feat: add experimental privileged helper (#160)

Closes #135.
Closes #142.

This PR adds an optional privileged `LaunchDaemon` capable of removing the quarantine flag on a downloaded `.dylib` without prompting the user to enter their password. This is most useful when the Coder deployment updates frequently.

<img width="597" alt="image" src="https://github.com/user-attachments/assets/5f51b9a3-93ba-46b7-baa3-37c8bd817733" />

The System Extension communicates directly with the `LaunchDaemon`, meaning a new `.dylib` can be downloaded and executed even if the app was closed, which was previously not possible. 

I've tested this in a fresh 15.4 VM.

Author: ethanndickson

Coder-Desktop/Coder-Desktop/Coder_DesktopApp.swift

@@ -25,6 +25,7 @@ struct DesktopApp: App {
             SettingsView<CoderVPNService>()
                 .environmentObject(appDelegate.vpn)
                 .environmentObject(appDelegate.state)
+                .environmentObject(appDelegate.helper)
         }
         .windowResizability(.contentSize)
         Window("Coder File Sync", id: Windows.fileSync.rawValue) {
@@ -45,10 +46,12 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     let fileSyncDaemon: MutagenDaemon
     let urlHandler: URLHandler
     let notifDelegate: NotifDelegate
+    let helper: HelperService
 
     override init() {
         notifDelegate = NotifDelegate()
         vpn = CoderVPNService()
+        helper = HelperService()
         let state = AppState(onChange: vpn.configureTunnelProviderProtocol)
         vpn.onStart = {
             // We don't need this to have finished before the VPN actually starts

Coder-Desktop/Coder-Desktop/HelperService.swift

@@ -0,0 +1,117 @@
+import os
+import ServiceManagement
+
+// Whilst the GUI app installs the helper, the System Extension communicates
+// with it over XPC
+@MainActor
+class HelperService: ObservableObject {
+    private let logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "HelperService")
+    let plistName = "com.coder.Coder-Desktop.Helper.plist"
+    @Published var state: HelperState = .uninstalled {
+        didSet {
+            logger.info("helper daemon state set: \(self.state.description, privacy: .public)")
+        }
+    }
+
+    init() {
+        update()
+    }
+
+    func update() {
+        let daemon = SMAppService.daemon(plistName: plistName)
+        state = HelperState(status: daemon.status)
+    }
+
+    func install() {
+        let daemon = SMAppService.daemon(plistName: plistName)
+        do {
+            try daemon.register()
+        } catch let error as NSError {
+            self.state = .failed(.init(error: error))
+        } catch {
+            state = .failed(.unknown(error.localizedDescription))
+        }
+        state = HelperState(status: daemon.status)
+    }
+
+    func uninstall() {
+        let daemon = SMAppService.daemon(plistName: plistName)
+        do {
+            try daemon.unregister()
+        } catch let error as NSError {
+            self.state = .failed(.init(error: error))
+        } catch {
+            state = .failed(.unknown(error.localizedDescription))
+        }
+        state = HelperState(status: daemon.status)
+    }
+}
+
+enum HelperState: Equatable {
+    case uninstalled
+    case installed
+    case requiresApproval
+    case failed(HelperError)
+
+    var description: String {
+        switch self {
+        case .uninstalled:
+            "Uninstalled"
+        case .installed:
+            "Installed"
+        case .requiresApproval:
+            "Requires Approval"
+        case let .failed(error):
+            "Failed: \(error.localizedDescription)"
+        }
+    }
+
+    init(status: SMAppService.Status) {
+        self = switch status {
+        case .notRegistered:
+            .uninstalled
+        case .enabled:
+            .installed
+        case .requiresApproval:
+            .requiresApproval
+        case .notFound:
+            // `Not found`` is the initial state, if `register` has never been called
+            .uninstalled
+        @unknown default:
+            .failed(.unknown("Unknown status: \(status)"))
+        }
+    }
+}
+
+enum HelperError: Error, Equatable {
+    case alreadyRegistered
+    case launchDeniedByUser
+    case invalidSignature
+    case unknown(String)
+
+    init(error: NSError) {
+        self = switch error.code {
+        case kSMErrorAlreadyRegistered:
+            .alreadyRegistered
+        case kSMErrorLaunchDeniedByUser:
+            .launchDeniedByUser
+        case kSMErrorInvalidSignature:
+            .invalidSignature
+        default:
+            .unknown(error.localizedDescription)
+        }
+    }
+
+    var localizedDescription: String {
+        switch self {
+        case .alreadyRegistered:
+            "Already registered"
+        case .launchDeniedByUser:
+            "Launch denied by user"
+        case .invalidSignature:
+            "Invalid signature"
+        case let .unknown(message):
+            message
+        }
+    }
+}

Coder-Desktop/Coder-Desktop/Views/Settings/ExperimentalTab.swift

@@ -0,0 +1,10 @@
+import LaunchAtLogin
+import SwiftUI
+
+struct ExperimentalTab: View {
+    var body: some View {
+        Form {
+            HelperSection()
+        }.formStyle(.grouped)
+    }
+}

Coder-Desktop/Coder-Desktop/Views/Settings/HelperSection.swift

@@ -0,0 +1,82 @@
+import LaunchAtLogin
+import ServiceManagement
+import SwiftUI
+
+struct HelperSection: View {
+    var body: some View {
+        Section {
+            HelperButton()
+            Text("""
+            Coder Connect executes a dynamic library downloaded from the Coder deployment.
+            Administrator privileges are required when executing a copy of this library for the first time.
+            Without this helper, these are granted by the user entering their password.
+            With this helper, this is done automatically.
+            This is useful if the Coder deployment updates frequently.
+
+            Coder Desktop will not execute code unless it has been signed by Coder.
+            """)
+            .font(.subheadline)
+            .foregroundColor(.secondary)
+        }
+    }
+}
+
+struct HelperButton: View {
+    @EnvironmentObject var helperService: HelperService
+
+    var buttonText: String {
+        switch helperService.state {
+        case .uninstalled, .failed:
+            "Install"
+        case .installed:
+            "Uninstall"
+        case .requiresApproval:
+            "Open Settings"
+        }
+    }
+
+    var buttonDescription: String {
+        switch helperService.state {
+        case .uninstalled, .installed:
+            ""
+        case .requiresApproval:
+            "Requires approval"
+        case let .failed(err):
+            err.localizedDescription
+        }
+    }
+
+    func buttonAction() {
+        switch helperService.state {
+        case .uninstalled, .failed:
+            helperService.install()
+            if helperService.state == .requiresApproval {
+                SMAppService.openSystemSettingsLoginItems()
+            }
+        case .installed:
+            helperService.uninstall()
+        case .requiresApproval:
+            SMAppService.openSystemSettingsLoginItems()
+        }
+    }
+
+    var body: some View {
+        HStack {
+            Text("Privileged Helper")
+            Spacer()
+            Text(buttonDescription)
+                .foregroundColor(.secondary)
+            Button(action: buttonAction) {
+                Text(buttonText)
+            }
+        }.onReceive(NotificationCenter.default.publisher(for: NSApplication.didBecomeActiveNotification)) { _ in
+            helperService.update()
+        }.onAppear {
+            helperService.update()
+        }
+    }
+}
+
+#Preview {
+    HelperSection().environmentObject(HelperService())
+}

Coder-Desktop/Coder-Desktop/Views/Settings/Settings.swift

@@ -13,6 +13,11 @@ struct SettingsView<VPN: VPNService>: View {
                 .tabItem {
                     Label("Network", systemImage: "dot.radiowaves.left.and.right")
                 }.tag(SettingsTab.network)
+            ExperimentalTab()
+                .tabItem {
+                    Label("Experimental", systemImage: "gearshape.2")
+                }.tag(SettingsTab.experimental)
+
         }.frame(width: 600)
             .frame(maxHeight: 500)
             .scrollContentBackground(.hidden)
@@ -23,4 +28,5 @@ struct SettingsView<VPN: VPNService>: View {
 enum SettingsTab: Int {
     case general
     case network
+    case experimental
 }

Coder-Desktop/Coder-Desktop/XPCInterface.swift

@@ -14,9 +14,9 @@ import VPNLib
     }
 
     func connect() {
-        logger.debug("xpc connect called")
+        logger.debug("VPN xpc connect called")
         guard xpc == nil else {
-            logger.debug("xpc already exists")
+            logger.debug("VPN xpc already exists")
             return
         }
         let networkExtDict = Bundle.main.object(forInfoDictionaryKey: "NetworkExtension") as? [String: Any]
@@ -34,14 +34,14 @@ import VPNLib
         xpcConn.exportedObject = self
         xpcConn.invalidationHandler = { [logger] in
             Task { @MainActor in
-                logger.error("XPC connection invalidated.")
+                logger.error("VPN XPC connection invalidated.")
                 self.xpc = nil
                 self.connect()
             }
         }
         xpcConn.interruptionHandler = { [logger] in
             Task { @MainActor in
-                logger.error("XPC connection interrupted.")
+                logger.error("VPN XPC connection interrupted.")
                 self.xpc = nil
                 self.connect()
             }

Coder-Desktop/Coder-DesktopHelper/HelperXPCProtocol.swift

@@ -0,0 +1,5 @@
+import Foundation
+
+@objc protocol HelperXPCProtocol {
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void)
+}

Coder-Desktop/Coder-DesktopHelper/com.coder.Coder-Desktop.Helper.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>com.coder.Coder-Desktop.Helper</string>
+	<key>BundleProgram</key>
+	<string>Contents/MacOS/com.coder.Coder-Desktop.Helper</string>
+	<key>MachServices</key>
+	<dict>
+		<!-- $(TeamIdentifierPrefix) isn't populated here, so this value is hardcoded -->
+		<key>4399GN35BJ.com.coder.Coder-Desktop.Helper</key>
+		<true/>
+	</dict>
+	<key>AssociatedBundleIdentifiers</key>
+	<array>
+		<string>com.coder.Coder-Desktop</string>
+	</array>
+</dict>
+</plist>

Coder-Desktop/Coder-DesktopHelper/main.swift

@@ -0,0 +1,72 @@
+import Foundation
+import os
+
+class HelperToolDelegate: NSObject, NSXPCListenerDelegate, HelperXPCProtocol {
+    private var logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "HelperToolDelegate")
+
+    override init() {
+        super.init()
+    }
+
+    func listener(_: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
+        newConnection.exportedInterface = NSXPCInterface(with: HelperXPCProtocol.self)
+        newConnection.exportedObject = self
+        newConnection.invalidationHandler = { [weak self] in
+            self?.logger.info("Helper XPC connection invalidated")
+        }
+        newConnection.interruptionHandler = { [weak self] in
+            self?.logger.debug("Helper XPC connection interrupted")
+        }
+        logger.info("new active connection")
+        newConnection.resume()
+        return true
+    }
+
+    func removeQuarantine(path: String, withReply reply: @escaping (Int32, String) -> Void) {
+        guard isCoderDesktopDylib(at: path) else {
+            reply(1, "Path is not to a Coder Desktop dylib: \(path)")
+            return
+        }
+
+        let task = Process()
+        let pipe = Pipe()
+
+        task.standardOutput = pipe
+        task.standardError = pipe
+        task.arguments = ["-d", "com.apple.quarantine", path]
+        task.executableURL = URL(fileURLWithPath: "/usr/bin/xattr")
+
+        do {
+            try task.run()
+        } catch {
+            reply(1, "Failed to start command: \(error)")
+            return
+        }
+
+        let data = pipe.fileHandleForReading.readDataToEndOfFile()
+        let output = String(data: data, encoding: .utf8) ?? ""
+
+        task.waitUntilExit()
+        reply(task.terminationStatus, output)
+    }
+}
+
+func isCoderDesktopDylib(at rawPath: String) -> Bool {
+    let url = URL(fileURLWithPath: rawPath)
+        .standardizedFileURL
+        .resolvingSymlinksInPath()
+
+    // *Must* be within the Coder Desktop System Extension sandbox
+    let requiredPrefix = ["/", "var", "root", "Library", "Containers",
+                          "com.coder.Coder-Desktop.VPN"]
+    guard url.pathComponents.starts(with: requiredPrefix) else { return false }
+    guard url.pathExtension.lowercased() == "dylib" else { return false }
+    guard FileManager.default.fileExists(atPath: url.path) else { return false }
+    return true
+}
+
+let delegate = HelperToolDelegate()
+let listener = NSXPCListener(machServiceName: "4399GN35BJ.com.coder.Coder-Desktop.Helper")
+listener.delegate = delegate
+listener.resume()
+RunLoop.main.run()