commit: f5a3836facfa2dc8192eb0a306cd8a92274c121e Author: Itai Ferber <itai <AT> itaiferber <DOT> net> AuthorDate: Fri May 10 18:23:11 2024 +0000 Commit: Viorel Munteanu <ceamac <AT> gentoo <DOT> org> CommitDate: Fri May 10 18:23:11 2024 +0000 URL: https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=f5a3836f
net-vpn/mullvadvpn-app: Enable setuid bit for mullvad-exclude Signed-off-by: Itai Ferber <itai <AT> itaiferber.net> net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
index 1efc699958..4332496f1a 100644
--- a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
+++ b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
@@ -49,6 +49,12 @@ src_install() {
 dobin "${S}"/usr/bin/mullvad-exclude
 dosym "../../opt/Mullvad VPN/resources/mullvad-problem-report" /usr/bin/mullvad-problem-report
+ # mullvad-exclude uses cgroups to manage exclusions, which requires root permissions, but is
+ # also most often used to exclude graphical applications which can't or shouldn't run as root
+ # (i.e., can't be run under `sudo/doas /usr/bin/mullvad-exclude ...`, because `sudo`/`doas`
+ # change user). The setuid bit allows any user to exclude executables under their own UID.
+ fperms 4755 /usr/bin/mullvad-exclude
+
 newinitd "${FILESDIR}"/mullvad-daemon.initd mullvad-daemon
 systemd_newunit "${S}"/usr/lib/systemd/system/mullvad-daemon.service mullvad-daemon.service
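Review bot: `fperms 4755 /usr/bin/mullvad-exclude` leaves a prebuilt binary setuid root and executable by every local user, while the comment above it explains why root is needed but not why that is safe. The claim that programs are excluded "under their own UID" holds only if the binary drops privileges before it executes the target, which the hunk cannot show. The comment should record that this was checked for the packaged version, for example `# Verified for this version: drops to the caller's UID before exec; re-check on every bump.`, assuming that is what upstream does. If not every local account needs split tunnelling, consider limiting execution to a dedicated group with `fowners` and mode `4750` instead of world-executable. src_install begins and ends outside the hunk.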