| author | Emīls Piņķis <emils@mullvad.net> | 2020-06-05 14:50:46 +0100 |
|---|---|---|
| committer | Emīls Piņķis <emils@mullvad.net> | 2020-06-09 13:30:31 +0100 |
| commit | c23937a4550cdd515a8af9835cb5d2ef3b74be25 (patch) | |
| tree | 9e5d87a14d315b28c7a57f5472c0101981c58ac3 | |
| parent | 45cf15631449c03a980ed17da6a53868db178275 (diff) | |
| download | mullvadvpn-c23937a4550cdd515a8af9835cb5d2ef3b74be25.tar.xz mullvadvpn-c23937a4550cdd515a8af9835cb5d2ef3b74be25.zip | |
Only allow root to send tunnel traffic
| -rw-r--r-- | talpid-core/src/firewall/macos.rs | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 5fd8584ad1..140829a10a 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -1,6 +1,6 @@
 use super::{FirewallArguments, FirewallPolicy, FirewallT};
 use ipnetwork::IpNetwork;
-use pfctl::{DropAction, FilterRuleAction};
+use pfctl::{DropAction, FilterRuleAction, Uid};
 use std::{
     env,
     net::{IpAddr, Ipv4Addr},
@@ -15,6 +15,8 @@ type Result<T> = std::result::Result<T, Error>;
 /// replaced by allowing the anchor name to be configured from the public API of this crate.
 const ANCHOR_NAME: &'static str = "mullvad";
 
+const ROOT_UID: u32 = 0;
+
 /// The macOS firewall and DNS implementation.
 pub struct Firewall {
     pf: pfctl::PfCtl,
@@ -194,6 +196,7 @@ impl Firewall {
             .proto(pfctl_proto)
             .keep_state(pfctl::StatePolicy::Keep)
             .tcp_flags(Self::get_tcp_flags())
+            .user(Uid::from(ROOT_UID))
             .quick(true)
             .build()?)
     }
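Review bot: The new `ROOT_UID` constant in the second hunk and the `.user(Uid::from(ROOT_UID))` matcher in the third carry no comment saying that the rule deliberately limits traffic to the relay endpoint to processes running as uid 0, which is the whole point of this commit and is easy to undo by a later reader who sees only a redundant-looking constant. Suggest `/// Uid of the only user permitted to send traffic to the relay endpoint; compared by the pf `user` matcher on the endpoint allow-rule.` above `ROOT_UID`, and `// Only root (the daemon itself) may send to the relay endpoint; unprivileged local processes must go through the tunnel.` on the `.user(...)` line. The rule builder in the third hunk belongs to a function that starts and ends outside the hunk, so it cannot be confirmed from here that this is the only allow-rule for that destination; if other rules permit the same endpoint they would presumably need the same matcher to keep the restriction meaningful.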
