| author | David Lönnhager <david.l@mullvad.net> | 2024-04-30 10:27:29 +0200 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2024-04-30 10:27:29 +0200 |
| commit | ea344c2d14d7396e550840737f3328e08d3fda45 (patch) | |
| tree | 260cbdef20ce8515c3248964dce33d2b3fb5fa88 | |
| parent | 72be78c59d4ca9b2960ed69345300af16df81be8 (diff) | |
| parent | 0a04a2863ea8e08571ce72e0cb67409f2f2802e6 (diff) | |
Merge branch 'ubuntu-add-apparmor-profile'
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | dist-assets/linux/after-install.sh | 17 | ||||
| -rw-r--r-- | dist-assets/linux/after-remove.sh | 6 | ||||
| -rw-r--r-- | dist-assets/linux/apparmor_mullvad | 8 | ||||
| -rw-r--r-- | gui/tasks/distribution.js | 1 |
5 files changed, 36 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1149d96271..3460d73f0e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,10 @@ Line wrap the file at 100 chars. Th
 ### Added
 - Add custom bridge settings in GUI.
+### Fixed
+#### Linux
+- Fix GUI not working on Ubuntu 24.04 by adding an AppArmor profile.
+
 ## [2024.2] - 2024-04-29
 ### Fixed
diff --git a/dist-assets/linux/after-install.sh b/dist-assets/linux/after-install.sh
index 20e07be59a..7701202b46 100644
--- a/dist-assets/linux/after-install.sh
+++ b/dist-assets/linux/after-install.sh
@@ -6,3 +6,20 @@ chmod u+s "/usr/bin/mullvad-exclude"
 systemctl enable "/usr/lib/systemd/system/mullvad-daemon.service"
 systemctl start mullvad-daemon.service || echo "Failed to start mullvad-daemon.service"
 systemctl enable "/usr/lib/systemd/system/mullvad-early-boot-blocking.service"
+
+# return 0 if version $1 is greater than or equal to $2
+function version_is_ge {
+ [ "$1" = "$2" ] && return 0
+ printf '%s\n' "$2" "$1" | sort -C -V
+}
+
+# Ubuntu 24.04 or newer: Install apparmor profile to allow Electron sandbox to work
+# This disables user namespace restrictions
+os=$(grep -oP '^ID=\K.+' /etc/os-release | tr -d '"')
+version=$(grep -oP '^VERSION_ID=\K.+' /etc/os-release | tr -d '"')
+
+if [[ "$os" == "ubuntu" ]] && version_is_ge "$version" "24.04"; then
+ echo "Creating apparmor profile"
+ cp /opt/Mullvad\ VPN/resources/apparmor_mullvad /etc/apparmor.d/mullvad
+ apparmor_parser -r /etc/apparmor.d/mullvad || echo "Failed to reload apparmor profile"
+fi
diff --git a/dist-assets/linux/after-remove.sh b/dist-assets/linux/after-remove.sh
index 2b3a93e5f2..2eb8387b04 100644
--- a/dist-assets/linux/after-remove.sh
+++ b/dist-assets/linux/after-remove.sh
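Review bot: In dist-assets/linux/after-install.sh the result of `cp` into /etc/apparmor.d is never checked, so when the copy fails `apparmor_parser -r` either errors on a missing file or reloads a profile left behind by an earlier install, and the only message printed blames the reload. Chaining the two steps keeps the report accurate: `cp /opt/Mullvad\ VPN/resources/apparmor_mullvad /etc/apparmor.d/mullvad && apparmor_parser -r /etc/apparmor.d/mullvad || echo "Failed to install apparmor profile"`. The comment `# This disables user namespace restrictions` also overstates the scope; something like `# Lifts the unprivileged user namespace restriction for /opt/Mullvad VPN/mullvad-gui only; the profile applies no other confinement` tells an administrator exactly what policy the package adds. The exact `ID` match presumably skips Ubuntu derivatives that report a different `ID`, which may be intended but is worth saying in the comment.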
@@ -74,3 +74,9 @@ esac
 # Different electron versions can have incompatible GPU caches. Clearing it on upgrades makes sure
 # the same cache is not used across versions.
 clear_gpu_cache
+
+# Remove apparmor profile
+if apparmor_parser -R /etc/apparmor.d/mullvad &>/dev/null; then
+ echo "Removing apparmor profile"
+ rm -f /etc/apparmor.d/mullvad || echo "Failed to delete apparmor profile"
+fi
diff --git a/dist-assets/linux/apparmor_mullvad b/dist-assets/linux/apparmor_mullvad
new file mode 100644
index 0000000000..ac06ebd9fc
--- /dev/null
+++ b/dist-assets/linux/apparmor_mullvad
@@ -0,0 +1,8 @@
+abi <abi/4.0>,
+include <tunables/global>
+
+profile mullvad /opt/Mullvad\ VPN/mullvad-gui flags=(unconfined) {
+ userns,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/mullvad>
+}
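Review bot: In dist-assets/linux/after-remove.sh the profile file is deleted only when `apparmor_parser -R` succeeds, so if the unload fails (parser missing, profile not currently loaded) /etc/apparmor.d/mullvad stays on disk after the package is gone, and because the output goes to /dev/null nothing is logged. The file grants `userns,` under `flags=(unconfined)` to a fixed path and would presumably be loaded again at boot, so leftover policy is worth avoiding. I would gate the block on `[ -e /etc/apparmor.d/mullvad ]`, run `apparmor_parser -R /etc/apparmor.d/mullvad || echo "Failed to unload apparmor profile"` inside it, and then run the `rm -f` unconditionally. The block sits after the `esac`, so it appears to run on every invocation of the script, upgrades included; confirm that the install script always runs afterwards for the package formats concerned.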
\ No newline at end of file
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
index ada829057b..6cae17885a 100644
--- a/gui/tasks/distribution.js
+++ b/gui/tasks/distribution.js
@@ -175,6 +175,7 @@ const config = {
 { from: distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-problem-report')), to: '.' },
 { from: distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-setup')), to: '.' },
 { from: distAssets(path.join(getLinuxTargetSubdir(), 'libtalpid_openvpn_plugin.so')), to: '.' },
+ { from: distAssets(path.join('linux', 'apparmor_mullvad')), to: '.' },
 { from: distAssets(path.join('binaries', '${env.TARGET_TRIPLE}', 'openvpn')), to: '.' },
 ],
 }, |
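Review bot: dist-assets/linux/apparmor_mullvad has no header comment explaining why the profile is `flags=(unconfined)` with `userns,`, which is the first thing an administrator auditing /etc/apparmor.d will want to know. I would add a leading comment such as `# Lets the Electron sandbox of the Mullvad GUI create unprivileged user namespaces; applies no other confinement`, plus a line naming the install script that places the file. The profile name `mullvad` is generic for a profile attached to the single binary `/opt/Mullvad\ VPN/mullvad-gui`; a name that mentions the GUI would read better in `aa-status` output, though it would have to change together with the paths in the install and remove scripts. The file also ends without a trailing newline.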
