diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71e63f6084cd..b47012e17297 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,10 @@ Line wrap the file at 100 chars. Th
 ### Fixed
 - (macOS and Windows only) Add the correct route when using obfuscation with Wireguard.
+#### macOS
+- Fix daemon ending up in blocked state if the user toggled split tunneling without having granted
+ Full Disk Access to `mullvad-daemon`. This could only ever be accomplished from the CLI.
+
 ## [2025.2] - 2025-01-08
 ### Fixed
diff --git a/mullvad-daemon/src/lib.rs b/mullvad-daemon/src/lib.rs
index b313e274bc2c..2d60395689c0 100644
--- a/mullvad-daemon/src/lib.rs
+++ b/mullvad-daemon/src/lib.rs
@@ -1539,11 +1539,26 @@ impl Daemon {
 tx: ResponseTx<(), Error>,
 ) {
 let save_result = match update {
- ExcludedPathsUpdate::SetState(state) => self
- .settings
- .update(move |settings| settings.split_tunnel.enable_exclusions = state)
- .await
- .map_err(Error::SettingsError),
+ ExcludedPathsUpdate::SetState(state) => {
+ let split_tunnel_was_enabled =
+ self.settings.to_settings().split_tunnel.enable_exclusions;
+ let save_result = self
+ .settings
+ .update(move |settings| settings.split_tunnel.enable_exclusions = state)
+ .await
+ .map_err(Error::SettingsError);
+ // If FDA is disabled, we may want to reconnect after disabling split tunneling. We
+ // have observed users getting into the blocked state until they reconnect in these
+ // scenarios. Since FDA is an implementation detail of split tunneling, we don't
+ // actually have a way of getting this information at this point, so we default to
+ // always reconnecting on macOS. This code can be removed if we ever remove our
+ // dependency on FDA.
+ let split_tunnel_will_be_disabled = !state;
+ if split_tunnel_was_enabled && split_tunnel_will_be_disabled {
+ self.reconnect_tunnel();
+ }
+ save_result
+ }
 ExcludedPathsUpdate::SetPaths(paths) => self
 .settings
 .update(move |settings| settings.split_tunnel.apps = paths)
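Review bot: `self.reconnect_tunnel()` in the new `SetState` arm runs even when the settings update failed, because `save_result` is only returned afterwards and never checked; a failed save then drops the tunnel although `enable_exclusions` did not change. Gate the reconnect on success, e.g. `if save_result.is_ok() && split_tunnel_was_enabled && !state { self.reconnect_tunnel(); }`. The comment also says the reconnect is the macOS default, but nothing in the hunk restricts it to macOS, so if this function is compiled for other platforms too (not visible here) they would reconnect as well; adding `cfg!(target_os = "macos")` to the condition would make the code match the comment. The function starts and ends outside the hunk.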