commit:     f5a3836facfa2dc8192eb0a306cd8a92274c121e
Author:     Itai Ferber <itai <AT> itaiferber <DOT> net>
AuthorDate: Fri May 10 18:23:11 2024 +0000
Commit:     Viorel Munteanu <ceamac <AT> gentoo <DOT> org>
CommitDate: Fri May 10 18:23:11 2024 +0000
URL:        https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=f5a3836f

net-vpn/mullvadvpn-app: Enable setuid bit for mullvad-exclude

Signed-off-by: Itai Ferber <itai <AT> itaiferber.net>

 net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild 
b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
index 1efc699958..4332496f1a 100644
--- a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
+++ b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
@@ -49,6 +49,12 @@ src_install() {
        dobin "${S}"/usr/bin/mullvad-exclude
        dosym "../../opt/Mullvad VPN/resources/mullvad-problem-report" 
/usr/bin/mullvad-problem-report
 
+       # mullvad-exclude uses cgroups to manage exclusions, which requires 
root permissions, but is
+       # also most often used to exclude graphical applications which can't or 
shouldn't run as root
+       # (i.e., can't be run under `sudo/doas /usr/bin/mullvad-exclude ...`, 
because `sudo`/`doas`
+       # change user). The setuid bit allows any user to exclude executables 
under their own UID.
+       fperms 4755 /usr/bin/mullvad-exclude
+
        newinitd "${FILESDIR}"/mullvad-daemon.initd mullvad-daemon
 
        systemd_newunit "${S}"/usr/lib/systemd/system/mullvad-daemon.service 
mullvad-daemon.service
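Review bot: `fperms 4755 /usr/bin/mullvad-exclude` makes a prebuilt binary setuid-root and executable by every local user. The comment's claim that programs are excluded "under their own UID" holds only if mullvad-exclude drops root before it executes the target, which nothing in this ebuild verifies. I would record that assumption next to the call, e.g. `# Relies on mullvad-exclude dropping root back to the calling UID before exec; re-check on every version bump.` If access for all users is not required, a dedicated group would narrow who can reach the setuid entry point: `fowners root:<group> /usr/bin/mullvad-exclude` with `fperms 4750`, where `<group>` is a placeholder for the maintainer to choose. Because the binary is installed as shipped by upstream, it is also worth confirming that it passes the usual hardening checks for setuid files. src_install's body begins and ends outside the hunk.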
