From db707746857620801f5a246c61949b13dfd23782 Mon Sep 17 00:00:00 2001
From: Maisem Ali <maisem@tailscale.com>
Date: Thu, 21 Apr 2022 16:37:41 -0700
Subject: [PATCH] cmd/tailscale/cli: do not use syscall.Exec from macOS sandbox

Signed-off-by: Maisem Ali <maisem@tailscale.com>
---
 cmd/tailscale/cli/ssh.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cmd/tailscale/cli/ssh.go b/cmd/tailscale/cli/ssh.go
index a429fe5d3..d1f990d0d 100644
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -24,6 +24,7 @@ import (
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/version"
 )
 
 var sshCmd = &ffcli.Command{
@@ -104,8 +105,8 @@ func runSSH(ctx context.Context, args []string) error {
 		username + "@" + hostForSSH,
 	}, argRest...)
 
-	if runtime.GOOS == "windows" {
-		// Don't use syscall.Exec on Windows.
+	if runtime.GOOS == "windows" || version.IsSandboxedMacOS() {
+		// Don't use syscall.Exec on Windows or in the macOS sandbox.
 		cmd := exec.Command(ssh, argv[1:]...)
 		cmd.Stderr = os.Stderr
 		cmd.Stdout = os.Stdout