#
# spec file for package opensnitch
#
# copyright (c) 2025 munix9@googlemail.com
#
# Upstream git commit this snapshot is built from; Source0 is pinned to it
# rather than to a release tag (the tag-based Source0 is kept commented out).
%define cmt be34c8e84f48edb3433e441b4e2d3eba08e2b8a8
Name: opensnitch
# Snapshot version: last release + date; the "~" makes it sort below a
# future 1.7.3 release so that release can still upgrade this package.
Version: 1.7.3~20250922
Release: 0
Summary: GNU/Linux interactive application firewall
License: GPL-3.0-or-later
URL: https://github.com/evilsocket/opensnitch
#Source0: %%{url}/archive/v%%{version}/%%{name}-%%{version}.tar.gz
Source0: %{url}/archive/%{cmt}.tar.gz
# Pre-fetched Go module vendor tree: unpacked by %%autosetup -a1 and moved into
# daemon/ in %%prep; %%build sets GOFLAGS=-mod=vendor so the build needs no
# module download. NOTE(review): the spec does not say how this tarball was
# produced; keep its regeneration step documented next to the package sources.
Source1: vendor.tar.xz
# SELinux policy shipped as documentation only (see %%files); nothing is
# installed into the policy store.
Source10: %{name}-selinux-policy.txt
# NOTE(review): an issue attachment, not a tagged artifact, so it is not tied
# to %%{cmt}; review it together with the local copy when it changes.
Source11: https://github.com/evilsocket/opensnitch/files/7014033/%{name}-selinux-policy.zip
#Patch0: fix-go_mod-require.patch
#Patch1: fix-go_sum-require.patch
Patch2: fix-daemon-Makefile.patch
Patch3: fix-ui-Makefile.patch
Patch4: fix-ebpf_prog-Makefile.patch
Patch5: fix-setup_py-data_files.patch
Patch6: fix-pyasn-data-path.patch
Patch7: fix-systemd-service.patch
Patch8: fix-system-sleep.patch
# Build toolchain: clang/llvm for the eBPF objects, kernel sources/headers for
# KERNEL_DIR and KERNEL_HEADERS in %%build, protoc plugins for Go and Python.
BuildRequires: clang
BuildRequires: fdupes
BuildRequires: golang-packaging
BuildRequires: kernel-devel
BuildRequires: kernel-default-devel
BuildRequires: llvm
BuildRequires: pkgconfig
BuildRequires: protoc-gen-go
# exact version pin, unlike the other build requirements
BuildRequires: protoc-gen-go-grpc = 1.3.0
BuildRequires: python3-grpcio-tools
BuildRequires: pkgconfig(libmnl)
BuildRequires: pkgconfig(libnetfilter_queue)
BuildRequires: pkgconfig(libpcap)
BuildRequires: pkgconfig(protobuf)
# the logrotate snippet installed below needs the logrotate package
Requires: logrotate
# daemon and GUI only recommend each other, so either installs alone
Recommends: %{name}-ui = %{version}
Suggests: bpftool
Suggests: systemd-network
%{?systemd_ordering}
%description
OpenSnitch is a GNU/Linux firewall application.
Whenever a program makes a connection, it'll prompt the user to allow or deny
it.
The user can decide whether to block the outgoing connection based on properties of
the connection: by port, by uid, by dst ip, by program, or a combination
of them.
These rules can last forever, until the app restarts, or apply just one time.
The GUI allows the user to view live outgoing connections, as well as search
by process, user, host or port.
OpenSnitch can also work as a system-wide domain blocker, using lists
of domains, lists of IPs or lists of regular expressions.
# GUI subpackage, built as a noarch Python wheel (see %%build / %%install).
%package ui
Summary: GNU/Linux interactive application firewall GUI
License: GPL-3.0-only AND LGPL-2.1-or-later
# wheel build tooling, Qt6 linguist for the translations and
# desktop-file-utils for the validation step in %%check
BuildRequires: desktop-file-utils
BuildRequires: hicolor-icon-theme
BuildRequires: python-rpm-macros
BuildRequires: python3-pip
BuildRequires: python3-qt6-devel
BuildRequires: python3-setuptools
BuildRequires: python3-wheel
BuildRequires: qt6-tools-linguist
Requires: python3-grpcio-tools
Requires: python3-notify2
Requires: python3-packaging
Requires: python3-protobuf
Requires: python3-pyinotify
Requires: python3-python-slugify
Requires: python3-qt6
Requires: qt6-sql-sqlite
# soft dependency on the daemon, mirroring the Recommends in the main package
Recommends: %{name} = %{version}
Recommends: python3-pyasn
Recommends: python3-qt-material
BuildArch: noarch
%description ui
opensnitch-ui is a GUI for opensnitch written in Python.
It allows the user to view live outgoing connections, as well as search
for details of the intercepted connections.
The user can decide whether to block outgoing connections based on properties of
the connection: by port, by uid, by dst ip, by program, or a combination
of them.
These rules can last forever, until the daemon restarts, or apply just one time.
OpenSnitch can also work as a system-wide domain blocker, using lists
of domains, lists of IPs or lists of regular expressions.
%prep
%autosetup -a1 -p1 -n %{name}-%{cmt}
# Source1 unpacks to ./vendor; move it under daemon/ for the -mod=vendor build
# done in %%build
mv vendor daemon
# fix "E: non-executable-script"
sed -i '\|^#!/usr/bin/env python3$|d' ui/%{name}/utils/duration/duration.py
# fix "E: env-script-interpreter"
sed -i 's|^#!/usr/bin/env bash|#!/usr/bin/bash|' utils/scripts/ipasn_db_update.sh
# kernel for ebpf_prog: a symlink to the installed sources is enough, except on
# ARM where one asm header has to be patched, so a private copy is taken there
%ifnarch %{arm} %{arm64}
ln -s %{_usrsrc}/linux
%else
cp -a %{_usrsrc}/linux/ .
patch linux/arch/arm/include/asm/unified.h -i ebpf_prog/arm-clang-asm-fix.patch
%endif
%build
# Go flags for the daemon: vendored modules only (no module download),
# position-independent executable, and -trimpath for reproducible paths.
export GOFLAGS="-mod=vendor -buildmode=pie -trimpath"
# -j1: serial top-level make — presumably the Makefile is not parallel-safe; confirm
%make_build -j1
# UI wheel, consumed by %%python3_pyproject_install in %%install
pushd ui
%python3_pyproject_wheel
popd
pushd ebpf_prog
# fix "warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]"
# KERNEL_DIR points at the tree prepared in %%prep (symlink or patched copy);
# the EXTRA_FLAGS line is only emitted on x86_64, the continuation stays valid either way
%make_build -j1 \
%ifarch x86_64
EXTRA_FLAGS="-fcf-protection" \
%endif
KERNEL_DIR=../linux \
KERNEL_HEADERS=%{_usrsrc}/linux-obj/%{_target_cpu}/default
popd
%install
# daemon: binary, systemd unit, default configs, rules/tasks (root-only), logrotate
install -Dm0755 daemon/%{name}d %{buildroot}%{_sbindir}/%{name}d
install -Dm0644 utils/packaging/daemon/deb/debian/%{name}.service \
  %{buildroot}%{_unitdir}/%{name}.service
install -Dm0644 -t %{buildroot}%{_sysconfdir}/%{name}d \
  daemon/default-config.json daemon/network_aliases.json daemon/system-fw.json
install -Dm0600 -t %{buildroot}%{_sysconfdir}/%{name}d/rules daemon/data/rules/*.json
install -Dm0600 -t %{buildroot}%{_sysconfdir}/%{name}d/tasks daemon/data/tasks/*.json
install -Dm0644 utils/packaging/daemon/deb/debian/%{name}.logrotate \
  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
# placeholder for the %%ghost log file listed in %%files
install -dm0755 %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/%{name}d.log
# per-task READMEs get a unique name so both can be picked up by %%doc
for task in downloader iocscanner; do
  cp -p daemon/tasks/${task}/README.md tasks_${task}_README.md
done
# ui: install the wheel built in %%build, then reuse its desktop file as autostart entry
pushd ui
%python3_pyproject_install
popd
install -Dm0644 %{buildroot}%{_datadir}/applications/%{name}_ui.desktop \
  %{buildroot}%{_sysconfdir}/xdg/autostart/%{name}_ui.desktop
# ebpf_prog: strip debug info from the objects before shipping them
#export NO_BRP_STRIP_DEBUG=true
llvm-strip -g ebpf_prog/%{name}.o ebpf_prog/%{name}-dns.o ebpf_prog/%{name}-procs.o
install -Dm0644 -t %{buildroot}%{_prefix}/lib/%{name}d/ebpf \
  ebpf_prog/%{name}.o ebpf_prog/%{name}-dns.o ebpf_prog/%{name}-procs.o
# SELinux policy sources, referenced as %%doc in %%files
cp -p %{SOURCE10} %{SOURCE11} .
%fdupes %{buildroot}%{python3_sitelib}
%check
desktop-file-validate %{buildroot}%{_datadir}/applications/%{name}_ui.desktop
# objdump -h lists sections as "<Idx> <Name>"; the build fails (grep exit status)
# if the expected kprobe section is missing from the eBPF object
section="1 kprobe/tcp_v4_connect"
echo "check for '$section' in %{name}.o ..."
objdump -h ebpf_prog/%{name}.o | grep "$section"
#pushd daemon
#go test -v ./...
#popd
# systemd lifecycle hooks for the daemon unit via the %%service_* macros
%pre
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
# manual enable/restart kept for reference; presumably superseded by the macros above
#%%posttrans
#if [ -x %%{_bindir}/systemctl ] ; then
# %%{_bindir}/systemctl enable %%{name}.service
# %%{_bindir}/systemctl restart %%{name}.service
#fi
%files
%license LICENSE
%doc README.md *_README.md
# SELinux policy is documentation only; it is not loaded into the policy store
%doc %{name}-selinux-policy.{txt,zip}
%doc utils/scripts/restart-%{name}-onsleep.sh
%{_sbindir}/%{name}d
%dir %{_sysconfdir}/%{name}d
%dir %{_sysconfdir}/%{name}d/rules
%dir %{_sysconfdir}/%{name}d/tasks
# configs are noreplace so local edits survive upgrades; rules and tasks are
# additionally restricted to root (0600), matching the modes set in %%install
%config(noreplace) %{_sysconfdir}/%{name}d/*.json
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/%{name}d/rules/*.json
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/%{name}d/tasks/*.json
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%dir %{_prefix}/lib/%{name}d
%dir %{_prefix}/lib/%{name}d/ebpf
# stripped eBPF objects from %%build
%{_prefix}/lib/%{name}d/ebpf/%{name}{,-dns,-procs}.o
%{_unitdir}/%{name}.service
# owned but not shipped (touched in %%install only). NOTE(review): no %%attr here,
# so the recorded mode is whatever the buildroot touch produced — confirm against
# the permissions the daemon uses when it creates the log
%ghost %{_localstatedir}/log/%{name}d.log
%files ui
%license ui/LICENSE
%doc README.md
%doc utils/scripts/ipasn_db_update.sh
%{_bindir}/%{name}-ui
%{_datadir}/applications/%{name}_ui.desktop
%{_datadir}/icons/hicolor/*/apps/%{name}-ui.{png,svg}
%dir %{_datadir}/kservices5
%{_datadir}/kservices5/kcm_%{name}.desktop
%{_datadir}/metainfo/io.github.evilsocket.%{name}.appdata.xml
# %%config without noreplace: an upgrade replaces a locally edited autostart
# entry (the old copy is kept as .rpmsave)
%config %{_sysconfdir}/xdg/autostart/%{name}_ui.desktop
%{python3_sitelib}/%{name}
# version-independent glob so the snapshot Version does not have to match the wheel metadata
%{python3_sitelib}/%{name}_ui-*.dist-info
#%%{python3_sitelib}/%%{name}_ui-%%{version}.dist-info
# upstream test package is installed by the wheel but not shipped
%exclude %{python3_sitelib}/tests
%changelog