diff options
| author | Emīls Piņķis <emils@mullvad.net> | 2022-09-27 15:27:50 +0200 |
|---|---|---|
| committer | Emīls Piņķis <emils@mullvad.net> | 2022-09-27 15:27:50 +0200 |
| commit | cf3cc8b150de40079391b27f19ceaf2cd1afac2c (patch) | |
| tree | 9c8d94ca0badc6136968ad3986915efdec0517f8 | |
| parent | 59bfcc9717cb9b9b3743c8e77b1242c296f94653 (diff) | |
| parent | 652e20aadb802fe03585b4f61fe501d03477b046 (diff) | |
| download | mullvadvpn-cf3cc8b150de40079391b27f19ceaf2cd1afac2c.tar.xz mullvadvpn-cf3cc8b150de40079391b27f19ceaf2cd1afac2c.zip | |
Merge branch 'update-security-docs'
| -rw-r--r-- | docs/security.md | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/docs/security.md b/docs/security.md index f8e1c511cc..01e0c2d1b1 100644 --- a/docs/security.md +++ b/docs/security.md @@ -33,8 +33,8 @@ An app with permission to act as a VPN service can request to open a VPN tunnel provide a set of IP networks it would like to have routed via itself. Doing so and specifying the routes `0/0` and `::0/0` forces all traffic to go via the app. That is what this app does both when it has a VPN tunnel up, but also when in a state where it would like to block all network -traffic. Such as the [connecting], [disconnecting] and [error] states. In these states, all -packets are simply dropped. +traffic. Such as the [connecting], [disconnecting] and [error] states. In these states, all outgoing +packets are simply dropped, but incoming traffic is still allowed due to the limitations of Android. ### iOS @@ -270,11 +270,19 @@ via unix domain sockets (UDS) on Linux and macOS and via named pipes on Windows. This management interface can be reached by any process running on the device. Locally running malicious programs are outside of the app's threat model. -The service transitions to the [disconnected] state before exiting (i.e., normally when the OS is -being shut down). In general, the last firewall policy is maintained when the service exits, and -lost upon a reboot (except on Windows, see below). In other words, if the "Always require VPN" -option is enabled, the blocking policy will be left intact when the daemon service stops. -Otherwise, the system firewall will be reset to its original state. +The `mullvad-daemon` transition to the [disconnected] state before exiting. To +limit leaks during computer shutdown, it will maintain the blocking firewall +rules upon exit in the following scenarios: +- _Always require VPN_ is enabled +- A user didn't explicitly request for the `mullvad-daemon` to be shut down and + either or both of the following are true + - The daemon is currently in one of the blocking states ([connected], + [connecting], or [error]) + - _auto-connect_ is enabled + +In other cases, when the daemon process stops normally, firewall rules will be +removed. + ### Windows @@ -285,6 +293,13 @@ the service has started back up again during boot, including before the BFE serv As with "Always require VPN", enabling "Auto-connect" in the service will cause it to enforce the blocking policy before being stopped. +### Linux + +Due to the dependence on various other services, the `mullvad-daemon` is not +started early enough to prevent leaks. To prevent this, another system unit is +started during early boot that applies a blocking policy that persists until the +`mullvad-daemon` is started. + ## Desktop Electron GUI The graphical frontend for the app on desktop is an Electron app. This app only ever loads |