authorEmīls <emils@mullvad.net>2020-07-23 12:33:12 +0100
committerEmīls <emils@mullvad.net>2020-07-23 12:33:12 +0100
commit5a3fc686918ed7386be143651363a331bfae6ece (patch)
treeb115b54eb8800c453ce8e11a14c306c8b41c421f
parent9cc71c8a0c5bf68ec6dd841830182fdd28bce275 (diff)
parent1515e068ea98d06b8f1c28b719fc2aa98a248c87 (diff)
Merge branch 'fix-netcls-changes'
-rw-r--r--CHANGELOG.md4
-rw-r--r--talpid-core/src/firewall/linux.rs2
-rw-r--r--talpid-core/src/split_tunnel/linux.rs22
-rw-r--r--talpid-types/src/cgroup.rs101
4 files changed, 23 insertions, 106 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ccd0e3612..3f56d454fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,8 +47,8 @@ Line wrap the file at 100 chars. Th
- Upgrade Wintun from 0.7 to 0.8.1.
#### Linux
-- Allow users to specify `net_cls` controller mountpoint if it's not mounted already via the
- `TALPID_NETCLS_MOUNT_DIR` environment variable.
+- Allow users to specify `net_cls` controller mountpoint via `TALPID_NET_CLS_MOUNT_DIR`. The
+ specified mountpoint will only be used if the controller isn't mounted already.
### Fixed
- Fix connectivity monitor for WireGuard not disconnecting from a relay when connectivity is lost.
diff --git a/talpid-core/src/firewall/linux.rs b/talpid-core/src/firewall/linux.rs
index 21c7b3ce3b..3a68d3734d 100644
--- a/talpid-core/src/firewall/linux.rs
+++ b/talpid-core/src/firewall/linux.rs
@@ -292,7 +292,7 @@ impl<'a> PolicyBatch<'a> {
for chain in &mangle_chains {
let mut rule = Rule::new(chain);
rule.add_expr(&nft_expr!(meta cgroup));
- rule.add_expr(&nft_expr!(cmp == split_tunnel::NETCLS_CLASSID));
+ rule.add_expr(&nft_expr!(cmp == split_tunnel::NET_CLS_CLASSID));
rule.add_expr(&nft_expr!(immediate data split_tunnel::MARK));
rule.add_expr(&nft_expr!(ct mark set));
rule.add_expr(&nft_expr!(meta mark set));
diff --git a/talpid-core/src/split_tunnel/linux.rs b/talpid-core/src/split_tunnel/linux.rs
index 8d9da5ebca..b2c3fcfe1e 100644
--- a/talpid-core/src/split_tunnel/linux.rs
+++ b/talpid-core/src/split_tunnel/linux.rs
@@ -1,16 +1,16 @@
use std::{
- fs,
+ env, fs,
io::{self, BufRead, BufReader, BufWriter, Write},
path::PathBuf,
};
use talpid_types::cgroup::{find_net_cls_mount, SPLIT_TUNNEL_CGROUP_NAME};
-const DEFAULT_NETCLS_DIR: &str = "/sys/fs/cgroup/net_cls";
-const NETCLS_DIR_OVERRIDE_ENV_VAR: &str = "TALPID_NETCLS_MOUNT_DIR";
+const DEFAULT_NET_CLS_DIR: &str = "/sys/fs/cgroup/net_cls";
+const NET_CLS_DIR_OVERRIDE_ENV_VAR: &str = "TALPID_NET_CLS_MOUNT_DIR";
/// Identifies packets coming from the cgroup.
/// This should be an arbitrary but unique integer.
-pub const NETCLS_CLASSID: u32 = 0x4d9f41;
+pub const NET_CLS_CLASSID: u32 = 0x4d9f41;
/// Value used to mark packets and associated connections.
/// This should be an arbitrary but unique integer.
pub const MARK: i32 = 0xf41;
@@ -69,18 +69,18 @@ impl PidManager {
return Ok(net_cls_path);
}
- let netcls_dir = std::env::var(NETCLS_DIR_OVERRIDE_ENV_VAR)
+ let net_cls_dir = env::var(NET_CLS_DIR_OVERRIDE_ENV_VAR)
.map(PathBuf::from)
- .unwrap_or(PathBuf::from(DEFAULT_NETCLS_DIR));
+ .unwrap_or(PathBuf::from(DEFAULT_NET_CLS_DIR));
- if !netcls_dir.exists() {
- fs::create_dir(netcls_dir.clone()).map_err(Error::CreateCGroup)?;
+ if !net_cls_dir.exists() {
+ fs::create_dir_all(&net_cls_dir).map_err(Error::CreateCGroup)?;
}
// https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt
nix::mount::mount(
Some("net_cls"),
- &netcls_dir,
+ &net_cls_dir,
Some("cgroup"),
nix::mount::MsFlags::empty(),
Some("net_cls"),
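Review bot: The `if !net_cls_dir.exists()` guard kept around the new `fs::create_dir_all(&net_cls_dir)` call is redundant and slightly misleading: `create_dir_all` already succeeds when the path is an existing directory, so the guard's only effect is to skip the `CreateCGroup` error when the path exists as something other than a directory (or when `exists()` reports false because the metadata lookup failed), deferring the failure to the less specific `InitNetClsCGroup` mount error; calling `fs::create_dir_all(&net_cls_dir).map_err(Error::CreateCGroup)?;` unconditionally gives the clearer diagnostic. Separately, `env::var` returns `Err` for a value that is not valid Unicode, so a malformed `TALPID_NET_CLS_MOUNT_DIR` silently falls back to `DEFAULT_NET_CLS_DIR` instead of being reported; `env::var_os(NET_CLS_DIR_OVERRIDE_ENV_VAR).map(PathBuf::from)` would accept any OS string. Because this code creates directories and calls `nix::mount::mount` at whatever path the override names, a check such as `if !net_cls_dir.is_absolute() { ... }` before use would avoid resolving a relative value against the process working directory. The eager `unwrap_or(PathBuf::from(DEFAULT_NET_CLS_DIR))` allocates even when the override is set; `unwrap_or_else(|| PathBuf::from(DEFAULT_NET_CLS_DIR))` is the idiomatic form. The enclosing method begins before this hunk and its `Ok(net_cls_dir)` return sits in the following hunk.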
@@ -88,7 +88,7 @@ impl PidManager {
.map_err(Error::InitNetClsCGroup)?;
- Ok(netcls_dir)
+ Ok(net_cls_dir)
}
fn setup_exclusion_group(&self) -> Result<(), Error> {
@@ -98,7 +98,7 @@ impl PidManager {
}
let classid_path = exclusions_dir.join("net_cls.classid");
- fs::write(classid_path, NETCLS_CLASSID.to_string().as_bytes())
+ fs::write(classid_path, NET_CLS_CLASSID.to_string().as_bytes())
.map_err(Error::SetCGroupClassId)
}
diff --git a/talpid-types/src/cgroup.rs b/talpid-types/src/cgroup.rs
index 6a3e8ca4fc..1aeddd728f 100644
--- a/talpid-types/src/cgroup.rs
+++ b/talpid-types/src/cgroup.rs
@@ -49,53 +49,9 @@ mod test {
#[test]
fn test_find_net_cls_path() {
- let input = br#"sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
-proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
-udev /dev devtmpfs rw,nosuid,noexec,relatime,size=989436k,nr_inodes=247359,mode=755 0 0
-devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
-tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=203520k,mode=755 0 0
-/dev/vda5 / ext4 rw,relatime,errors=remount-ro 0 0
-securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
-tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
-tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
-tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
-cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
-cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
-pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
-none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
-cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
-cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
-cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
-cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
-cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
-cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
-cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
+ let input =
+ br#"cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
-cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
-cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
-cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
-systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14329 0 0
-hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
-mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
-debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
-tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
-fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
-configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
-/dev/loop1 /snap/gnome-3-34-1804/24 squashfs ro,nodev,relatime 0 0
-/dev/loop2 /snap/core18/1880 squashfs ro,nodev,relatime 0 0
-/dev/loop3 /snap/gtk-common-themes/1506 squashfs ro,nodev,relatime 0 0
-/dev/loop0 /snap/core18/1754 squashfs ro,nodev,relatime 0 0
-/dev/loop5 /snap/snap-store/467 squashfs ro,nodev,relatime 0 0
-/dev/loop6 /snap/gnome-3-34-1804/36 squashfs ro,nodev,relatime 0 0
-/dev/loop7 /snap/snap-store/454 squashfs ro,nodev,relatime 0 0
-/dev/loop8 /snap/snapd/8140 squashfs ro,nodev,relatime 0 0
-/dev/vda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
-tmpfs /run/user/125 tmpfs rw,nosuid,nodev,relatime,size=203516k,mode=700,uid=125,gid=130 0 0
-gvfsd-fuse /run/user/125/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=125,group_id=130 0 0
-/dev/loop9 /snap/snapd/8542 squashfs ro,nodev,relatime 0 0
-tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=203516k,mode=700,uid=1000,gid=1000 0 0
-gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
-some-garbage-line
"#;
assert_eq!(
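Review bot: The trimmed positive fixture now contains only the combined `net_cls,net_prio` controller line, so `find_net_cls_mount_inner` is no longer exercised against a standalone `net_cls` mount, which is the form the default `/sys/fs/cgroup/net_cls` path is mounted with in `split_tunnel/linux.rs` in this same change. If the parser is meant to accept both layouts, a constructed line such as `cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0` in a separate positive test would pin that. Dropping `some-garbage-line` also removed the only malformed entry from the positive case, although the negative test in the next hunk now covers malformed input. The body of `test_find_net_cls_path` continues past the end of this hunk.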
@@ -106,52 +62,13 @@ some-garbage-line
#[test]
fn test_fail_to_find_net_cls_path() {
- let input = br#"sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
-proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
-udev /dev devtmpfs rw,nosuid,noexec,relatime,size=989436k,nr_inodes=247359,mode=755 0 0
-devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
-tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=203520k,mode=755 0 0
-/dev/vda5 / ext4 rw,relatime,errors=remount-ro 0 0
-securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
-tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
-tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
-tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
-cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
-cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
-pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
-none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
-cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
-cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
-cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
-cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
-cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
-cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
-cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
-cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
-cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
-cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
-systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14329 0 0
-hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
-mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
-debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
-tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
-fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
-configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
-/dev/loop1 /snap/gnome-3-34-1804/24 squashfs ro,nodev,relatime 0 0
-/dev/loop2 /snap/core18/1880 squashfs ro,nodev,relatime 0 0
-/dev/loop3 /snap/gtk-common-themes/1506 squashfs ro,nodev,relatime 0 0
-/dev/loop0 /snap/core18/1754 squashfs ro,nodev,relatime 0 0
-/dev/loop5 /snap/snap-store/467 squashfs ro,nodev,relatime 0 0
-/dev/loop6 /snap/gnome-3-34-1804/36 squashfs ro,nodev,relatime 0 0
-/dev/loop7 /snap/snap-store/454 squashfs ro,nodev,relatime 0 0
-/dev/loop8 /snap/snapd/8140 squashfs ro,nodev,relatime 0 0
-/dev/vda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
-tmpfs /run/user/125 tmpfs rw,nosuid,nodev,relatime,size=203516k,mode=700,uid=125,gid=130 0 0
-gvfsd-fuse /run/user/125/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=125,group_id=130 0 0
-/dev/loop9 /snap/snapd/8542 squashfs ro,nodev,relatime 0 0
-tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=203516k,mode=700,uid=1000,gid=1000 0 0
-gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
- "#;
+ let input =
+ br#"cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
+cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,,net_prio 0 0
+cgroup /sys/fs/cgroup/net_cls,net_prio cgroup2 rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
+cgroup /sys/fs/cgroup/net_cls,net_prio garbage rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
+cgroup /nope
+"#;
assert_eq!(find_net_cls_mount_inner(input), None)
}