Merge branch 'ubuntu-add-apparmor-profile'

mullvad · Apr 30, 2024 · ea344c2 · ea344c2
2 parents 72be78c + 0a04a28
commit ea344c2
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,10 @@ Line wrap the file at 100 chars.                                              Th
 ### Added
 - Add custom bridge settings in GUI.
 
+### Fixed
+#### Linux
+- Fix GUI not working on Ubuntu 24.04 by adding an AppArmor profile.
+
 
 ## [2024.2] - 2024-04-29
 ### Fixed

diff --git a/dist-assets/linux/after-install.sh b/dist-assets/linux/after-install.sh
@@ -6,3 +6,20 @@ chmod u+s "/usr/bin/mullvad-exclude"
 systemctl enable "/usr/lib/systemd/system/mullvad-daemon.service"
 systemctl start mullvad-daemon.service || echo "Failed to start mullvad-daemon.service"
 systemctl enable "/usr/lib/systemd/system/mullvad-early-boot-blocking.service"
+
+# return 0 if version $1 is greater than or equal to $2
+function version_is_ge {
+    [ "$1" = "$2" ] && return 0
+    printf '%s\n' "$2" "$1" | sort -C -V
+}
+
+# Ubuntu 24.04 or newer: Install apparmor profile to allow Electron sandbox to work
+# This disables user namespace restrictions
+os=$(grep -oP '^ID=\K.+' /etc/os-release | tr -d '"')
+version=$(grep -oP '^VERSION_ID=\K.+' /etc/os-release | tr -d '"')
+
+if [[ "$os" == "ubuntu" ]] && version_is_ge "$version" "24.04"; then
+    echo "Creating apparmor profile"
+    cp /opt/Mullvad\ VPN/resources/apparmor_mullvad /etc/apparmor.d/mullvad
+    apparmor_parser -r /etc/apparmor.d/mullvad || echo "Failed to reload apparmor profile"
+fi
diff --git a/dist-assets/linux/after-remove.sh b/dist-assets/linux/after-remove.sh
@@ -74,3 +74,9 @@ esac
 # Different electron versions can have incompatible GPU caches. Clearing it on upgrades makes sure
 # the same cache is not used across versions.
 clear_gpu_cache
+
+# Remove apparmor profile
+if apparmor_parser -R /etc/apparmor.d/mullvad &>/dev/null; then
+    echo "Removing apparmor profile"
+    rm -f /etc/apparmor.d/mullvad || echo "Failed to delete apparmor profile"
+fi
diff --git a/dist-assets/linux/apparmor_mullvad b/dist-assets/linux/apparmor_mullvad
@@ -0,0 +1,8 @@
+abi <abi/4.0>,
+include <tunables/global>
+
+profile mullvad /opt/Mullvad\ VPN/mullvad-gui flags=(unconfined) {
+  userns,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/mullvad>
+}
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
@@ -175,6 +175,7 @@ const config = {
       { from: distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-problem-report')), to: '.' },
       { from: distAssets(path.join(getLinuxTargetSubdir(), 'mullvad-setup')), to: '.' },
       { from: distAssets(path.join(getLinuxTargetSubdir(), 'libtalpid_openvpn_plugin.so')), to: '.' },
+      { from: distAssets(path.join('linux', 'apparmor_mullvad')), to: '.' },
       { from: distAssets(path.join('binaries', '${env.TARGET_TRIPLE}', 'openvpn')), to: '.' },
     ],
   },