File opensnitch.spec of Package opensnitch
#
# spec file for package opensnitch
#
# copyright (c) 2023 munix9@googlemail.com
#
Name: opensnitch
Version: 1.6.0
Release: 0
Summary: GNU/Linux interactive application firewall
License: GPL-3.0-or-later
URL: https://github.com/evilsocket/opensnitch
Source0: https://github.com/evilsocket/opensnitch/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: vendor.tar.xz
# https://salsa.debian.org/go-team/packages/opensnitch/-/tree/debian/sid/debian/man
Source10: opensnitchd.1
Source11: opensnitch-ui.1
Patch0: fix-systemd-service.patch
Patch1: fix-go_mod-require.patch
Patch2: fix-remove-go_get.patch
Patch3: fix-remove-ui_deps.patch
Patch4: fix-remove-dist_path.patch
Patch5: fix-pyasn-data-path.patch
Patch6: fix-potential-bashisms.patch
Patch7: fix-setup_py.patch
Patch8: fix-daemon-name.patch
BuildRequires: AppStream
BuildRequires: clang
BuildRequires: fdupes
BuildRequires: golang-packaging
BuildRequires: kernel-default-devel
BuildRequires: llvm
BuildRequires: pkgconfig
BuildRequires: protoc-gen-go
BuildRequires: protoc-gen-go-grpc
BuildRequires: pkgconfig(libmnl)
BuildRequires: pkgconfig(libnetfilter_queue)
BuildRequires: pkgconfig(libpcap)
BuildRequires: pkgconfig(protobuf)
Requires: logrotate
Recommends: %{name}-ui = %{version}
Suggests: systemd-network
%{?systemd_ordering}
%description
OpenSnitch is a GNU/Linux firewall application.
Whenever a program makes a connection, it'll prompt the user to allow or deny
it.
The user can decide whether to block the outgoing connection based on
properties of the connection: by port, by uid, by dst ip, by program or a
combination of them.
These rules can last forever, until the app restarts or just one time.
The GUI allows the user to view live outgoing connections, as well as search
by process, user, host or port.
OpenSnitch can also work as a system-wide domain blocker, by using lists
of domains, lists of IPs or lists of regular expressions.
%package ui
Summary: GNU/Linux interactive application firewall GUI
License: GPL-3.0-only
BuildRequires: hicolor-icon-theme
BuildRequires: python-rpm-macros
BuildRequires: python3-grpcio-tools
BuildRequires: python3-pip
BuildRequires: python3-qt5-devel
BuildRequires: python3-setuptools
BuildRequires: python3-wheel
BuildRequires: update-desktop-files
Requires: python3-grpcio-tools
Requires: python3-notify2
Requires: python3-protobuf
Requires: python3-pyinotify
Requires: python3-python-slugify
Requires: python3-qt5
Requires: xdg-user-dirs
Recommends: %{name} = %{version}
Recommends: python3-pyasn
Recommends: python3-qt-material
BuildArch: noarch
%description ui
opensnitch-ui is a GUI for opensnitch written in Python.
It allows the user to view live outgoing connections, as well as search
for details of the intercepted connections.
The user can decide whether to block outgoing connections based on
properties of the connection: by port, by uid, by dst ip, by program or a
combination of them.
These rules can last forever, until the daemon restarts or just one time.
OpenSnitch can also work as a system-wide domain blocker, by using lists
of domains, lists of IPs or lists of regular expressions.
%prep
%autosetup -p1
tar -xf %{SOURCE1} -C daemon
rm -r ui/tests
%build
# "-ldflags='-linkmode=external -buildid='" moved in fix-remove-go_get.patch
export GOFLAGS="-mod=vendor -buildmode=pie -trimpath"
# daemon
make
# ui
pushd ui
%python3_pyproject_wheel
popd
# ebpf-modules
make -C ebpf_prog \
KERNEL_DIR=/lib/modules/$(uname -r)/source \
KERNEL_HEADERS=/lib/modules/$(uname -r)/build
%install
# daemon
install -D -m 0755 -t %{buildroot}%{_sbindir} daemon/opensnitchd
ln -s service %{buildroot}%{_sbindir}/rc%{name}
install -D -m 0644 -t %{buildroot}%{_unitdir} \
utils/packaging/daemon/deb/debian/%{name}.service
install -D -m 0755 utils/scripts/restart-opensnitch-onsleep.sh \
%{buildroot}%{_systemd_util_dir}/system-sleep/%{name}.sleep
install -d -m 0755 %{buildroot}%{_sysconfdir}/opensnitchd/rules
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/opensnitchd \
daemon/{default-config,system-fw}.json
install -D -m 0644 utils/packaging/daemon/deb/debian/%{name}.logrotate \
%{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -d -m 0755 %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/opensnitchd.log
# ui
pushd ui
%python3_pyproject_install
%suse_update_desktop_file %{name}_ui
appstreamcli validate --no-net \
%{buildroot}%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
install -D -m 0644 -t %{buildroot}%{_sysconfdir}/xdg/autostart \
%{buildroot}%{_datadir}/applications/%{name}_ui.desktop
popd
# ebpf-modules
#export NO_BRP_STRIP_DEBUG=true
pushd ebpf_prog
llvm-strip -g opensnitch{,-dns,-procs}.o
install -D -m 0644 -t %{buildroot}%{_prefix}/lib/opensnitchd/ebpf \
opensnitch{,-dns,-procs}.o
popd
# man pages
install -D -m 0644 -t %{buildroot}%{_mandir}/man1 %{SOURCE10} %{SOURCE11}
%fdupes -s %{buildroot}%{_prefix}/lib
%check
#pushd daemon
#go test -v ./...
#popd
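# sanity check: fail the build if the compiled eBPF object does not contain
# the kprobe/tcp_v4_connect section (grep exits non-zero when it is missing)
cd ebpf_prog
echo "check for '1 kprobe/tcp_v4_connect' in opensnitch.o ..."
objdump -h opensnitch.o | grep "1 kprobe/tcp_v4_connect"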
%pre
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%files
%license LICENSE
%doc README.md
%doc utils/scripts/debug-ebpf-maps.sh
%{_sbindir}/opensnitchd
%{_sbindir}/rc%{name}
%dir %{_sysconfdir}/opensnitchd
%dir %{_sysconfdir}/opensnitchd/rules
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/opensnitchd/*.json
%dir %{_prefix}/lib/opensnitchd
%dir %{_prefix}/lib/opensnitchd/ebpf
%{_prefix}/lib/opensnitchd/ebpf/opensnitch{,-dns,-procs}.o
%dir %{_systemd_util_dir}/system-sleep
%{_systemd_util_dir}/system-sleep/%{name}.sleep
%{_unitdir}/%{name}.service
%{_mandir}/man1/opensnitchd.1%{?ext_man}
%ghost %{_localstatedir}/log/opensnitchd.log
%files ui
%license ui/LICENSE
%doc README.md
%{_bindir}/%{name}-ui
%{_datadir}/applications/%{name}_ui.desktop
%{_datadir}/icons/hicolor/*/apps/%{name}-ui.*
%{_datadir}/kservices5
%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
%config %{_sysconfdir}/xdg/autostart/%{name}_ui.desktop
%{_mandir}/man1/opensnitch-ui.1%{?ext_man}
%{python3_sitelib}/%{name}
%{python3_sitelib}/%{name}_ui-*.dist-info
%changelog