closes#207
I'd be lying if I said I was familiar with these particulars more than a
couple hours ago, but after investigating and testing locally, this does
fix the go issue, I prefer it over #272 which is a lot of code and a one
off fix
----
cc @bolinfest do you mind taking a look here?
1. Seatbelt compares the paths it gets from the kernal to its policies
1. Go is attempting to write to the os.tmpdir, which we have
allowlisted.
1. The kernel rewrites /var/… to /private/var/… before the sandbox
check.
1. The policy still said /var/…, so writes were denied.
Fix: canonicalise every writable root we feed into the policy
(realpathSync(...)).
We do not have to touch runtime file paths—the kernel already
canonicalises those.
### before
see that the command exited 1, and that the command was reported to be
prohibited, despite using the allowlisted tmpdir
https://github.com/user-attachments/assets/23911101-0ec0-4a59-a0a1-423be04063f0
### after
command exits 0
https://github.com/user-attachments/assets/6ab2bcd6-68bd-4f89-82bb-2c8612e39ac3
3356ac0aef