opensnitch-1.6.7.ebuild

app-admin/opensnitch-ebpf-module/Manifest

@@ -1 +1,2 @@
 DIST opensnitch-1.6.6.gh.tar.gz 1359621 BLAKE2B b6b2fa5b13f39413deb622fc7b0ebaab1789f41f25522da2e0a86262754861e9407697362b4af3a5106f9b4f781c7f5727a089a8ae2d648aafa8994f1c4b9bf4 SHA512 2fcdcc3a6ae44b5d5ed1a436f6622e74d5834e01856c9a072bb759638192f8ba9f49cbb48bfd875978d87284a20d1206352690a0e6e5f584e247506c8829d99f
+DIST opensnitch-1.6.7.gh.tar.gz 1374914 BLAKE2B 0797f2c41db320c95b88b27b4e1f119a0b92e8fd12f35bf8fe9c73f8c642ead1be866ceedf99e819777b882b63cfdab900663910d99253475f9399f3c8922fd8 SHA512 12234304b4fb1a8af0f57a3cdfa684e91f36839fb1862e567912bcc8e9bd09adb2d837b88d6f4461647968cffe2c2260d07873c435cb50825ecb806499c8d3ca

app-admin/opensnitch-ebpf-module/opensnitch-ebpf-module-1.6.7.ebuild

@@ -0,0 +1,74 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit linux-info
+
+DESCRIPTION="eBPF process monitor module for opensnitch"
+HOMEPAGE="https://github.com/evilsocket/opensnitch"
+# NOTE: app-admin/opensnitch and this ebuild share the same source
+SRC_URI="
+	https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> opensnitch-${PV}.gh.tar.gz
+"
+
+S="${WORKDIR}/opensnitch-${PV}"
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="dist-kernel"
+
+EBPF_DIR=ebpf_prog
+MINKV=5.5 # only compatible with kernels >= 5.5
+
+RDEPEND="
+	dist-kernel? ( virtual/dist-kernel:= )
+	~app-admin/opensnitch-$PV
+"
+
+DEPEND="
+	virtual/linux-sources
+	>=sys-kernel/linux-headers-${MINKV}
+"
+
+BDEPEND="
+	sys-devel/bc
+	llvm-core/clang
+	llvm-core/llvm
+"
+
+RESTRICT="strip test"
+QA_PREBUILT="*"
+
+pkg_setup() {
+	# see https://github.com/evilsocket/opensnitch/discussions/978
+	local CONFIG_CHECK="
+		CGROUP_BPF
+		BPF_EVENTS
+		FTRACE_SYSCALLS
+		KPROBES_ON_FTRACE
+		KPROBE_EVENTS
+		UPROBE_EVENTS
+	"
+
+	linux-info_pkg_setup
+	kernel_is -ge ${MINKV//./ } || die "Kernel version at least ${MINKV} required"
+}
+
+src_compile() {
+	MODULES_MAKEARGS+=(
+		ARCH="x86"
+		EXTRA_FLAGS="-fno-stack-protector -fcf-protection"
+		KERNEL_DIR="${KV_DIR}"
+		KERNEL_HEADERS=/usr # gentoo installs linux-headers to /usr
+	)
+	emake "${MODULES_MAKEARGS[@]}" -C "$EBPF_DIR" || die
+	llvm-strip -g "$EBPF_DIR"/opensnitch*.o
+}
+
+src_install(){
+	insinto /usr/lib/opensnitchd/ebpf/
+	doins "$EBPF_DIR"/opensnitch.o
+	doins "$EBPF_DIR"/opensnitch-dns.o
+	doins "$EBPF_DIR"/opensnitch-procs.o
+}

app-admin/opensnitch/Manifest

@@ -1,2 +1,4 @@
 DIST opensnitch-1.6.6-deps.tar.gz 52512745 BLAKE2B 5333a4cf94a19fba18a18ff2a0fac46d02f8b3ea65b772bbf3dee39d023cb3073b3e5247aa9061d23f77d04e950863536753c5c83d7ce7ce8bf809d74f96180a SHA512 9dcace493782cf061520fb94b9855d8f249216b6b2df8ee69e9aa534a72e562b41e36c72a2c4f4fbedc785a7f024d3f0645050d2eda2d11c2ac997c570d0af4f
 DIST opensnitch-1.6.6.gh.tar.gz 1359621 BLAKE2B b6b2fa5b13f39413deb622fc7b0ebaab1789f41f25522da2e0a86262754861e9407697362b4af3a5106f9b4f781c7f5727a089a8ae2d648aafa8994f1c4b9bf4 SHA512 2fcdcc3a6ae44b5d5ed1a436f6622e74d5834e01856c9a072bb759638192f8ba9f49cbb48bfd875978d87284a20d1206352690a0e6e5f584e247506c8829d99f
+DIST opensnitch-1.6.7-deps.tar.xz 33462988 BLAKE2B ad609b1e3de4592a5ebe5ce931047fd35426e8e09090412903b2d9f437cbe84bd67a420ecff559eb0df001bc45953388df158c08f753268d28411ebaa608e315 SHA512 d7152675345a6150cff576150c06e4d03fa37542dd13a4b666a4d041ca23482c8a23273b37a0734ec394c211a4c1a3001b74e8101635b9720b8a7e5f544a8bfb
+DIST opensnitch-1.6.7.gh.tar.gz 1374914 BLAKE2B 0797f2c41db320c95b88b27b4e1f119a0b92e8fd12f35bf8fe9c73f8c642ead1be866ceedf99e819777b882b63cfdab900663910d99253475f9399f3c8922fd8 SHA512 12234304b4fb1a8af0f57a3cdfa684e91f36839fb1862e567912bcc8e9bd09adb2d837b88d6f4461647968cffe2c2260d07873c435cb50825ecb806499c8d3ca

app-admin/opensnitch/opensnitch-1.6.7.ebuild

@@ -0,0 +1,141 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{11..13} )
+inherit distutils-r1 go-module linux-info systemd xdg-utils
+
+DESCRIPTION="Desktop application firewall"
+HOMEPAGE="https://github.com/evilsocket/opensnitch"
+
+SRC_URI="
+	https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> ${P}.gh.tar.gz
+	https://dev.pentoo.ch/~blshkv/distfiles/${P}-deps.tar.xz
+	"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="+audit bpf +iptables +nftables systemd"
+REQUIRED_USE="|| ( iptables nftables )"
+
+DEPEND=">=dev-lang/go-1.19
+	net-libs/libnetfilter_queue
+	dev-go/protobuf-go
+	dev-go/protoc-gen-go-grpc
+"
+RDEPEND="
+	dev-python/grpcio-tools[${PYTHON_USEDEP}]
+	dev-python/notify2[${PYTHON_USEDEP}]
+	dev-python/python-slugify[${PYTHON_USEDEP}]
+	dev-python/pyinotify[${PYTHON_USEDEP}]
+	dev-python/pyqt5[network,sql,${PYTHON_USEDEP}]
+	bpf? ( ~app-admin/opensnitch-ebpf-module-$PV )
+"
+
+RESTRICT+=" test"
+
+pkg_setup() {
+	# see https://github.com/evilsocket/opensnitch/discussions/978
+	local CONFIG_CHECK="
+		INET_TCP_DIAG
+		INET_UDP_DIAG
+		INET_RAW_DIAG
+		INET_DIAG_DESTROY
+		NETFILTER_NETLINK_ACCT
+		NETFILTER_NETLINK_QUEUE
+		NF_CONNTRACK
+		NF_CT_NETLINK
+		PROC_FS
+	"
+
+	# config needed for the audit monitoring method
+	use audit && CONFIG_CHECK+="
+		AUDIT
+	"
+
+	# config needed for using iptables as firewall
+	use iptables && CONFIG_CHECK+="
+		NETFILTER_XT_MATCH_CONNTRACK
+		NETFILTER_XT_TARGET_NFQUEUE
+	"
+
+	# config needed for using nftables as firewall
+	use nftables && CONFIG_CHECK+="
+		NFT_CT
+		NFT_QUEUE
+	"
+
+	linux-info_pkg_setup
+}
+
+PATCHES=(
+	"${FILESDIR}/fix-setup.py.patch"
+)
+
+src_unpack() {
+	unpack ${A} # skip go module verification
+}
+
+src_prepare() {
+	rm -rf ui/tests || die
+	use systemd && eapply "${FILESDIR}/systemd.patch"
+	default
+}
+
+src_compile() {
+	emake protocol || die
+
+	pushd ui || die
+	pyrcc5 -o opensnitch/{resources_rc.py,/res/resources.qrc} || die
+	# workaround for namespace conflict
+	# see https://github.com/evilsocket/opensnitch/issues/496
+	# and https://github.com/evilsocket/opensnitch/pull/442
+	sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2* || die
+	popd > /dev/null || die
+
+	pushd daemon || die
+	GOCACHE="${T}/go-cache" \
+	GOMODCACHE="${WORKDIR}/${PN}-${PV}/vendor" \
+	ego build -v -buildmode=pie -o opensnitchd || die
+	popd > /dev/null || die
+
+	pushd ui || die
+	distutils-r1_src_compile
+	popd > /dev/null || die
+}
+
+src_install(){
+	pushd ui || die
+	distutils-r1_src_install
+	popd > /dev/null || die
+
+	pushd daemon || die
+	dobin opensnitchd
+	keepdir /etc/opensnitchd/rules
+	insinto /etc/opensnitchd/
+	doins default-config.json
+	doins system-fw.json
+	popd > /dev/null || die
+
+	if use systemd; then
+		pushd daemon || die
+		systemd_dounit opensnitchd.service
+		popd > /dev/null || die
+	else
+		newinitd "${FILESDIR}"/opensnitch.initd ${PN}
+	fi
+}
+
+pkg_postinst() {
+	xdg_icon_cache_update
+
+	#FIXME upstream bug: https://github.com/evilsocket/opensnitch/issues/795
+	elog "Under regular user, run the following commands to display IP's network name:"
+	elog "cd ~/.config/opensnitch/"
+	elog "wget https://github.com/hadiasghari/pyasn/blob/master/data/ipasn_20140513_v12.dat.gz?raw=true -O ipasn_db.dat.gz"
+	elog  "wget https://github.com/hadiasghari/pyasn/blob/master/data/asnames.json?raw=true"
+
+}