macOS sandboxed app support

Signed-off-by: Jan Noha <[email protected]>

Author: nohajc

internal/wguser/conn_unix.go

@@ -18,11 +18,18 @@ func dial(device string) (net.Conn, error) {
 
 // find is the default implementation of Client.find.
 func find() ([]string, error) {
-	return findUNIXSockets([]string{
+	paths := []string{
 		// It seems that /var/run is a common location between Linux and the
 		// BSDs, even though it's a symlink on Linux.
 		"/var/run/wireguard",
-	})
+	}
+	altPaths, err := altSockPaths()
+	if err != nil {
+		return nil, err
+	}
+	paths = append(paths, altPaths...)
+
+	return findUNIXSockets(paths)
 }
 
 // findUNIXSockets looks for UNIX socket files in the specified directories.

internal/wguser/sockpath_darwin.go

@@ -0,0 +1,19 @@
+//go:build darwin
+
+package wguser
+
+import (
+	"os"
+	"path/filepath"
+)
+
+const NET_EXT_APP_ID = "com.wireguard.macos.network-extension"
+
+func altSockPaths() ([]string, error) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return nil, err
+	}
+	path := filepath.Join(homeDir, "Library", "Containers", NET_EXT_APP_ID, "Data")
+	return []string{path}, nil
+}

internal/wguser/sockpath_unix.go

@@ -0,0 +1,7 @@
+//go:build !darwin && !windows
+
+package wguser
+
+func altSockPaths() ([]string, error) {
+	return nil, nil
+}