#
# spec file for package opensnitch
#
# copyright (c) 2025 munix9@googlemail.com
# copyright (c) 2025 juergen@leohel.de
#
# Main package: the opensnitch daemon, its systemd unit, default configuration,
# default rules and the eBPF objects (see the files section).
Name: opensnitch
Version: 1.7.2
Release: 0
Summary: GNU/Linux interactive application firewall
License: GPL-3.0-or-later
URL: https://github.com/evilsocket/opensnitch
Source0: %{name}-%{version}.tar.gz
# Vendored Go modules. Unpacked by autosetup (-a1) in the prep section and
# used through GOFLAGS=-mod=vendor in the build section, so the Go build
# resolves its dependencies from this archive instead of downloading them.
Source1: vendor.tar.xz
# SELinux policy material. Both files are only shipped as documentation (doc
# entries in the files section); nothing in this spec compiles or loads them.
Source10: %{name}-selinux-policy.txt
# https://github.com/evilsocket/opensnitch/issues/475#issuecomment-901838324
# NOTE(review): the zip below is an attachment to the issue comment above and
# not part of the release tarball; presumably user-contributed. No checksum or
# signature is checked in this spec, so confirm the stored copy against the
# URL and review the policy before loading it on a system.
Source11: https://github.com/evilsocket/opensnitch/files/7014033/%{name}-selinux-policy.zip
# logrotate configuration, installed into logrotate.d in the install section.
Source12: opensnitch.logrotate
# All patches are applied with strip level 1 by autosetup in the prep section.
# Their contents are not visible here; going by the file names they adjust the
# upstream Makefiles, setup.py data files, the pyasn data path, the systemd
# unit and the system-sleep handling.
Patch1: fix-daemon-Makefile.patch
Patch2: fix-ui-Makefile.patch
Patch3: fix-ebpf_prog-Makefile.patch
Patch4: fix-setup_py-data_files.patch
Patch5: fix-pyasn-data-path.patch
Patch6: fix-systemd-service.patch
Patch7: fix-system-sleep.patch
# clang and llvm: presumably the toolchain for the eBPF objects built in
# ebpf_prog (llvm-strip is called on them in the install section).
BuildRequires: clang
BuildRequires: fdupes
BuildRequires: golang-packaging
# Kernel sources and headers; the build section points KERNEL_DIR and
# KERNEL_HEADERS at them for the eBPF build.
BuildRequires: kernel-devel
BuildRequires: kernel-default-devel
BuildRequires: llvm
BuildRequires: pkgconfig
BuildRequires: protoc-gen-go
BuildRequires: python3-grpcio-tools
# TODO: Check why it's not possible to use a newer version
# Exact-version pin: until the TODO is resolved, the gRPC code generator stays
# on this one release and does not pick up later fixes.
BuildRequires: protoc-gen-go-grpc = 1.3.0
BuildRequires: pkgconfig(libmnl)
BuildRequires: pkgconfig(libnetfilter_queue)
BuildRequires: pkgconfig(libpcap)
BuildRequires: pkgconfig(protobuf)
# The log directory packaged below is rotated through the logrotate.d entry.
Requires: logrotate
# Weak dependency on the UI subpackage at exactly the same version.
Recommends: %{name}-ui = %{version}
Suggests: bpftool
Suggests: systemd-network
%{?systemd_ordering}
%description
OpenSnitch is a GNU/Linux firewall application.
Whenever a program makes a connection, it'll prompt the user to allow or deny
it.
The user can decide whether to block the outgoing connection based on
properties of the connection: by port, by uid, by dst ip, by program or a
combination of them.
These rules can last forever, until the app restarts, or just one time.
The GUI allows the user to view live outgoing connections, as well as search
by process, user, host or port.
OpenSnitch can also work as a system-wide domains blocker, by using lists
of domains, list of IPs or list of regular expressions.
%package ui
# GUI subpackage. It is written in Python (see its description) and built as
# noarch; it carries its own license tag, different from the daemon package.
Summary: GNU/Linux interactive application firewall GUI
License: GPL-3.0-only AND LGPL-2.1-or-later
BuildRequires: desktop-file-utils
BuildRequires: hicolor-icon-theme
BuildRequires: python-rpm-macros
BuildRequires: python3-pip
BuildRequires: python3-qt5-devel
BuildRequires: python3-setuptools
BuildRequires: python3-wheel
BuildRequires: libqt5-linguist
# Runtime Python dependencies of the UI.
Requires: python3-grpcio-tools
Requires: python3-notify2
Requires: python3-packaging
Requires: python3-protobuf
Requires: python3-pyinotify
Requires: python3-python-slugify
Requires: python3-qt5
# Weak dependency on the daemon at exactly the same version; the UI can be
# installed without it.
Recommends: %{name} = %{version}
# Optional extras: pyasn (the ipasn_db_update.sh script is shipped as doc in
# the files section) and the Qt material theme.
Recommends: python3-pyasn
Recommends: python3-qt-material
BuildArch: noarch
%description ui
opensnitch-ui is a GUI for opensnitch written in Python.
It allows the user to view live outgoing connections, as well as search
for details of the intercepted connections.
The user can decide whether to block outgoing connections based on
properties of the connection: by port, by uid, by dst ip, by program or a
combination of them.
These rules can last forever, until the daemon is restarted, or just one time.
OpenSnitch can also work as a system-wide domains blocker, by using lists
of domains, list of IPs or list of regular expressions.
%prep
# Unpack Source0, additionally unpack source 1 (the vendored Go modules) inside
# the source tree, and apply all patches with strip level 1.
%autosetup -a1 -p1 -n %{name}-%{version}
# Move the vendor tree into daemon/; presumably the Go module built with
# -mod=vendor lives there (the daemon Makefile is not visible here).
mv vendor daemon
# fix "E: non-executable-script"
# Drops the shebang line from a module that is installed without execute bit.
sed '/^#!\/usr\/bin\/env python3$/d' -i ui/%{name}/utils/duration/duration.py
# fix "E: env-script-interpreter"
# Uses a fixed interpreter path instead of looking bash up through env.
sed -e 's|^#!/usr/bin/env bash|#!/usr/bin/bash|' -i utils/scripts/ipasn_db_update.sh
# kernel for ebpf_prog
# On ARM the kernel source tree is copied into the build directory and
# arm-clang-asm-fix.patch is applied to that copy (unified.h). On every other
# architecture the tree is only symlinked as ./linux.
%ifarch %{arm} %{arm64}
cp -a %{_usrsrc}/linux/ .
patch linux/arch/arm/include/asm/unified.h -i ebpf_prog/arm-clang-asm-fix.patch
%else
ln -s %{_usrsrc}/linux
%endif
%build
# Go build flags:
#   -mod=vendor      build only from the vendored modules, no module downloads
#   -buildmode=pie   produce a position-independent executable
#   -trimpath        keep local build paths out of the resulting binary
export GOFLAGS="-mod=vendor -buildmode=pie -trimpath"
# Top-level make, forced to a single job.
%make_build -j1
# Build the wheel for the Python UI.
pushd ui
%python3_pyproject_wheel
popd
# Build the eBPF objects against the kernel tree prepared in the prep section
# (KERNEL_DIR) and the kernel headers from linux-obj (KERNEL_HEADERS).
# On x86_64 only, -fcf-protection is passed through EXTRA_FLAGS.
pushd ebpf_prog
# fix "warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]"
%make_build -j1 \
%ifarch x86_64
EXTRA_FLAGS="-fcf-protection" \
%endif
KERNEL_DIR=../linux \
KERNEL_HEADERS=%{_usrsrc}/linux-obj/%{_target_cpu}/default
popd
%install
# daemon
# Daemon binary (0755) and the systemd unit, which is taken from the upstream
# Debian packaging directory.
install -D -m 0755 -t %{buildroot}%{_bindir} daemon/%{name}d
install -D -m 0644 -t %{buildroot}%{_unitdir} \
utils/packaging/daemon/deb/debian/%{name}.service
# Daemon configuration files, installed 0644.
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/%{name}d \
daemon/{default-config,network_aliases,system-fw}.json
# Default rules are installed 0600, i.e. readable and writable by the owner
# only, unlike the 0644 configuration files above.
install -D -m 0600 -t %{buildroot}%{_sysconfdir}/%{name}d/rules \
daemon/data/rules/*.json
install -D -m 0644 %{SOURCE12} \
%{buildroot}%{_sysconfdir}/logrotate.d/%{name}
# Log directory plus an empty placeholder log file, so the file can be listed
# as a ghost entry in the files section.
# NOTE(review): the directory is 0755 and the placeholder takes its mode from
# the build umask. Confirm that the daemon and the logrotate config create the
# connection log with a restrictive mode, or set an explicit attr entry for it.
install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name}
touch %{buildroot}%{_localstatedir}/log/%{name}/%{name}d.log
# ui
# Install the wheel built earlier, then copy the desktop file it installed
# into the system-wide xdg autostart directory.
pushd ui
%python3_pyproject_install
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/xdg/autostart \
%{buildroot}%{_datadir}/applications/%{name}_ui.desktop
popd
# ebpf_prog
# Strip debug information from the three eBPF objects with llvm-strip and
# install them 0644 under the daemon's lib directory.
#export NO_BRP_STRIP_DEBUG=true
pushd ebpf_prog
llvm-strip -g %{name}{,-dns,-procs}.o
install -D -m 0644 -t %{buildroot}%{_prefix}/lib/%{name}d/ebpf \
%{name}{,-dns,-procs}.o
popd
# Copy the SELinux policy text and zip into the build directory so the doc
# entry in the files section can pick them up. They are documentation only.
cp -p %{SOURCE10} %{SOURCE11} .
# Replace duplicate files below the Python site directory with links.
%fdupes %{buildroot}%{python3_sitelib}
%check
# Validate the installed desktop entry.
desktop-file-validate %{buildroot}%{_datadir}/applications/%{name}_ui.desktop
# Sanity check on the main eBPF object: the section header listing printed by
# objdump must contain the kprobe/tcp_v4_connect section. grep exits non-zero
# when the pattern is missing, which presumably fails the build.
# NOTE(review): the pattern includes the leading section index "1", so the
# check also depends on the section order - confirm that this is intended.
_tst="1 kprobe/tcp_v4_connect"
echo "check for '$_tst' in %{name}.o ..."
objdump -h ebpf_prog/%{name}.o | grep "$_tst"
%pre
# Standard systemd scriptlet macros for the daemon unit, one per phase.
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
# The block below is disabled. It would enable and restart the service on
# every install or update. With it commented out, only the macros above act on
# the unit.
# NOTE(review): whether the daemon is enabled after installation then depends
# on those macros and the systemd presets - confirm for the target
# distribution, because an installed but inactive daemon filters nothing.
#%%posttrans
#if [ -x %%{_bindir}/systemctl ] ; then
# %%{_bindir}/systemctl enable %%{name}.service
# %%{_bindir}/systemctl restart %%{name}.service
#fi
%files
# File list of the daemon package.
%license LICENSE
%doc README.md
# SELinux policy text and zip are shipped as documentation only.
%doc %{name}-selinux-policy.{txt,zip}
%doc utils/scripts/restart-%{name}-onsleep.sh
%{_bindir}/%{name}d
%dir %{_sysconfdir}/%{name}d
%dir %{_sysconfdir}/%{name}d/rules
# config(noreplace): configuration, rules and the logrotate entry that were
# changed locally are kept on update instead of being overwritten.
%config(noreplace) %{_sysconfdir}/%{name}d/*.json
%config(noreplace) %{_sysconfdir}/%{name}d/rules/*.json
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
# eBPF objects installed in the install section.
%dir %{_prefix}/lib/%{name}d
%dir %{_prefix}/lib/%{name}d/ebpf
%{_prefix}/lib/%{name}d/ebpf/%{name}{,-dns,-procs}.o
%{_unitdir}/%{name}.service
# The log file is a ghost entry: owned by the package, but its content is not
# part of the payload. No explicit attr is set for the file or its directory.
%dir %{_localstatedir}/log/%{name}
%ghost %{_localstatedir}/log/%{name}/%{name}d.log
%files ui
# File list of the UI subpackage.
%license ui/LICENSE
%doc README.md
%doc utils/scripts/ipasn_db_update.sh
%{_bindir}/%{name}-ui
%{_datadir}/applications/%{name}_ui.desktop
%{_datadir}/icons/hicolor/*/apps/%{name}-ui.{png,svg}
%dir %{_datadir}/kservices5
%{_datadir}/kservices5/kcm_%{name}.desktop
%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
# System-wide autostart entry for the UI. It is marked as config without
# noreplace, so a package update installs the packaged version even if the
# file was edited locally.
%config %{_sysconfdir}/xdg/autostart/%{name}_ui.desktop
%{python3_sitelib}/%{name}
# The dist-info directory is matched with a wildcard; the commented line below
# is the variant with the exact version.
%{python3_sitelib}/%{name}_ui-*.dist-info
#%%{python3_sitelib}/%%{name}_ui-%%{version}.dist-info
# A top-level tests directory in the site directory is left out of the package.
%exclude %{python3_sitelib}/tests
%changelog