| author | Emīls Piņķis <emils@mullvad.net> | 2021-05-18 18:28:47 +0100 |
|---|---|---|
| committer | Emīls <emils@mullvad.net> | 2021-12-10 09:58:51 +0000 |
| commit | 2b48ee7a513651f65e2db5ff48eeb2fdb14d881a (patch) | |
| tree | 540c00042091c75de08685020d1f110182c7c920 | |
| parent | 05ae3cad58eea7319a566323e7fdc326f8035470 (diff) | |
Add exclusion GID fetcher
| -rwxr-xr-x | dist-assets/pkg-scripts/preinstall | 13 | ||||
| -rwxr-xr-x | dist-assets/uninstall_macos.sh | 3 | ||||
| -rw-r--r-- | mullvad-daemon/src/exclusion_gid.rs | 29 | ||||
| -rw-r--r-- | mullvad-daemon/src/lib.rs | 8 | ||||
| -rw-r--r-- | talpid-core/src/lib.rs | 4 | ||||
| -rw-r--r-- | talpid-core/src/macos.rs | 12 |
6 files changed, 69 insertions, 0 deletions
diff --git a/dist-assets/pkg-scripts/preinstall b/dist-assets/pkg-scripts/preinstall
index ef6d953970..c8561c0730 100755
--- a/dist-assets/pkg-scripts/preinstall
+++ b/dist-assets/pkg-scripts/preinstall
@@ -30,3 +30,16 @@ fi
 # There is a risk that they're incompatible with the format this version wants
 rm "$NEW_CACHE_DIR/relays.json" || true
 rm "$NEW_CACHE_DIR/api-ip-address.txt" || true
+
+# Create a group for mullvad-exclusion
+MULLVAD_EXCLUSION_GROUP="mullvad-exclusion"
+if ! dscl . -list /Groups | grep $MULLVAD_EXCLUSION_GROUP; then
+ dscl . -create /Groups/$MULLVAD_EXCLUSION_GROUP \
+ || echo "FAILED TO CREATE $MULLVAD_EXCLUSION_GROUP GROUP"
+fi
+if ! dscl . -read /Groups/$MULLVAD_EXCLUSION_GROUP | grep PrimaryGroupID; then
+ MULLVAD_EXCLUSION_GID=$(( RANDOM ))
+ dscl . -append /Groups/$MULLVAD_EXCLUSION_GROUP PrimaryGroupID $MULLVAD_EXCLUSION_GID \
+ && echo "Created mullvad-exclusion group with gid $MULLVAD_EXCLUSION_GID" \
+ || echo "FAILED TO CREATE 'mullvad-exclusion' group"
+fi
diff --git a/dist-assets/uninstall_macos.sh b/dist-assets/uninstall_macos.sh
index 83316da3ba..7833ba528f 100755
--- a/dist-assets/uninstall_macos.sh
+++ b/dist-assets/uninstall_macos.sh
@@ -18,6 +18,9 @@ DAEMON_PLIST_PATH="/Library/LaunchDaemons/net.mullvad.daemon.plist"
 sudo launchctl unload -w "$DAEMON_PLIST_PATH"
 sudo rm -f "$DAEMON_PLIST_PATH"
+sudo dscl . -delete /groups/mullvad-exclusion || echo "Failed to remove 'mullvad-exclusion' group"
+
+
 echo "Resetting firewall"
 sudo /Applications/Mullvad\ VPN.app/Contents/Resources/mullvad-setup reset-firewall
 sudo /Applications/Mullvad\ VPN.app/Contents/Resources/mullvad-setup remove-wireguard-key
diff --git a/mullvad-daemon/src/exclusion_gid.rs b/mullvad-daemon/src/exclusion_gid.rs
new file mode 100644
index 0000000000..441b66cb2b
--- /dev/null
+++ b/mullvad-daemon/src/exclusion_gid.rs
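Review bot: `MULLVAD_EXCLUSION_GID=$(( RANDOM ))` can hand the new group a GID that another group already owns — `RANDOM` ranges over 0..32767, so it can even yield 0, the GID of `wheel` — and nothing before `dscl . -append … PrimaryGroupID` checks for that. Because this GID is presumably what the daemon later uses to decide which processes are excluded from the tunnel, a collision would silently extend the exclusion to every process running under the colliding group, so the candidate should come from above the system range and be rejected while `dscl . -search /Groups PrimaryGroupID "$candidate"` still returns a match; the replacement for the `MULLVAD_EXCLUSION_GID=` line is below, and the `-append` step should bail out if the variable ends up empty. The two existence tests are unanchored (`grep $MULLVAD_EXCLUSION_GROUP` would also match a group named `mullvad-exclusion-old`), so prefer `grep -qx "$MULLVAD_EXCLUSION_GROUP"` and `grep -q '^PrimaryGroupID:'`.
```shell
# Choose a GID above the system range that no existing group already uses.
MULLVAD_EXCLUSION_GID=""
for _ in $(seq 1 100); do
    candidate=$(( RANDOM + 1000 ))
    if [ -z "$(dscl . -search /Groups PrimaryGroupID "$candidate")" ]; then
        MULLVAD_EXCLUSION_GID="$candidate"
        break
    fi
done
# … unchanged: dscl . -append / echo lines …
```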
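Review bot: The new `sudo dscl . -delete /groups/mullvad-exclusion` spells the record path as `/groups`, while the preinstall script in this same commit creates the record under `/Groups`; if dscl treats the path case-sensitively this delete never finds the group and it survives uninstall (the `|| echo` would at least report it). Use `/Groups/mullvad-exclusion` so both scripts agree on the path. The two blank lines added after it are whitespace only and can go.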
@@ -0,0 +1,29 @@
+use std::ffi::CStr;
+/// name of the group that should be excluded
+const EXCLUSION_GROUP: &[u8] = b"mullvad-exclusion\0";
+
+/// Returns the GID of `mullvad-exclusion` group if it exists.
+pub fn get_exclusion_gid() -> Option<u32> {
+ let exclusion_group_name = unsafe { CStr::from_bytes_with_nul_unchecked(EXCLUSION_GROUP) };
+ talpid_core::macos::get_group_id(exclusion_group_name)
+}
+
+/// Attempts to set the GID of the current process to `mullvad-exclusion`.
+#[cfg(target_os = "macos")]
+pub fn set_exclusion_gid() {
+ if let Some(gid) = get_exclusion_gid() {
+ if let Err(err) = talpid_core::macos::set_gid(gid) {
+ log::error!("Failed to set group ID: {}", err);
+ }
+ } else {
+ log::error!("No exclusion ID available");
+ }
+}
+
+#[cfg(test)]
+mod test {
+ #[test]
+ fn test_exclusion_gid() {
+ let _ = super::get_exclusion_gid();
+ }
+}
diff --git a/mullvad-daemon/src/lib.rs b/mullvad-daemon/src/lib.rs
index 5557590b09..93ec0106cf 100644
--- a/mullvad-daemon/src/lib.rs
+++ b/mullvad-daemon/src/lib.rs
@@ -7,6 +7,9 @@ extern crate serde;
 mod account;
 pub mod account_history;
 pub mod exception_logging;
+#[cfg(target_os = "macos")]
+pub mod exclusion_gid;
+>>>>>>> 51cc8287d (Fix daemon code for GID exclusion)
 mod geoip;
 pub mod logging;
 #[cfg(not(target_os = "android"))]
@@ -555,6 +558,11 @@ where
 command_channel: DaemonCommandChannel,
 #[cfg(target_os = "android")] android_context: AndroidContext,
 ) -> Result<Self, Error> {
+ #[cfg(target_os = "macos")]
+ {
+ exclusion_gid::set_exclusion_gid();
+ };
+
 let (tunnel_state_machine_shutdown_tx, tunnel_state_machine_shutdown_signal) =
 oneshot::channel();
 let runtime = tokio::runtime::Handle::current();
diff --git a/talpid-core/src/lib.rs b/talpid-core/src/lib.rs
index 8d540fcdbd..648a45bda4 100644
--- a/talpid-core/src/lib.rs
+++ b/talpid-core/src/lib.rs
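Review bot: `get_exclusion_gid` calls `talpid_core::macos::get_group_id(exclusion_group_name)` and `set_exclusion_gid` calls `talpid_core::macos::set_gid(gid)`, but the `talpid-core/src/macos.rs` added by this same commit defines neither — it only exposes an argument-less `get_exclusion_gid()` — so the daemon crate cannot build against it as committed. Either the talpid-core side should export `get_group_id(&CStr) -> Option<u32>` and `set_gid(u32)`, or this module should call what exists; the `EXCLUSION_GROUP` constant is also duplicated in both crates, which is the drift this split was presumably meant to avoid. The `unsafe { CStr::from_bytes_with_nul_unchecked(EXCLUSION_GROUP) }` needs a `// SAFETY: EXCLUSION_GROUP is a literal ending in exactly one NUL byte` comment, or can become `CStr::from_bytes_with_nul(EXCLUSION_GROUP).expect("valid C string literal")` and drop the `unsafe`. A failed `set_gid` is only logged, so the daemon keeps running without the exclusion GID; if callers need to know the exclusion is not in effect, `set_exclusion_gid` should return a `Result` rather than `()`.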
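Review bot: `+>>>>>>> 51cc8287d (Fix daemon code for GID exclusion)` in the module list of `mullvad-daemon/src/lib.rs` is a leftover merge-conflict marker committed as source; rustc rejects it, so the line must be deleted. In the second hunk the added block `#[cfg(target_os = "macos")] { exclusion_gid::set_exclusion_gid(); };` carries a stray `;` after the closing brace — `#[cfg(target_os = "macos")] { exclusion_gid::set_exclusion_gid(); }` without it is the conventional form. The enclosing function whose signature ends at `) -> Result<Self, Error> {` starts and ends outside the hunk.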
@@ -63,5 +63,9 @@ mod mktemp;
 #[cfg(target_os = "linux")]
 mod linux;
+/// Misc utilities for the macOS platform.
+#[cfg(target_os = "macos")]
+pub mod macos;
+
 /// A pair of functions to monitor and establish connectivity with ICMP
 pub mod ping_monitor;
diff --git a/talpid-core/src/macos.rs b/talpid-core/src/macos.rs
new file mode 100644
index 0000000000..7e6922b796
--- /dev/null
+++ b/talpid-core/src/macos.rs
@@ -0,0 +1,12 @@
+/// name of the group that should be excluded
+const EXCLUSION_GROUP: &[u8] = b"mullvad-exclusion\0";
+
+/// Returns the GID of `mullvad-exclusion` group if it exists.
+pub fn get_exclusion_gid() -> Option<u32> {
+ let group = unsafe { libc::getgrnam(EXCLUSION_GROUP.as_ptr() as *const _) };
+ if group.is_null() {
+ return None;
+ }
+ let gid = unsafe { (*group).gr_gid };
+ Some(gid)
+}
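Review bot: `libc::getgrnam` returns a pointer into static storage shared by every caller in the process, so the later `(*group).gr_gid` read can observe another thread's `getgrnam`/`getgrent` result; the daemon is multi-threaded (`tokio::runtime::Handle::current()` is visible in `mullvad-daemon/src/lib.rs`), so `getgrnam_r` with a caller-owned buffer is the right primitive here. The function is also named `get_exclusion_gid` and takes no argument, whereas the daemon module in this commit calls `talpid_core::macos::get_group_id(name)`; exporting the name-taking variant below resolves that mismatch and leaves a single copy of the group-name constant on the daemon side. Both `unsafe` blocks lack a `// SAFETY:` comment. The buffer in the sketch is a fixed size; the real implementation should grow it and retry when `getgrnam_r` reports `ERANGE`.
```rust
/// Returns the GID of the group called `name`, or `None` if no such group exists.
pub fn get_group_id(name: &std::ffi::CStr) -> Option<u32> {
    let mut group = std::mem::MaybeUninit::<libc::group>::uninit();
    let mut result: *mut libc::group = std::ptr::null_mut();
    let mut buf = vec![0 as libc::c_char; 4096]; // TODO: grow and retry on ERANGE
    // SAFETY: every pointer refers to a live, correctly sized buffer for the duration of the call.
    let rc = unsafe {
        libc::getgrnam_r(
            name.as_ptr(),
            group.as_mut_ptr(),
            buf.as_mut_ptr(),
            buf.len(),
            &mut result,
        )
    };
    if rc != 0 || result.is_null() {
        return None;
    }
    // SAFETY: a zero return with a non-null `result` means getgrnam_r initialised `group`.
    Some(unsafe { group.assume_init() }.gr_gid)
}
```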
