fix(daemon): harden launchd plist with umask 077 (#31919)

* fix(daemon): add launchd umask hardening * fix: finalize launchd umask changelog + thanks (#31919) (thanks @liuxiaopai-ai) --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-09 18:14:31 +00:00 · 2026-03-03 02:13:41 +08:00
parent 16df7ef4a9
commit 718d418b32
3 changed files with 9 additions and 2 deletions
--- a/src/daemon/launchd-plist.ts
+++ b/src/daemon/launchd-plist.ts
@@ -4,6 +4,7 @@ import fs from "node:fs/promises";
 // intentional gateway restarts. Keep it low so CLI restarts and forced
 // reinstalls do not stall for a full minute.
 export const LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS = 1;
+export const LAUNCH_AGENT_UMASK_DECIMAL = 0o077;

 const plistEscape = (value: string): string =>
  value
@@ -111,5 +112,5 @@ export function buildLaunchAgentPlist({
    ? `\n    <key>Comment</key>\n    <string>${plistEscape(comment.trim())}</string>`
    : "";
  const envXml = renderEnvDict(environment);
-  return `<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n  <dict>\n    <key>Label</key>\n    <string>${plistEscape(label)}</string>\n    ${commentXml}\n    <key>RunAtLoad</key>\n    <true/>\n    <key>KeepAlive</key>\n    <true/>\n    <key>ThrottleInterval</key>\n    <integer>${LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS}</integer>\n    <key>ProgramArguments</key>\n    <array>${argsXml}\n    </array>\n    ${workingDirXml}\n    <key>StandardOutPath</key>\n    <string>${plistEscape(stdoutPath)}</string>\n    <key>StandardErrorPath</key>\n    <string>${plistEscape(stderrPath)}</string>${envXml}\n  </dict>\n</plist>\n`;
+  return `<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0">\n  <dict>\n    <key>Label</key>\n    <string>${plistEscape(label)}</string>\n    ${commentXml}\n    <key>RunAtLoad</key>\n    <true/>\n    <key>KeepAlive</key>\n    <true/>\n    <key>ThrottleInterval</key>\n    <integer>${LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS}</integer>\n    <key>Umask</key>\n    <integer>${LAUNCH_AGENT_UMASK_DECIMAL}</integer>\n    <key>ProgramArguments</key>\n    <array>${argsXml}\n    </array>\n    ${workingDirXml}\n    <key>StandardOutPath</key>\n    <string>${plistEscape(stdoutPath)}</string>\n    <key>StandardErrorPath</key>\n    <string>${plistEscape(stderrPath)}</string>${envXml}\n  </dict>\n</plist>\n`;
 }
--- a/src/daemon/launchd.test.ts
+++ b/src/daemon/launchd.test.ts
@@ -1,6 +1,9 @@
 import { PassThrough } from "node:stream";
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS } from "./launchd-plist.js";
+import {
+  LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS,
+  LAUNCH_AGENT_UMASK_DECIMAL,
+} from "./launchd-plist.js";
 import {
  installLaunchAgent,
  isLaunchAgentListed,
@@ -201,6 +204,8 @@ describe("launchd install", () => {
    expect(plist).not.toContain("<key>SuccessfulExit</key>");
    expect(plist).toContain("<key>ThrottleInterval</key>");
    expect(plist).toContain(`<integer>${LAUNCH_AGENT_THROTTLE_INTERVAL_SECONDS}</integer>`);
+    expect(plist).toContain("<key>Umask</key>");
+    expect(plist).toContain(`<integer>${LAUNCH_AGENT_UMASK_DECIMAL}</integer>`);
  });

  it("restarts LaunchAgent with bootout-bootstrap-kickstart order", async () => {