From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1629655-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 10656158064
	for <garchives@archives.gentoo.org>; Fri, 10 May 2024 18:24:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id ED7AEE2A23;
	Fri, 10 May 2024 18:24:09 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C0A6EE2A23
	for <gentoo-commits@lists.gentoo.org>; Fri, 10 May 2024 18:24:09 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 7F046343003
	for <gentoo-commits@lists.gentoo.org>; Fri, 10 May 2024 18:24:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id E26531779
	for <gentoo-commits@lists.gentoo.org>; Fri, 10 May 2024 18:24:06 +0000 (UTC)
From: "Itai Ferber" <itai@itaiferber.net>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Itai Ferber" <itai@itaiferber.net>
Message-ID: <1715365391.f5a3836facfa2dc8192eb0a306cd8a92274c121e.itai@gentoo>
Subject: [gentoo-commits] repo/proj/guru:dev commit in: net-vpn/mullvadvpn-app/
X-VCS-Repository: repo/proj/guru
X-VCS-Files: net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
X-VCS-Directories: net-vpn/mullvadvpn-app/
X-VCS-Committer: itai
X-VCS-Committer-Name: Itai Ferber
X-VCS-Revision: f5a3836facfa2dc8192eb0a306cd8a92274c121e
X-VCS-Branch: dev
Date: Fri, 10 May 2024 18:24:06 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 83dfc01c-bf20-4ee9-a358-6bfe44ad3ffd
X-Archives-Hash: c95fb2e6532f979e471f1064cf080e8f

commit:     f5a3836facfa2dc8192eb0a306cd8a92274c121e
Author:     Itai Ferber <itai <AT> itaiferber <DOT> net>
AuthorDate: Fri May 10 18:23:11 2024 +0000
Commit:     Itai Ferber <itai <AT> itaiferber <DOT> net>
CommitDate: Fri May 10 18:23:11 2024 +0000
URL:        https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=f5a3836f

net-vpn/mullvadvpn-app: Enable setuid bit for mullvad-exclude

Signed-off-by: Itai Ferber <itai <AT> itaiferber.net>

 net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
index 1efc699958..4332496f1a 100644
--- a/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
+++ b/net-vpn/mullvadvpn-app/mullvadvpn-app-2024.2.ebuild
@@ -49,6 +49,12 @@ src_install() {
 	dobin "${S}"/usr/bin/mullvad-exclude
 	dosym "../../opt/Mullvad VPN/resources/mullvad-problem-report" /usr/bin/mullvad-problem-report
 
+	# mullvad-exclude uses cgroups to manage exclusions, which requires root permissions, but is
+	# also most often used to exclude graphical applications which can't or shouldn't run as root
+	# (i.e., can't be run under `sudo/doas /usr/bin/mullvad-exclude ...`, because `sudo`/`doas`
+	# change user). The setuid bit allows any user to exclude executables under their own UID.
+	fperms 4755 /usr/bin/mullvad-exclude
+
 	newinitd "${FILESDIR}"/mullvad-daemon.initd mullvad-daemon
 
 	systemd_newunit "${S}"/usr/lib/systemd/system/mullvad-daemon.service mullvad-daemon.service
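
Review bot: `fperms 4755 /usr/bin/mullvad-exclude` makes the helper setuid and executable by every local account, while the comment above it asserts that excluded programs run "under their own UID" without saying what guarantees that. With a world-executable mode, any flaw in how the helper handles its arguments or environment before it drops privileges is reachable by all local users. The comment should state where the privilege drop happens, or point to the upstream packaging that ships the same mode. Consider mode 4750 with a dedicated group so that access is opt-in per user. The setuid bit only grants root if the file is root-owned, which this hunk leaves to the default ownership from `dobin`; an explicit `fowners root:root` next to the `fperms` line would make that dependency visible. The change also alters installed file modes in the existing `mullvadvpn-app-2024.2.ebuild` without a revision bump, so systems that already merged 2024.2 will not pick up the new mode until the package is rebuilt.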