fix: outbound freedom for xray (#2479)

* fix: outbound freedom for xray on linux * fix: outbound freedom for xray on macOS * build: auto-generate pf rules based on the build type
2026-05-08 14:33:23 +00:00 · 2026-05-04 15:39:07 +04:00
parent c28452a5da
commit c0cae0ff01
15 changed files with 221 additions and 7 deletions
--- a/deploy/data/macos/AmneziaVPN.plist
+++ b/deploy/data/macos/AmneziaVPN.plist
@@ -12,6 +12,8 @@
    <true/>
    <key>RunAtLoad</key>
    <true/>
+    <key>GroupName</key>
+    <string>amnvpn</string>
    <key>Sockets</key>
 	<dict>
 	    <key>Listeners</key>
--- a/deploy/data/macos/pf/amn.400.allowPIA.conf
+++ b/deploy/data/macos/pf/amn.400.allowPIA.conf
@@ -1,2 +0,0 @@
-# Allow traffic by privileged group (used by daemon)
-pass out proto { tcp, udp } group  { amnvpn } flags any no state
--- a/deploy/data/macos/post_install.sh
+++ b/deploy/data/macos/post_install.sh
@@ -1,6 +1,7 @@
 #!/bin/bash

 APP_NAME=AmneziaVPN
+SERVICE_GROUP=amnvpn
 PLIST_NAME=$APP_NAME.plist
 LAUNCH_DAEMONS_PLIST_NAME=/Library/LaunchDaemons/$PLIST_NAME
 LOG_FOLDER=/var/log/$APP_NAME
@@ -34,6 +35,18 @@ fi
 run_cmd launchctl bootout system "$LAUNCH_DAEMONS_PLIST_NAME" || run_cmd launchctl unload "$LAUNCH_DAEMONS_PLIST_NAME"
 run_cmd rm -f "$LAUNCH_DAEMONS_PLIST_NAME"

+# Add separate group for xray filtering
+if dscl . -read "/Groups/$SERVICE_GROUP" >/dev/null 2>&1; then
+  log "Group $SERVICE_GROUP already exists"
+  return 0
+else
+  local next_gid
+  next_gid=$(dscl . -list /Groups PrimaryGroupID 2>/dev/null | awk '{print $2}' | sort -n | awk '$1>=500{g=$1} END{print (g?g+1:501)}')
+  run_cmd dscl . -create "/Groups/$SERVICE_GROUP"
+  run_cmd dscl . -create "/Groups/$SERVICE_GROUP" PrimaryGroupID "$next_gid"
+  run_cmd dscl . -create "/Groups/$SERVICE_GROUP" RealName "Amnezia VPN Service Group"
+fi
+
 run_cmd sudo chmod -R a-w "$APP_PATH/"
 run_cmd sudo chown -R root "$APP_PATH/"
 run_cmd sudo chgrp -R wheel "$APP_PATH/"
--- a/deploy/data/macos/post_uninstall.sh
+++ b/deploy/data/macos/post_uninstall.sh
@@ -8,6 +8,7 @@ USER_APP_SUPPORT="$HOME/Library/Application Support/$APP_NAME"
 SYSTEM_APP_SUPPORT="/Library/Application Support/$APP_NAME"
 LOG_FOLDER="/var/log/$APP_NAME"
 CACHES_FOLDER="$HOME/Library/Caches/$APP_NAME"
+SERVICE_GROUP="amnvpn"

 # Attempt to quit the GUI application if it's currently running
 if pgrep -x "$APP_NAME" > /dev/null; then
@@ -81,4 +82,20 @@ if sudo pfctl -s info 2>/dev/null | grep -q '^Status: Enabled' && \
    sudo pfctl -d 2>/dev/null || true
 fi

+# Remove amnvpn group if it's not referenced by users
+if dscl . -read "/Groups/$SERVICE_GROUP" >/dev/null 2>&1; then
+    group_gid=$(dscl . -read "/Groups/$SERVICE_GROUP" PrimaryGroupID 2>/dev/null | awk '{print $2}')
+    users_with_primary_gid=""
+    if [ -n "$group_gid" ]; then
+        users_with_primary_gid=$(dscl . -list /Users PrimaryGroupID 2>/dev/null | awk -v gid="$group_gid" '$2 == gid {print $1}')
+    fi
+
+    if [ -z "$users_with_primary_gid" ]; then
+        echo "Removing group $SERVICE_GROUP"
+        sudo dscl . -delete "/Groups/$SERVICE_GROUP" || true
+    else
+        echo "Keeping group $SERVICE_GROUP (still used by users): $users_with_primary_gid"
+    fi
+fi
+
 # -----------------------------------------------------------
--- a/deploy/data/pf-templates/amn.400.allowPIA.conf.in
+++ b/deploy/data/pf-templates/amn.400.allowPIA.conf.in
@@ -0,0 +1,2 @@
+# Allow traffic by configured identity (set by CMake)
+pass out proto { tcp, udp } @AMN_PF_RULE_IDENTITY@ flags any no state