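'use strict';
// Verifies that a node binary placed in an ad-hoc signed app bundle with the
// sandbox entitlements fixture (a) is denied access to the user's home
// directory and (b) is not terminated by a signal when stdin is an inherited
// TTY.
const common = require('../common');
if (process.platform !== 'darwin')
  common.skip('App Sandbox is only available on Darwin');

const fixtures = require('../common/fixtures');
const tmpdir = require('../common/tmpdir');
const assert = require('assert');
const child_process = require('child_process');
const path = require('path');
const fs = require('fs');
const os = require('os');

const nodeBinary = process.execPath;

tmpdir.refresh();

const appBundlePath = path.join(tmpdir.path, 'node_sandboxed.app');
const appBundleContentPath = path.join(appBundlePath, 'Contents');
const appExecutablePath = path.join(
  appBundleContentPath, 'MacOS', 'node');

// Construct the app bundle and put the node executable in it:
// node_sandboxed.app/
// └── Contents
//     ├── Info.plist
//     ├── MacOS
//     │   └── node
fs.mkdirSync(appBundlePath);
fs.mkdirSync(appBundleContentPath);
fs.mkdirSync(path.join(appBundleContentPath, 'MacOS'));
fs.copyFileSync(
  fixtures.path('macos-app-sandbox', 'Info.plist'),
  path.join(appBundleContentPath, 'Info.plist'));
fs.copyFileSync(
  nodeBinary,
  appExecutablePath);


// Sign the app bundle with sandbox entitlements. `-s -` requests an ad-hoc
// signature and `--force` replaces any signature already present on the copied
// binary. The entitlements fixture is not visible here; it is expected to be
// what turns the sandbox on, so everything below depends on this step.
const signResult = child_process.spawnSync('/usr/bin/codesign', [
  '--entitlements', fixtures.path(
    'macos-app-sandbox', 'node_sandboxed.entitlements'),
  '--force', '-s', '-',
  appBundlePath,
]);
// A launch failure leaves `status` as null; check `error` first so the
// failure is reported as what it is.
assert.strictEqual(signResult.error, undefined);
assert.strictEqual(
  signResult.status, 0,
  `codesign failed: ${String(signResult.stderr)}`);

// Sandboxed app shouldn't be able to read the home dir.
const readHomeResult = child_process.spawnSync(appExecutablePath, [
  '-e', 'fs.readdirSync(process.argv[1])', os.homedir(),
]);
// A bare "status is not 0" also holds when the child never started or was
// killed by a signal (status is null in both cases), which would let this
// denial check pass without the sandbox having denied anything. Require a
// real process exit before looking at the exit code.
assert.strictEqual(readHomeResult.error, undefined);
assert.strictEqual(readHomeResult.signal, null);
assert.notStrictEqual(
  readHomeResult.status, 0,
  'sandboxed node was able to list the home directory');
// NOTE(review): the exit code alone does not show *why* readdirSync threw;
// consider also matching the permission error in readHomeResult.stderr once
// the exact error code is confirmed on the supported macOS versions.

if (process.stdin.isTTY) {
  // Run the sandboxed node instance with inherited tty stdin
  const spawnResult = child_process.spawnSync(
    appExecutablePath, ['-e', ''],
    { stdio: 'inherit' }
  );

  // Only termination by signal is treated as a failure here; the exit code
  // is deliberately not asserted.
  assert.strictEqual(spawnResult.signal, null);
}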