authorMarkus Pettersson <markus.pettersson@mullvad.net>2023-10-24 15:36:39 +0200
committerMarkus Pettersson <markus.pettersson@mullvad.net>2023-11-07 19:34:14 +0100
commit288a29de4d1ba2c0771afa37b64c39f727b13706 (patch)
treee45bb05a57db74d2ddfa3954fd9e8c3e899b771c /mullvad-api/src
parent77d41767571f6e1b0d3f096c67410932dd1db90d (diff)
downloadmullvadvpn-288a29de4d1ba2c0771afa37b64c39f727b13706.tar.xz
mullvadvpn-288a29de4d1ba2c0771afa37b64c39f727b13706.zip
Configure firewall rules to allow proxy clients
The default setting will (always) be to only allow processes with root privileges to send/receive traffic from an allowed endpoint. This change is only supposed to be used with the local SOCKS5 API access method.
Diffstat (limited to 'mullvad-api/src')
-rw-r--r--mullvad-api/src/lib.rs6
-rw-r--r--mullvad-api/src/proxy.rs32
-rw-r--r--mullvad-api/src/rest.rs6
3 files changed, 38 insertions, 6 deletions
diff --git a/mullvad-api/src/lib.rs b/mullvad-api/src/lib.rs
index 267fdfd811..5a436fe1bf 100644
--- a/mullvad-api/src/lib.rs
+++ b/mullvad-api/src/lib.rs
@@ -21,7 +21,7 @@ use std::{
ops::Deref,
path::Path,
};
-use talpid_types::{net::Endpoint, ErrorExt};
+use talpid_types::{net::AllowedEndpoint, ErrorExt};
pub mod availability;
use availability::{ApiAvailability, ApiAvailabilityHandle};
@@ -221,13 +221,13 @@ pub enum Error {
/// Closure that receives the next API (real or proxy) endpoint to use for `api.mullvad.net`.
/// It should return a future that determines whether to reject the new endpoint or not.
-pub trait ApiEndpointUpdateCallback: Fn(Endpoint) -> Self::AcceptedNewEndpoint {
+pub trait ApiEndpointUpdateCallback: Fn(AllowedEndpoint) -> Self::AcceptedNewEndpoint {
type AcceptedNewEndpoint: Future<Output = bool> + Send;
}
impl<U, T: Future<Output = bool> + Send> ApiEndpointUpdateCallback for U
where
- U: Fn(Endpoint) -> T,
+ U: Fn(AllowedEndpoint) -> T,
{
type AcceptedNewEndpoint = T;
}
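Review bot: The doc comment above `ApiEndpointUpdateCallback` still describes the argument as only the next API endpoint, but the closure now receives an `AllowedEndpoint`, which (as built in the rest.rs hunk of this commit) also carries the set of clients permitted to reach it. Implementers presumably use this value to open a firewall exception, so the comment should state that the client set is part of what they accept or reject, e.g. `/// Closure that receives the next API (real or proxy) endpoint together with the clients allowed to reach it.` The trait's remaining items lie within the hunk, so no other text needs changing here.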
diff --git a/mullvad-api/src/proxy.rs b/mullvad-api/src/proxy.rs
index 0727628596..783cc8a157 100644
--- a/mullvad-api/src/proxy.rs
+++ b/mullvad-api/src/proxy.rs
@@ -9,7 +9,7 @@ use std::{
task::{self, Poll},
};
use talpid_types::{
- net::{Endpoint, TransportProtocol},
+ net::{AllowedClients, Endpoint, TransportProtocol},
ErrorExt,
};
use tokio::{
@@ -143,6 +143,36 @@ impl ApiConnectionMode {
}
}
+ #[cfg(unix)]
+ pub fn allowed_clients(&self) -> AllowedClients {
+ use access_method::Socks5;
+ match self {
+ ApiConnectionMode::Proxied(ProxyConfig::Socks(Socks5::Local(_))) => AllowedClients::All,
+ ApiConnectionMode::Direct | ApiConnectionMode::Proxied(_) => AllowedClients::Root,
+ }
+ }
+
+ #[cfg(windows)]
+ pub fn allowed_clients(&self) -> AllowedClients {
+ use access_method::Socks5;
+ match self {
+ ApiConnectionMode::Proxied(ProxyConfig::Socks(Socks5::Local(_))) => {
+ AllowedClients::all()
+ }
+ ApiConnectionMode::Direct | ApiConnectionMode::Proxied(_) => {
+ let daemon_exe = std::env::current_exe().expect("failed to obtain executable path");
+ vec![
+ daemon_exe
+ .parent()
+ .expect("missing executable parent directory")
+ .join("mullvad-problem-report.exe"),
+ daemon_exe,
+ ]
+ .into()
+ }
+ }
+ }
+
pub fn is_proxy(&self) -> bool {
*self != ApiConnectionMode::Direct
}
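Review bot: In the Windows `allowed_clients`, the non-local branch calls `std::env::current_exe().expect(...)` and `.parent().expect(...)` on every invocation, so a failure to resolve the path panics the caller rather than failing closed; the rest.rs hunk in this commit calls it on each connection-mode switch. The standard library documents the result of `current_exe` as unsuitable for security decisions, and here it becomes a firewall allow-list, so resolving both paths once at daemon start-up and reusing them would be safer than recomputing them per call. This new public method also has no doc comment; something like `/// Clients the firewall should allow to reach the API endpoint. Only a local SOCKS5 proxy widens this beyond root (Unix) or the daemon's own executables (Windows).` would record that the `All` case presumably lets any local process reach that endpoint. The match depends on the `Socks5::Local` arm preceding the catch-all `Proxied(_)`, so a one-line comment noting that new proxy kinds default to the restrictive set would protect that ordering; the enclosing `impl ApiConnectionMode` starts and ends outside the hunk.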
diff --git a/mullvad-api/src/rest.rs b/mullvad-api/src/rest.rs
index a973c32f2a..2484bec64b 100644
--- a/mullvad-api/src/rest.rs
+++ b/mullvad-api/src/rest.rs
@@ -25,7 +25,7 @@ use std::{
time::Duration,
};
use talpid_types::{
- net::{Endpoint, TransportProtocol},
+ net::{AllowedEndpoint, Endpoint, TransportProtocol},
ErrorExt,
};
@@ -217,8 +217,10 @@ impl<
TransportProtocol::Tcp,
),
};
+ let clients = new_config.allowed_clients();
+ let allowed_endpoint = AllowedEndpoint { endpoint, clients };
// Switch to new connection mode unless rejected by address change callback
- if (self.new_address_callback)(endpoint).await {
+ if (self.new_address_callback)(allowed_endpoint).await {
self.connector_handle.set_connection_mode(new_config);
}
}