File opensnitch.spec of Package opensnitch

#
# spec file for package opensnitch
#
# copyright (c) 2023 munix9@googlemail.com
#

# Choose which kernel source tree the eBPF module is compiled against.
# _pver is the major.minor of the kernel running on the build host (read via
# uname -r when the spec is parsed); _kver packs it as major*1000+minor so it
# can be compared numerically (5.19 -> 5019).
# NOTE(review): this keys off the build worker's running kernel, not the kernel
# of the distribution being targeted, so the same sources can yield a different
# eBPF object depending on where the build ran - confirm this is intended.
%global _pver %(uname -r | cut -d'.' -f-2)
%global _kver %(printf "%%d%%03d" $(echo "%{_pver}" | tr '.' ' '))
%if %{_kver} < 5019
# Build-host kernel older than 5.19: use the linux-5.8 tree (Source20).
%define _lxv 5.8
%define _lsc %{SOURCE20}
%else
# Build-host kernel 5.19 or newer: use the linux-5.19 tree (Source22).
%define _lxv 5.19
%define _lsc %{SOURCE22}
%endif

# ui_tests is off by default; building with "--with ui_tests" keeps ui/tests
# and produces the ui-tests subpackage.
%bcond_with ui_tests

Name:           opensnitch
Version:        1.5.8.1
Release:        0
Summary:        GNU/Linux interactive application firewall
License:        GPL-3.0-or-later
URL:            https://github.com/evilsocket/opensnitch
Source0:        https://github.com/evilsocket/opensnitch/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# Pre-vendored Go modules; unpacked into daemon/ in the prep section and used
# through GOFLAGS -mod=vendor in the build section.
Source1:        vendor.tar.xz
Source2:        %{name}-ui
Source3:        %{name}-ui-actions
Source4:        locale-sh.tar.gz
# https://salsa.debian.org/go-team/packages/opensnitch/-/tree/debian/sid/debian/man
Source10:       opensnitchd.1
Source11:       opensnitch-ui.1
# ebpf-modules
# NOTE(review): the detached kernel.org signatures (Source21/Source23) and
# linux.keyring (Source25) are carried as sources, but no step in the prep
# section of this spec checks the kernel tarball against them before it is
# unpacked and compiled - confirm the build service verifies it, or add an
# explicit signature check.
Source20:       https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.8.tar.xz
Source21:       https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.8.tar.sign
Source22:       https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.19.tar.xz
Source23:       https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.19.tar.sign
Source25:       linux.keyring
# The two kernel tarballs are excluded from the source RPM.
NoSource:       20
NoSource:       22
#KEEP NOSOURCE DEBUGINFO
# https://github.com/evilsocket/opensnitch/wiki/Known-problems#cannot-open-kprove_events
Source30:       %{name}-selinux-policy.zip
# https://github.com/evilsocket/opensnitch/wiki/Known-problems#desktop-environment-does-not-boot-up
Source31:       000-allow-localhost.json
Patch0:         fix-opensnitchd_service.patch
Patch1:         fix-opensnitch_ui_desktop.patch
Patch2:         fix-make_ads_rules_py.patch
Patch3:         fix-go_mod-require.patch
Patch4:         fix-remove-go_get.patch
Patch5:         fix-remove-dist_path.patch
BuildRequires:  AppStream
BuildRequires:  fdupes
BuildRequires:  golang-packaging
BuildRequires:  pkgconfig
BuildRequires:  protoc-gen-go
BuildRequires:  protoc-gen-go-grpc
BuildRequires:  pkgconfig(libmnl)
BuildRequires:  pkgconfig(libnetfilter_queue)
BuildRequires:  pkgconfig(libpcap)
BuildRequires:  pkgconfig(protobuf)
# ebpf-modules
BuildRequires:  bc
BuildRequires:  bison
BuildRequires:  clang
BuildRequires:  flex
BuildRequires:  libelf-devel
BuildRequires:  libopenssl-devel
BuildRequires:  llvm
BuildRequires:  python3
BuildRequires:  rsync
Requires:       logrotate
Recommends:     %{name}-ui = %{version}
# The eBPF object is shipped inside this package; these tags advertise which
# kernel tree it was built from and replace the former separate ebpf-modules
# package.
Provides:       %{name}-ebpf-modules-%{_lxv} = %{version}
Provides:       %{name}-ebpf-modules = %{version}
Obsoletes:      %{name}-ebpf-modules < %{version}
%{?systemd_ordering}

%description
OpenSnitch is a GNU/Linux firewall application.
Whenever a program makes a connection, it'll prompt the user to allow or deny
it.

The user can decide whether to block the outgoing connection based on
properties of the connection: by port, by uid, by dst ip, by program or a
combination of them.

These rules can last forever, until the app restarts, or just one time.

The GUI allows the user to view live outgoing connections, as well as search
by process, user, host or port.

OpenSnitch can also work as a system-wide domains blocker, by using lists
of domains, list of IPs or list of regular expressions.

%package ui
# GUI subpackage: architecture-independent Python/Qt5 front end. It only
# suggests the daemon package, so installing the GUI does not pull the daemon in.
Summary:        GNU/Linux interactive application firewall GUI
License:        GPL-3.0-only
BuildRequires:  hicolor-icon-theme
BuildRequires:  python-rpm-macros
BuildRequires:  python3-grpcio-tools
BuildRequires:  python3-qt5-devel
BuildRequires:  python3-setuptools
BuildRequires:  update-desktop-files
# File dependency: whichever package provides the notify-send binary.
Requires:       %{_bindir}/notify-send
Requires:       gettext-runtime
Requires:       python3-grpcio-tools
Requires:       python3-notify2
Requires:       python3-protobuf
Requires:       python3-pyinotify
Requires:       python3-python-slugify
Requires:       python3-qt5
Requires:       xdg-user-dirs
Requires:       xdg-utils
Recommends:     python3-pyasn1
Recommends:     python3-qt-material
Suggests:       %{name} = %{version}
BuildArch:      noarch

%description ui
opensnitch-ui is a GUI for opensnitch written in Python.

It allows the user to view live outgoing connections, as well as search
for details of the intercepted connections.

The user can decide whether to block outgoing connections based on properties
of the connection: by port, by uid, by dst ip, by program or a combination
of them.

These rules can last forever, until the daemon is restarted, or just one time.

OpenSnitch can also work as a system-wide domains blocker, by using lists
of domains, list of IPs or list of regular expressions.

%if %{with ui_tests}
%package ui-tests
# Only defined when the ui_tests build conditional is enabled; needs the GUI
# package of the same version plus pytest-qt to run.
Summary:        GUI unit tests
License:        GPL-3.0-only
Requires:       %{name}-ui = %{version}
Requires:       python3-pytest-qt
BuildArch:      noarch

%description ui-tests
This package provides GUI unit tests for the OpenSnitch application firewall.
%endif

%prep
# Unpack Source0, unpack Source4 (-a4, the locale-sh tarball) inside the
# source tree, and apply all Patch entries with -p1.
%autosetup -a4 -p1
# Vendored Go modules go into daemon/ so the daemon can build with -mod=vendor.
tar -xf %{SOURCE1} -C daemon
# Unpack the kernel tree selected at the top of the spec (linux-5.8 or 5.19).
# NOTE(review): nothing here checks this tarball against the .sign files and
# linux.keyring listed as sources before it is unpacked and built. kernel.org
# signs the uncompressed .tar, so a check would have to decompress first
# (xz -cd piped into gpgv with that keyring) - confirm where verification
# happens, since the tarball is also excluded from the source RPM.
tar -xf %{_lsc}

%if %{without ui_tests}
# The GUI tests are dropped from the tree unless the ui_tests conditional is on.
rm -r ui/tests
%endif

# remove shebang, fix non-executable-script error
sed -e '/^#!\/usr\/bin\/python.*/d' -i ui/opensnitch/notifications.py

# ebpf-modules
# Apply the patches shipped in ebpf_prog/ to the kernel tree, then place the
# OpenSnitch eBPF source and its Makefile into samples/bpf so the kernel's
# sample build compiles them.
%ifarch %{arm32} %{arm64}
patch linux-%{_lxv}/arch/arm/include/asm/unified.h -i ebpf_prog/arm-clang-asm-fix.patch
%endif
patch linux-%{_lxv}/tools/lib/bpf/bpf_helpers.h -i ebpf_prog/file.patch
cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-%{_lxv}/samples/bpf

%build
# "-ldflags='-linkmode=external -buildid='" moved in fix-remove-go_get.patch
# Build the Go daemon only from the vendored modules (no module download at
# build time), as a position-independent executable and with local build
# paths trimmed from the binary.
export GOFLAGS="-mod=vendor -buildmode=pie -trimpath"
# daemon
make

# ui
pushd ui
%python3_build
popd

# ebpf-modules
# Configure the unpacked kernel tree by accepting the default answer to every
# oldconfig prompt, prepare it and install its headers, then build samples/bpf,
# which now contains opensnitch.c (copied there in the prep section).
pushd linux-%{_lxv}
yes "" | make oldconfig
make prepare
make headers_install
cd samples/bpf
make
popd

%install
# daemon
# Daemon binary, the rcopensnitchd -> service symlink, and the systemd unit.
install -D -m 0755 -t %{buildroot}%{_sbindir} daemon/opensnitchd
ln -s service %{buildroot}%{_sbindir}/rcopensnitchd
install -D -m 0644 -t %{buildroot}%{_unitdir} daemon/opensnitchd.service
# Configuration directory, default daemon config and system firewall config.
# NOTE(review): the rules directory is 0755 and the JSON files are 0644, i.e.
# readable by every local user - confirm that exposing the firewall
# configuration this way is acceptable.
install -d -m 0755 %{buildroot}%{_sysconfdir}/opensnitchd/rules
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/opensnitchd daemon/{default-config,system-fw}.json
install -D -m 0644 debian/opensnitch.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
# Empty placeholder for the daemon log; it is listed as a ghost file in the
# files section, so the package owns the path without shipping content.
install -d -m 0755 %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/opensnitchd.log
# Copy the SELinux policy archive and the allow-localhost rule into the build
# directory so the files section can pick them up as documentation.
install -m 0644 -t . %{SOURCE30} %{SOURCE31}

# ui
pushd ui
%python3_install
# wrapper/actions
# Keep the launcher installed by setup.py (plus the actions script, Source3)
# under lib/opensnitchd, then replace the bindir entry with the packaged
# wrapper script (Source2).
install -D -m 0755 -t %{buildroot}%{_prefix}/lib/opensnitchd %{buildroot}%{_bindir}/%{name}-ui %{SOURCE3}
install -D -m 0755 -t %{buildroot}%{_bindir} %{SOURCE2}
%suse_update_desktop_file %{name}_ui
# Validate the AppStream metadata offline (no network access during the build).
appstreamcli validate --no-net %{buildroot}%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
install -D -m 0644 opensnitch/res/icon.png %{buildroot}%{_prefix}/lib/opensnitchd/ui/check.png
install -D -m 0644 opensnitch/res/icon-red.png %{buildroot}%{_prefix}/lib/opensnitchd/ui/disable.png
install -D -m 0644 opensnitch/res/icon-white.png %{buildroot}%{_prefix}/lib/opensnitchd/ui/enable.png
# https://github.com/evilsocket/opensnitch/wiki/Known-problems#opensnicth-gui-not-working-across-reboots
# A copy of the desktop entry goes into the system-wide XDG autostart
# directory, so the GUI is started for desktop sessions without user setup.
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/xdg/autostart \
	%{buildroot}%{_datadir}/applications/%{name}_ui.desktop
popd
install -d -m 0755 %{buildroot}%{_datadir}/locale
cp -a locale-sh/* %{buildroot}%{_datadir}/locale

# ebpf-modules
#export NO_BRP_STRIP_DEBUG=true
# Strip debug info from the compiled eBPF object, install it under
# lib/opensnitchd/ebpf and symlink it into the daemon's configuration directory.
pushd linux-%{_lxv}/samples/bpf
llvm-strip -g opensnitch.o
install -D -m 0644 -t %{buildroot}%{_prefix}/lib/opensnitchd/ebpf opensnitch.o
ln -s %{_prefix}/lib/opensnitchd/ebpf/opensnitch.o %{buildroot}%{_sysconfdir}/opensnitchd/
popd

# man pages
install -D -m 0644 -t %{buildroot}%{_mandir}/man1 %{SOURCE10} %{SOURCE11}

# Replace duplicate files below lib with symlinks.
%fdupes -s %{buildroot}%{_prefix}/lib

# Collect the translation catalogs of the ui-actions script for the files list.
%find_lang %{name}-ui-actions

%check
# NOTE(review): the daemon's Go unit tests below are commented out, so the only
# automated check in this package is the eBPF section probe that follows.
#pushd daemon
#go test -v ./...
#popd
# Sanity check on the built eBPF object: its section headers must contain the
# kprobe/tcp_v4_connect section (the pattern also expects it right after an
# index ending in 1). grep is the last command, so a missing match makes the
# check section exit non-zero.
cd linux-%{_lxv}/samples/bpf
echo "check for '1 kprobe/tcp_v4_connect' in opensnitch.o ..."
objdump -h opensnitch.o | grep "1 kprobe/tcp_v4_connect"

# Package scriptlets: each one hands opensnitchd.service to the matching
# systemd service macro for install, upgrade and removal.
%pre
%service_add_pre opensnitchd.service

%post
%service_add_post opensnitchd.service

%preun
%service_del_preun opensnitchd.service

%postun
%service_del_postun opensnitchd.service

%files
# Daemon package: binary, unit file, configuration, eBPF object and docs.
%license LICENSE
%doc README.md
# The allow-localhost rule and the SELinux policy archive ship as documentation
# only; they are not installed into the active rules directory.
%doc 000-allow-localhost.json opensnitch-selinux-policy.zip
%doc utils/legacy/make_ads_rules.py utils/scripts/ads/update_adlists.sh
%{_sbindir}/opensnitchd
%{_sbindir}/rcopensnitchd
%dir %{_sysconfdir}/opensnitchd
%dir %{_sysconfdir}/opensnitchd/rules
# config(noreplace): locally modified configuration is kept on package update.
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/opensnitchd/*.json
# Symlink to the eBPF object under lib/opensnitchd/ebpf.
%{_sysconfdir}/opensnitchd/opensnitch.o
%dir %{_prefix}/lib/opensnitchd
%{_prefix}/lib/opensnitchd/ebpf
%{_unitdir}/opensnitchd.service
%{_mandir}/man1/opensnitchd.1%{?ext_man}
# Ghost entry: the package owns the log path but ships no file content.
%ghost %{_localstatedir}/log/opensnitchd.log

# GUI package; the translation catalogs come from the find_lang list.
%files ui -f %{name}-ui-actions.lang
%license ui/LICENSE
%doc README.md
%{_bindir}/%{name}-ui
%{_datadir}/applications/%{name}_ui.desktop
%{_datadir}/icons/hicolor/*/apps/%{name}-ui.*
%{_datadir}/kservices5
%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
%dir %{_prefix}/lib/opensnitchd
%{_prefix}/lib/opensnitchd/%{name}-ui
%{_prefix}/lib/opensnitchd/%{name}-ui-actions
%{_prefix}/lib/opensnitchd/ui
# Plain config (no noreplace): an updated package replaces a locally edited
# autostart entry.
%config %{_sysconfdir}/xdg/autostart/%{name}_ui.desktop
%{_mandir}/man1/opensnitch-ui.1%{?ext_man}
%{python3_sitelib}/%{name}
%{python3_sitelib}/%{name}_ui-*.egg-info

%if %{with ui_tests}
%files ui-tests
%doc ui/tests/README.md
%{python3_sitelib}/tests
%endif

%changelog