Add launcher script on Linux to disable sandbox

6 files changed, 244 insertions, 172 deletions

diff --git a/build.sh b/build.sh
index d6c1147c3e..12b2408579 100755
--- a/build.sh
+++ b/build.sh
@@ -77,15 +77,6 @@ function restore_metadata_backups() {
 }
 trap 'restore_metadata_backups' EXIT
 
-if [[ "$BUILD_MODE" == "dev" ]]; then
-    # Disable installer compression on *explicit* dev builds.
-    # This does not disable compression on build server builds, since they
-    # always run without --dev-buid.
-    echo "Disabling compression of installer in this dev build"
-    cp gui/electron-builder.yml gui/electron-builder.yml.bak
-    echo "compression: store" >> gui/electron-builder.yml
-fi
-
 echo "Updating version in metadata files..."
 cp gui/package-lock.json gui/package-lock.json.bak
 cp Cargo.lock Cargo.lock.bak
@@ -175,10 +166,22 @@ npm install
 ################################################################################
 
 echo "Packing final release artifact..."
+
+if [[ "$BUILD_MODE" == "dev" ]]; then
+    # Disable installer compression on *explicit* dev builds.
+    # This does not disable compression on build server builds, since they
+    # always run without --dev-build.
+    echo "Disabling compression of installer in this dev build"
+
+    PACK_ARGS="--no-compression"
+else
+    PACK_ARGS=""
+fi
+
 case "$(uname -s)" in
-    Linux*)     npm run pack:linux;;
-    Darwin*)    npm run pack:mac;;
-    MINGW*)     npm run pack:win;;
+    Linux*)     npm run pack:linux -- $PACK_ARGS;;
+    Darwin*)    npm run pack:mac -- $PACK_ARGS;;
+    MINGW*)     npm run pack:win -- $PACK_ARGS;;
 esac
 
 popd
diff --git a/dist-assets/linux/mullvad-gui-launcher.sh b/dist-assets/linux/mullvad-gui-launcher.sh
new file mode 100755
index 0000000000..cf75c4e916
--- /dev/null
+++ b/dist-assets/linux/mullvad-gui-launcher.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+exec "$SCRIPT_DIR/mullvad-gui" --no-sandbox "$@"
diff --git a/gui/electron-builder.yml b/gui/electron-builder.yml
deleted file mode 100755
index a57b08e6c9..0000000000
--- a/gui/electron-builder.yml
+++ /dev/null
@@ -1,151 +0,0 @@
-appId: net.mullvad.vpn
-copyright: Amagicom AB
-productName: Mullvad VPN
-
-asar: true
-
-# assets bundled on all platforms
-extraResources:
-  # Mullvad root CA certificate used by OpenVPN
-  - from: ../dist-assets/ca.crt
-    to: .
-  - from: ../dist-assets/api_root_ca.pem
-    to: .
-  - from: ../dist-assets/relays.json
-    to: .
-  - from: ../CHANGELOG.md
-    to: .
-
-directories:
-  buildResources: ../dist-assets/
-  output: ../dist/
-
-# override package.json
-extraMetadata:
-  name: mullvad-vpn
-
-files:
-  - package.json
-  - init.js
-  - build/
-  - node_modules/
-  - "!**/*.tsbuildinfo"
-
-mac:
-  target: pkg
-  artifactName: MullvadVPN-${version}.${ext}
-  category: public.app-category.tools
-  extendInfo:
-    LSUIElement: true
-    NSUserNotificationAlertStyle: alert
-  extraResources:
-    - from: ../dist-assets/mullvad
-      to: .
-    - from: ../dist-assets/problem-report
-      to: .
-    - from: ../dist-assets/mullvad-daemon
-      to: .
-    - from: ../dist-assets/libtalpid_openvpn_plugin.dylib
-      to: .
-    - from: ../dist-assets/binaries/x86_64-apple-darwin/openvpn
-      to: .
-    - from: ../dist-assets/binaries/x86_64-apple-darwin/sslocal
-      to: .
-    - from: ../dist-assets/uninstall_macos.sh
-      to: ./uninstall.sh
-
-pkg:
-  allowAnywhere: false
-  allowCurrentUserHome: false
-  isRelocatable: false
-
-nsis:
-  guid: "Mullvad VPN"
-  oneClick: false
-  perMachine: true
-  allowElevation: true
-  allowToChangeInstallationDirectory: false
-  include: ../dist-assets/windows/installer.nsh
-  installerSidebar: ../dist-assets/windows/installersidebar.bmp
-
-win:
-  target:
-    - target: nsis
-      arch:
-        - x64
-  artifactName: MullvadVPN-${version}.${ext}
-  publisherName: Amagicom AB
-  signingHashAlgorithms:
-    - sha256
-  signDlls: true
-  extraResources:
-    - from: ../dist-assets/mullvad.exe
-      to: .
-    - from: ../dist-assets/problem-report.exe
-      to: .
-    - from: ../dist-assets/mullvad-daemon.exe
-      to: .
-    - from: ../dist-assets/talpid_openvpn_plugin.dll
-      to: .
-    - from: ../windows/winfw/bin/x64-Release/winfw.dll
-      to: .
-    - from: ../windows/windns/bin/x64-Release/windns.dll
-      to: .
-    - from: ../windows/winnet/bin/x64-Release/winnet.dll
-      to: .
-    - from: ../dist-assets/binaries/x86_64-pc-windows-msvc/openvpn.exe
-      to: .
-    - from: ../dist-assets/binaries/x86_64-pc-windows-msvc/sslocal.exe
-      to: .
-    - from: ../windows/winutil/bin/x64-Release/winutil.dll
-      to: .
-      
-linux:
-  target:
-    - deb
-    - rpm
-  artifactName: MullvadVPN-${version}_${arch}.${ext}
-  category: Network
-  extraResources:
-    - from: ../dist-assets/problem-report
-      to: .
-    - from: ../dist-assets/mullvad-daemon
-      to: .
-    - from: ../dist-assets/libtalpid_openvpn_plugin.so
-      to: .
-    - from: ../dist-assets/binaries/x86_64-unknown-linux-gnu/openvpn
-      to: .
-    - from: ../dist-assets/binaries/x86_64-unknown-linux-gnu/sslocal
-      to: .
-    - from: ../dist-assets/linux/mullvad-daemon.conf
-      to: .
-    - from: ../dist-assets/linux/mullvad-daemon.service
-      to: .
-
-deb:
-  fpm: ["--before-install", "../dist-assets/linux/before-install.sh",
-       "--before-remove", "../dist-assets/linux/before-remove.sh",
-       "--config-files", "/opt/Mullvad VPN/resources/mullvad-daemon.service",
-       "--config-files", "/opt/Mullvad VPN/resources/mullvad-daemon.conf",
-       "../dist-assets/mullvad=/usr/bin/",
-       ]
-  afterInstall: ../dist-assets/linux/after-install.sh
-  afterRemove: ../dist-assets/linux/after-remove.sh
-  depends:
-    - iputils-ping
-
-rpm:
-  fpm: ["--before-install", "../dist-assets/linux/before-install.sh",
-       "--before-remove", "../dist-assets/linux/before-remove.sh",
-       "--rpm-posttrans", "../dist-assets/linux/post-transaction.sh",
-       "--config-files", "/opt/Mullvad VPN/resources/mullvad-daemon.service",
-       "--config-files", "/opt/Mullvad VPN/resources/mullvad-daemon.conf",
-       "../dist-assets/mullvad=/usr/bin/",
-       ]
-  afterInstall: ../dist-assets/linux/after-install.sh
-  afterRemove: ../dist-assets/linux/after-remove.sh
-  depends:
-      - libXScrnSaver
-      - libnotify
-      - libnsl
-      - dbus-libs
diff --git a/gui/gulpfile.js b/gui/gulpfile.js
index 10e61b98b9..659663d30e 100644
--- a/gui/gulpfile.js
+++ b/gui/gulpfile.js
@@ -5,9 +5,13 @@ const rimraf = require('rimraf');
 const scripts = require('./tasks/scripts');
 const assets = require('./tasks/assets');
 const watch = require('./tasks/watch');
+const dist = require('./tasks/distribution');
 
 task('clean', function(done) {
   rimraf('./build', done);
 });
 task('build', series('clean', assets.copyAll, scripts.build));
 task('develop', series('clean', watch.start));
+task('pack-win', series('build', dist.packWin));
+task('pack-linux', series('build', dist.packLinux));
+task('pack-mac', series('build', dist.packMac));
diff --git a/gui/package.json b/gui/package.json
index 6744a0e1e7..e525cfbdf7 100644
--- a/gui/package.json
+++ b/gui/package.json
@@ -94,14 +94,9 @@
     "develop": "gulp develop",
     "test": "cross-env NODE_ENV=test electron-mocha --renderer --reporter spec --require-main \"test/setup/main.js\" --require ts-node/register --require \"test/setup/renderer.ts\" \"test/**/*.{ts,tsx}\"",
     "update-translations": "node scripts/extract-translations",
-    "pack:mac": "run-s build private:pack:mac private:postbuild:mac",
-    "pack:win": "run-s build private:pack:win",
-    "pack:linux": "run-s build private:pack:linux",
-    "private:format": "prettier \"**/*.{js,css,ts,tsx}\"",
-    "private:pack:mac": "npm run private:pack -- --mac",
-    "private:postbuild:mac": "rimraf ../dist/mac",
-    "private:pack:win": "npm run private:pack -- --win",
-    "private:pack:linux": "npm run private:pack -- --linux",
-    "private:pack": "cross-env ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES=true electron-builder"
+    "pack:mac": "gulp pack-mac",
+    "pack:win": "gulp pack-win",
+    "pack:linux": "gulp pack-linux",
+    "private:format": "prettier \"**/*.{js,css,ts,tsx}\""
   }
 }
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
new file mode 100644
index 0000000000..5e08455b45
--- /dev/null
+++ b/gui/tasks/distribution.js
@@ -0,0 +1,216 @@
+const path = require('path');
+const fs = require('fs');
+const builder = require('electron-builder');
+const rimraf = require('rimraf');
+const util = require('util');
+
+const renameAsync = util.promisify(fs.rename);
+const unlinkAsync = util.promisify(fs.unlink);
+const rimrafAsync = util.promisify(rimraf);
+
+const compression = process.argv.indexOf('--no-compression') !== -1 ? 'store' : 'normal';
+
+const config = {
+  appId: 'net.mullvad.vpn',
+  copyright: 'Amagicom AB',
+  productName: 'Mullvad VPN',
+  asar: true,
+  compression: compression,
+  extraResources: [
+    { from: distAssets('ca.crt'), to: '.' },
+    { from: distAssets('api_root_ca.pem'), to: '.' },
+    { from: distAssets('relays.json'), to: '.' },
+    { from: root('CHANGELOG.md'), to: '.' },
+  ],
+
+  directories: {
+    buildResources: root('dist-assets'),
+    output: root('dist'),
+  },
+
+  extraMetadata: {
+    name: 'mullvad-vpn',
+  },
+
+  files: ['package.json', 'init.js', 'build/', 'node_modules/', '!**/*.tsbuildinfo'],
+
+  mac: {
+    target: 'pkg',
+    artifactName: 'MullvadVPN-${version}.${ext}',
+    category: 'public.app-category.tools',
+    extendInfo: {
+      LSUIElement: true,
+      NSUserNotificationAlertStyle: 'alert',
+    },
+    extraResources: [
+      { from: distAssets('mullvad'), to: '.' },
+      { from: distAssets('problem-report'), to: '.' },
+      { from: distAssets('mullvad-daemon'), to: '.' },
+      { from: distAssets('libtalpid_openvpn_plugin.dylib'), to: '.' },
+      { from: distAssets('binaries/x86_64-apple-darwin/openvpn'), to: '.' },
+      { from: distAssets('binaries/x86_64-apple-darwin/sslocal'), to: '.' },
+      { from: distAssets('uninstall_macos.sh'), to: './uninstall.sh' },
+    ],
+  },
+
+  pkg: {
+    allowAnywhere: false,
+    allowCurrentUserHome: false,
+    isRelocatable: false,
+  },
+
+  nsis: {
+    guid: 'Mullvad VPN',
+    oneClick: false,
+    perMachine: true,
+    allowElevation: true,
+    allowToChangeInstallationDirectory: false,
+    include: distAssets('windows/installer.nsh'),
+    installerSidebar: distAssets('windows/installersidebar.bmp'),
+  },
+
+  win: {
+    target: [
+      {
+        target: 'nsis',
+        arch: ['x64'],
+      },
+    ],
+    artifactName: 'MullvadVPN-${version}.${ext}',
+    publisherName: 'Amagicom AB',
+    signingHashAlgorithms: ['sha256'],
+    signDlls: true,
+    extraResources: [
+      { from: distAssets('mullvad.exe'), to: '.' },
+      { from: distAssets('problem-report.exe'), to: '.' },
+      { from: distAssets('mullvad-daemon.exe'), to: '.' },
+      { from: distAssets('talpid_openvpn_plugin.dll'), to: '.' },
+      { from: root('windows/winfw/bin/x64-Release/winfw.dll'), to: '.' },
+      { from: root('windows/windns/bin/x64-Release/windns.dll'), to: '.' },
+      { from: root('windows/winnet/bin/x64-Release/winnet.dll'), to: '.' },
+      { from: root('windows/winutil/bin/x64-Release/winutil.dll'), to: '.' },
+      { from: distAssets('binaries/x86_64-pc-windows-msvc/openvpn.exe'), to: '.' },
+      { from: distAssets('binaries/x86_64-pc-windows-msvc/sslocal.exe'), to: '.' },
+    ],
+  },
+
+  linux: {
+    target: ['deb', 'rpm'],
+    artifactName: 'MullvadVPN-${version}_${arch}.${ext}',
+    category: 'Network',
+    extraFiles: [{ from: distAssets('linux/mullvad-gui-launcher.sh'), to: '.' }],
+    extraResources: [
+      { from: distAssets('problem-report'), to: '.' },
+      { from: distAssets('mullvad-daemon'), to: '.' },
+      { from: distAssets('libtalpid_openvpn_plugin.so'), to: '.' },
+      { from: distAssets('binaries/x86_64-unknown-linux-gnu/openvpn'), to: '.' },
+      { from: distAssets('binaries/x86_64-unknown-linux-gnu/sslocal'), to: '.' },
+      { from: distAssets('linux/mullvad-daemon.conf'), to: '.' },
+      { from: distAssets('linux/mullvad-daemon.service'), to: '.' },
+    ],
+  },
+
+  deb: {
+    fpm: [
+      '--before-install',
+      distAssets('linux/before-install.sh'),
+      '--before-remove',
+      distAssets('linux/before-remove.sh'),
+      '--config-files',
+      '/opt/Mullvad VPN/resources/mullvad-daemon.service',
+      '--config-files',
+      '/opt/Mullvad VPN/resources/mullvad-daemon.conf',
+      distAssets('mullvad') + '=/usr/bin/',
+    ],
+    afterInstall: distAssets('linux/after-install.sh'),
+    afterRemove: distAssets('linux/after-remove.sh'),
+    depends: ['iputils-ping'],
+  },
+
+  rpm: {
+    fpm: [
+      '--before-install',
+      distAssets('linux/before-install.sh'),
+      '--before-remove',
+      distAssets('linux/before-remove.sh'),
+      '--rpm-posttrans',
+      distAssets('linux/post-transaction.sh'),
+      '--config-files',
+      '/opt/Mullvad VPN/resources/mullvad-daemon.service',
+      '--config-files',
+      '/opt/Mullvad VPN/resources/mullvad-daemon.conf',
+      distAssets('mullvad') + '=/usr/bin/',
+    ],
+    afterInstall: distAssets('linux/after-install.sh'),
+    afterRemove: distAssets('linux/after-remove.sh'),
+    depends: ['libXScrnSaver', 'libnotify', 'libnsl', 'dbus-libs'],
+  },
+};
+
+function packWin() {
+  return builder.build({
+    targets: builder.Platform.WINDOWS.createTarget(),
+    config: config,
+  });
+}
+
+function packMac() {
+  let appOutDir;
+
+  return builder.build({
+    targets: builder.Platform.MAC.createTarget(),
+    config: {
+      ...config,
+      afterPack: (context) => {
+        appOutDir = context.appOutDir;
+        return Promise.resolve();
+      },
+      afterAllArtifactBuild: (buildResult) => {
+        // remove the folder that contains the unpacked app
+        return rimrafAsync(appOutDir);
+      },
+    },
+  });
+}
+
+function packLinux() {
+  return builder.build({
+    targets: builder.Platform.LINUX.createTarget(),
+    config: {
+      ...config,
+      afterPack: (context) => {
+        const sourceExecutable = path.join(context.appOutDir, 'mullvad-vpn');
+        const targetExecutable = path.join(context.appOutDir, 'mullvad-gui');
+        const launcherScript = path.join(context.appOutDir, 'mullvad-gui-launcher.sh');
+        const chromeSandbox = path.join(context.appOutDir, 'chrome-sandbox');
+
+        return Promise.all([
+          // rename mullvad-vpn to mullvad-gui
+          renameAsync(sourceExecutable, targetExecutable),
+
+          // rename launcher script to mullvad-vpn
+          renameAsync(launcherScript, sourceExecutable),
+
+          // remove the chrome-sandbox file since we explicitly disable it
+          unlinkAsync(chromeSandbox),
+        ]);
+      },
+    },
+  });
+}
+
+function distAssets(relativePath) {
+  return path.join(path.resolve(__dirname, '../../dist-assets'), relativePath);
+}
+
+function root(relativePath) {
+  return path.join(path.resolve(__dirname, '../../'), relativePath);
+}
+
+packWin.displayName = 'builder-win';
+packMac.displayName = 'builder-mac';
+packLinux.displayName = 'builder-linux';
+
+exports.packWin = packWin;
+exports.packMac = packMac;
+exports.packLinux = packLinux;