From cb154076c205370a5688ddde8a55534158065277 Mon Sep 17 00:00:00 2001
From: "Kai-Chun Ning (Github Signing key)"
Date: Mon, 8 Jul 2024 19:15:56 +0200
Subject: [PATCH 1/2] app-admin/opensnitch-ebpf-module: add 1.6.6
Signed-off-by: Kai-Chun Ning (Github Signing key)
---
app-admin/opensnitch-ebpf-module/Manifest | 1 +
.../opensnitch-ebpf-module-1.6.6.ebuild | 74 +++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 app-admin/opensnitch-ebpf-module/opensnitch-ebpf-module-1.6.6.ebuild
diff --git a/app-admin/opensnitch-ebpf-module/Manifest b/app-admin/opensnitch-ebpf-module/Manifest
index 3eaea797f9..dfbe752e67 100644
--- a/app-admin/opensnitch-ebpf-module/Manifest
+++ b/app-admin/opensnitch-ebpf-module/Manifest
@@ -1 +1,2 @@
 DIST opensnitch-1.6.5.1.gh.tar.gz 1354814 BLAKE2B a3e0ce0b799a59d8d5e5cf9adc16d73b710d42b5325774118da3886a8c25507ef3a3e618796a56edd0cdde2ba8730604275a36d560e105d51744abef42fb833c SHA512 8ea1ad5a00c6b8c4649db5774e2fe7997ebdd52ed24610084ba236992c740b31b2bb19a88778b68d880aad54ff21a387d7388bdb4a8692a0456a4afbd7f47347
+DIST opensnitch-1.6.6.gh.tar.gz 1359621 BLAKE2B b6b2fa5b13f39413deb622fc7b0ebaab1789f41f25522da2e0a86262754861e9407697362b4af3a5106f9b4f781c7f5727a089a8ae2d648aafa8994f1c4b9bf4 SHA512 2fcdcc3a6ae44b5d5ed1a436f6622e74d5834e01856c9a072bb759638192f8ba9f49cbb48bfd875978d87284a20d1206352690a0e6e5f584e247506c8829d99f
diff --git a/app-admin/opensnitch-ebpf-module/opensnitch-ebpf-module-1.6.6.ebuild b/app-admin/opensnitch-ebpf-module/opensnitch-ebpf-module-1.6.6.ebuild
new file mode 100644
index 0000000000..bda801b411
--- /dev/null
+++ b/app-admin/opensnitch-ebpf-module/opensnitch-ebpf-module-1.6.6.ebuild
@@ -0,0 +1,74 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit linux-info
+
+DESCRIPTION="eBPF process monitor module for opensnitch"
+HOMEPAGE="https://github.com/evilsocket/opensnitch"
+# NOTE: app-admin/opensnitch and this ebuild share the same source
+SRC_URI="
+ https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> opensnitch-${PV}.gh.tar.gz
+"
+
+S="${WORKDIR}/opensnitch-${PV}"
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="dist-kernel"
+
+EBPF_DIR=ebpf_prog
+MINKV=5.5 # only compatible with kernels >= 5.5
+
+RDEPEND="
+ dist-kernel? ( virtual/dist-kernel:= )
+ ~app-admin/opensnitch-$PV
+"
+
+DEPEND="
+ virtual/linux-sources
+ >=sys-kernel/linux-headers-${MINKV}
+"
+
+BDEPEND="
+ sys-devel/bc
+ sys-devel/clang
+ sys-devel/llvm
+"
+
+RESTRICT="strip test"
+QA_PREBUILT="*"
+
+pkg_setup() {
+ # see https://github.com/evilsocket/opensnitch/discussions/978
+ local CONFIG_CHECK="
+ CGROUP_BPF
+ BPF_EVENTS
+ FTRACE_SYSCALLS
+ KPROBES_ON_FTRACE
+ KPROBE_EVENTS
+ UPROBE_EVENTS
+ "
+
+ linux-info_pkg_setup
+ kernel_is -ge ${MINKV//./ } || die "Kernel version at least ${MINKV} required"
+}
+
+src_compile() {
+ MODULES_MAKEARGS+=(
+ ARCH="x86"
+ EXTRA_FLAGS="-fno-stack-protector -fcf-protection"
+ KERNEL_DIR="${KV_DIR}"
+ KERNEL_HEADERS=/usr # gentoo installs linux-headers to /usr
+ )
+ emake "${MODULES_MAKEARGS[@]}" -C "$EBPF_DIR" || die
+ llvm-strip -g "$EBPF_DIR"/opensnitch*.o
+}
+
+src_install(){
+ insinto /usr/lib/opensnitchd/ebpf/
+ doins "$EBPF_DIR"/opensnitch.o
+ doins "$EBPF_DIR"/opensnitch-dns.o
+ doins "$EBPF_DIR"/opensnitch-procs.o
+}
From f628620fbe796e72e7a08cf01f42a3c19379a05d Mon Sep 17 00:00:00 2001
From: "Kai-Chun Ning (Github Signing key)"
Date: Mon, 8 Jul 2024 19:16:42 +0200
Subject: [PATCH 2/2] app-admin/opensnitch: add 1.6.6
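Review bot: The `llvm-strip -g "$EBPF_DIR"/opensnitch*.o` call at the end of src_compile has no `|| die`, so a failed strip is ignored and src_install ships whatever objects are left; it should read `llvm-strip -g "${EBPF_DIR}"/opensnitch*.o || die "llvm-strip failed"`. `QA_PREBUILT="*"` also switches off the prebuilt-binary QA checks for every installed file, where `QA_PREBUILT="usr/lib/opensnitchd/ebpf/*.o"` would cover only the three BPF objects this ebuild installs. The `EXTRA_FLAGS` line would benefit from a comment saying why `-fno-stack-protector -fcf-protection` are passed, for example `# BPF objects: override the toolchain's default hardening flags (confirm which ones break the build)`.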
Signed-off-by: Kai-Chun Ning (Github Signing key)
---
app-admin/opensnitch/Manifest | 2 +
app-admin/opensnitch/opensnitch-1.6.6.ebuild | 134 +++++++++++++++++++
2 files changed, 136 insertions(+)
create mode 100644 app-admin/opensnitch/opensnitch-1.6.6.ebuild
diff --git a/app-admin/opensnitch/Manifest b/app-admin/opensnitch/Manifest
index 2cac270aab..61bd16a3c0 100644
--- a/app-admin/opensnitch/Manifest
+++ b/app-admin/opensnitch/Manifest
@@ -1,2 +1,4 @@
 DIST opensnitch-1.6.5.1-deps.tar.gz 51527916 BLAKE2B f2c3fd8fa3f325ac86d072d9a5d2f40b82f8925970a846822aea42ca4ff849fde716c9dd13f91da7268dcc06bc85764f5633e1acaf1ccd392f76ae071e949690 SHA512 ee1d2613814e9cdbef1c63c96dfa6c328b43d7becc2285e445686d743c78b2026550f60ac63984a9a2fb1b620fcebdd6be6db1b1aa855795dbdc460087e7cfe5
 DIST opensnitch-1.6.5.1.gh.tar.gz 1354814 BLAKE2B a3e0ce0b799a59d8d5e5cf9adc16d73b710d42b5325774118da3886a8c25507ef3a3e618796a56edd0cdde2ba8730604275a36d560e105d51744abef42fb833c SHA512 8ea1ad5a00c6b8c4649db5774e2fe7997ebdd52ed24610084ba236992c740b31b2bb19a88778b68d880aad54ff21a387d7388bdb4a8692a0456a4afbd7f47347
+DIST opensnitch-1.6.6-deps.tar.gz 52512745 BLAKE2B 5333a4cf94a19fba18a18ff2a0fac46d02f8b3ea65b772bbf3dee39d023cb3073b3e5247aa9061d23f77d04e950863536753c5c83d7ce7ce8bf809d74f96180a SHA512 9dcace493782cf061520fb94b9855d8f249216b6b2df8ee69e9aa534a72e562b41e36c72a2c4f4fbedc785a7f024d3f0645050d2eda2d11c2ac997c570d0af4f
+DIST opensnitch-1.6.6.gh.tar.gz 1359621 BLAKE2B b6b2fa5b13f39413deb622fc7b0ebaab1789f41f25522da2e0a86262754861e9407697362b4af3a5106f9b4f781c7f5727a089a8ae2d648aafa8994f1c4b9bf4 SHA512 2fcdcc3a6ae44b5d5ed1a436f6622e74d5834e01856c9a072bb759638192f8ba9f49cbb48bfd875978d87284a20d1206352690a0e6e5f584e247506c8829d99f
diff --git a/app-admin/opensnitch/opensnitch-1.6.6.ebuild b/app-admin/opensnitch/opensnitch-1.6.6.ebuild
new file mode 100644
index 0000000000..1a8e500792
--- /dev/null
+++ b/app-admin/opensnitch/opensnitch-1.6.6.ebuild
@@ -0,0 +1,134 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..12} )
+inherit distutils-r1 go-module linux-info systemd xdg-utils
+
+DESCRIPTION="Desktop application firewall"
+HOMEPAGE="https://github.com/evilsocket/opensnitch"
+
+SRC_URI="
+ https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> ${P}.gh.tar.gz
+ https://github.com/kcning/opensnitch/archive/refs/tags/${PV}.tar.gz -> ${P}-deps.tar.gz
+"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+audit bpf +iptables +nftables systemd"
+REQUIRED_USE="|| ( iptables nftables )"
+
+DEPEND=">=dev-lang/go-1.19
+ net-libs/libnetfilter_queue
+ dev-go/go-protobuf
+ dev-go/protoc-gen-go-grpc
+"
+RDEPEND="
+ dev-python/grpcio-tools[${PYTHON_USEDEP}]
+ dev-python/notify2[${PYTHON_USEDEP}]
+ dev-python/python-slugify[${PYTHON_USEDEP}]
+ dev-python/pyinotify[${PYTHON_USEDEP}]
+ dev-python/PyQt5[network,sql,${PYTHON_USEDEP}]
+ bpf? ( ~app-admin/opensnitch-ebpf-module-$PV )
+"
+
+RESTRICT+=" test"
+
+pkg_setup() {
+ # see https://github.com/evilsocket/opensnitch/discussions/978
+ local CONFIG_CHECK="
+ INET_TCP_DIAG
+ INET_UDP_DIAG
+ INET_RAW_DIAG
+ INET_DIAG_DESTROY
+ NETFILTER_NETLINK_ACCT
+ NETFILTER_NETLINK_QUEUE
+ NF_CONNTRACK
+ NF_CT_NETLINK
+ PROC_FS
+ "
+
+ # config needed for the audit monitoring method
+ use audit && CONFIG_CHECK+="
+ AUDIT
+ "
+
+ # config needed for using iptables as firewall
+ use iptables && CONFIG_CHECK+="
+ NETFILTER_XT_MATCH_CONNTRACK
+ NETFILTER_XT_TARGET_NFQUEUE
+ "
+
+ # config needed for using nftables as firewall
+ use nftables && CONFIG_CHECK+="
+ NFT_CT
+ NFT_QUEUE
+ "
+
+ linux-info_pkg_setup
+}
+
+PATCHES=(
+ "${FILESDIR}/fix-setup.py.patch"
+)
+
+src_unpack() {
+ unpack ${A} # skip go module verification
+}
+
+src_prepare() {
+ rm -rf ui/tests || die
+ use systemd && eapply "${FILESDIR}/systemd.patch"
+ default
+}
+
+src_compile() {
+ emake protocol || die
+
+ pushd ui || die
+ pyrcc5 -o opensnitch/{resources_rc.py,/res/resources.qrc} || die
+ # workaround for namespace conflict
+ # see https://github.com/evilsocket/opensnitch/issues/496
+ # and https://github.com/evilsocket/opensnitch/pull/442
+ sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2* || die
+ popd > /dev/null || die
+
+ pushd daemon || die
+ GOCACHE="${T}/go-cache" \
+ GOMODCACHE="${WORKDIR}/${PN}-${PV}/vendor" \
+ ego build -v -buildmode=pie -o opensnitchd || die
+ popd > /dev/null || die
+
+ pushd ui || die
+ distutils-r1_src_compile
+ popd > /dev/null || die
+}
+
+src_install(){
+ pushd ui || die
+ distutils-r1_src_install
+ popd > /dev/null || die
+
+ pushd daemon || die
+ dobin opensnitchd
+ insinto /etc/opensnitchd/rules
+ insinto /etc/opensnitchd/
+ doins default-config.json
+ doins system-fw.json
+ popd > /dev/null || die
+
+ if use systemd; then
+ pushd daemon || die
+ systemd_dounit opensnitchd.service
+ popd > /dev/null || die
+ else
+ newinitd "${FILESDIR}"/opensnitch.initd ${PN}
+ fi
+}
+
+pkg_postinst() {
+ xdg_icon_cache_update
+}
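Review bot: The Go dependencies are taken from a tag archive of a personal fork (`github.com/kcning/opensnitch`), and `src_unpack` replaces go-module's unpack with a bare `unpack ${A}` to skip module verification, so the Manifest hash of a roughly 52 MB tarball is the only integrity check on code linked into the firewall daemon. Both archives appear to extract to `opensnitch-${PV}/`, which would let files in the fork archive replace upstream sources unnoticed; that is worth confirming, and the deps should be unpacked into a directory of their own if so. A comment above `SRC_URI` should state how `${P}-deps.tar.gz` is produced, e.g. `# deps tarball: <command used to generate vendor/ from upstream v${PV}>`. If `vendor/` is a module cache, as the `GOMODCACHE` assignment suggests, running `ego mod verify` in `daemon/` with that `GOMODCACHE` would check it against upstream's go.sum instead of skipping verification.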