$(TeamIdentifierPrefix)com.coder.Coder-Desktop</string>
 	</array>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
-	<key>com.apple.security.network.client</key>
-	<true/>
 </dict>
 </plist>
diff --git a/Coder Desktop/Coder Desktop/NetworkExtension.swift b/Coder Desktop/Coder Desktop/NetworkExtension.swift
@@ -24,12 +24,13 @@ enum NetworkExtensionState: Equatable {
 /// An actor that handles configuring, enabling, and disabling the VPN tunnel via the
 /// NetworkExtension APIs.
 extension CoderVPNService {
-    func hasNetworkExtensionConfig() async -> Bool {
+    func loadNetworkExtensionConfig() async {
         do {
-            _ = try await getTunnelManager()
-            return true
+            let tm = try await getTunnelManager()
+            neState = .disabled
+            serverAddress = tm.protocolConfiguration?.serverAddress
         } catch {
-            return false
+            neState = .unconfigured
         }
     }
 
diff --git a/Coder Desktop/Coder Desktop/VPNService.swift b/Coder Desktop/Coder Desktop/VPNService.swift
@@ -63,15 +63,13 @@ final class CoderVPNService: NSObject, VPNService {
     // only stores a weak reference to the delegate.
     var systemExtnDelegate: SystemExtensionDelegate<CoderVPNService>?
 
+    var serverAddress: String?
+
     override init() {
         super.init()
         installSystemExtension()
         Task {
-            neState = if await hasNetworkExtensionConfig() {
-                .disabled
-            } else {
-                .unconfigured
-            }
+            await loadNetworkExtensionConfig()
         }
         xpc.connect()
         xpc.getPeerState()
@@ -115,6 +113,7 @@ final class CoderVPNService: NSObject, VPNService {
     func configureTunnelProviderProtocol(proto: NETunnelProviderProtocol?) {
         Task {
             if let proto {
+                serverAddress = proto.serverAddress
                 await configureNetworkExtension(proto: proto)
                 // this just configures the VPN, it doesn't enable it
                 tunnelState = .disabled
diff --git a/Coder Desktop/Coder Desktop/XPCInterface.swift b/Coder Desktop/Coder Desktop/XPCInterface.swift
@@ -64,4 +64,37 @@ import VPNLib
             svc.onExtensionPeerUpdate(data)
         }
     }
+
+    // The NE has verified the dylib and knows better than mac's Gatekeeper
+    func removeQuarantine(path: String, reply: @escaping (Bool) -> Void) {
+        let reply = CallbackWrapper(reply)
+        Task { @MainActor in
+            let prompt = """
+            Coder Desktop wants to execute code downloaded from \
+            \(svc.serverAddress ?? "the Coder deployment"). The code has been \
+            verified to be signed by Coder.
+            """
+            let source = """
+            do shell script "xattr -d com.apple.quarantine \(path)" \
+            with prompt "\(prompt)" \
+            with administrator privileges
+            """
+            do {
+                try await withCheckedThrowingContinuation { continuation in
+                    guard let script = NSAppleScript(source: source) else {
+                        return
+                    }
+                    // Run on a background thread
+                    Task.detached {
+                        var error: NSDictionary?
+                        script.executeAndReturnError(&error)
+                        continuation.resume()
+                    }
+                }
+                reply(true)
+            } catch {
+                reply(false)
+            }
+        }
+    }
 }
diff --git a/Coder Desktop/VPN/Manager.swift b/Coder Desktop/VPN/Manager.swift
@@ -46,6 +46,11 @@ actor Manager {
         } catch {
             throw .validation(error)
         }
+
+        // HACK: The downloaded dylib may be quarantined, but we've validated it's signature
+        // so it's safe to execute. However, the SE must be sandboxed, so we defer to the app.
+        try await removeQuarantine(dest)
+
         do {
             try tunnelHandle = TunnelHandle(dylibPath: dest)
         } catch {
@@ -228,6 +233,8 @@ enum ManagerError: Error {
     case serverInfo(String)
     case errorResponse(msg: String)
     case noTunnelFileDescriptor
+    case noApp
+    case permissionDenied
 
     var description: String {
         switch self {
@@ -249,6 +256,10 @@ enum ManagerError: Error {
             msg
         case .noTunnelFileDescriptor:
             "Could not find a tunnel file descriptor"
+        case .noApp:
+            "The VPN must be started with the app open to perform first-time setup"
+        case .permissionDenied:
+            "Permission was not granted to run the CoderVPN dylib"
         }
     }
 }
@@ -273,3 +284,24 @@ func writeVpnLog(_ log: Vpn_Log) {
     let fields = log.fields.map { "\($0.name): \($0.value)" }.joined(separator: ", ")
     logger.log(level: level, "\(log.message, privacy: .public): \(fields, privacy: .public)")
 }
+
+private func removeQuarantine(_ dest: URL) async throws(ManagerError) {
+    var flag: AnyObject?
+    let file = NSURL(fileURLWithPath: dest.path)
+    try? file.getResourceValue(&flag, forKey: kCFURLQuarantinePropertiesKey as URLResourceKey)
+    if flag != nil {
+        guard let conn = globalXPCListenerDelegate.conn else {
+            throw .noApp
+        }
+        // Wait for unsandboxed app to accept our file
+        do {
+            try await withCheckedThrowingContinuation { [dest] continuation in
+                conn.removeQuarantine(path: dest.path) { _ in
+                    continuation.resume()
+                }
+            }
+        } catch {
+            throw .permissionDenied
+        }
+    }
+}
diff --git a/Coder Desktop/VPNLib/Util.swift b/Coder Desktop/VPNLib/Util.swift
@@ -1,11 +1,11 @@
 public struct CallbackWrapper<T, U>: @unchecked Sendable {
-    private let block: (T?) -> U
+    private let block: (T) -> U
 
-    public init(_ block: @escaping (T?) -> U) {
+    public init(_ block: @escaping (T) -> U) {
         self.block = block
     }
 
-    public func callAsFunction(_ error: T?) -> U {
+    public func callAsFunction(_ error: T) -> U {
         block(error)
     }
 }
diff --git a/Coder Desktop/VPNLib/XPC.swift b/Coder Desktop/VPNLib/XPC.swift
@@ -10,4 +10,5 @@ import Foundation
 @objc public protocol VPNXPCClientCallbackProtocol {
     // data is a serialized `Vpn_PeerUpdate`
     func onPeerUpdate(_ data: Data)
+    func removeQuarantine(path: String, reply: @escaping (Bool) -> Void)
 }

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`public struct CallbackWrapper<T, U>: @unchecked Sendable {`
`2`		`- private let block: (T?) -> U`
	`2`	`+ private let block: (T) -> U`
`3`	`3`
`4`		`- public init(_ block: @escaping (T?) -> U) {`
	`4`	`+ public init(_ block: @escaping (T) -> U) {`
`5`	`5`	`self.block = block`
`6`	`6`	`}`
`7`	`7`
`8`		`- public func callAsFunction(_ error: T?) -> U {`
	`8`	`+ public func callAsFunction(_ error: T) -> U {`
`9`	`9`	`block(error)`
`10`	`10`	`}`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,5 @@ import Foundation`
`10`	`10`	`@objc public protocol VPNXPCClientCallbackProtocol {`
`11`	`11`	// data is a serialized `Vpn_PeerUpdate`
`12`	`12`	`func onPeerUpdate(_ data: Data)`
	`13`	`+ func removeQuarantine(path: String, reply: @escaping (Bool) -> Void)`
`13`	`14`	`}`