summaryrefslogtreecommitdiff
path: root/app-admin/opensnitch/opensnitch-1.6.2-r1.ebuild
blob: 608a3cb2bb66590de320fac87cac0617f0f1091f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

PYTHON_COMPAT=( python3_{10..12} )
inherit distutils-r1 linux-info systemd xdg-utils

DESCRIPTION="Desktop application firewall"
HOMEPAGE="https://github.com/evilsocket/opensnitch"

EGO_PN="github.com/evilsocket/opensnitch"
# modified from opensnitch/daemon/go.mod
# NOTE: build fails with github.com/josharian/native after commit 5c7d0dd6ab
EGO_VENDOR=(
	"github.com/fsnotify/fsnotify v1.4.7"
	"github.com/golang/protobuf v1.5.0"
	"github.com/google/gopacket v1.1.14"
	"github.com/google/nftables v0.1.0"
	"github.com/google/uuid v1.3.0"
	"github.com/iovisor/gobpf v0.2.0"
	"github.com/varlink/go v0.4.0"
	"github.com/vishvananda/netlink e1a867c6b452"
	"golang.org/x/net 491a49abca63 github.com/golang/net"
	"golang.org/x/sys v0.2.0 github.com/golang/sys"
	"google.golang.org/grpc v1.32.0 github.com/grpc/grpc-go"
	"google.golang.org/protobuf v1.27.1 github.com/protocolbuffers/protobuf-go"

	"golang.org/x/sync v0.1.0 github.com/golang/sync"
	"golang.org/x/text v0.7.0 github.com/golang/text"
	"google.golang.org/genproto 0dfe4f8abfcc github.com/googleapis/go-genproto"
	"github.com/mdlayher/netlink v1.7.1"
	"github.com/mdlayher/socket 41a913f399"
	"github.com/josharian/native v1.1.0"
	"github.com/vishvananda/netns 7a452d2d15"
)

inherit golang-vcs-snapshot

SRC_URI="
	https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
	${EGO_VENDOR_URI}
"

LICENSE="GPL-3"
SLOT="0"
IUSE="+audit bpf +iptables +nftables systemd"
REQUIRED_USE="|| ( iptables nftables )"
KEYWORDS="~amd64 ~x86"

DEPEND=">=dev-lang/go-1.19
	net-libs/libnetfilter_queue
	dev-go/go-protobuf
	dev-go/protoc-gen-go-grpc
"
RDEPEND="
	dev-python/grpcio-tools[${PYTHON_USEDEP}]
	dev-python/notify2[${PYTHON_USEDEP}]
	dev-python/python-slugify[${PYTHON_USEDEP}]
	dev-python/pyinotify[${PYTHON_USEDEP}]
	dev-python/pyqt5[network,sql,${PYTHON_USEDEP}]
	bpf? ( ~app-admin/opensnitch-ebpf-module-$PV )
"

RESTRICT+=" test"

pkg_setup() {
	# see https://github.com/evilsocket/opensnitch/discussions/978
	local CONFIG_CHECK="
		INET_TCP_DIAG
		INET_UDP_DIAG
		INET_RAW_DIAG
		INET_DIAG_DESTROY
		NETFILTER_NETLINK_ACCT
		NETFILTER_NETLINK_QUEUE
		NF_CONNTRACK
		NF_CT_NETLINK
		PROC_FS
	"

	# config needed for the audit monitoring method
	use audit && CONFIG_CHECK+="
		AUDIT
	"

	# config needed for using iptables as firewall
	use iptables && CONFIG_CHECK+="
		NETFILTER_XT_MATCH_CONNTRACK
		NETFILTER_XT_TARGET_NFQUEUE
	"

	# config needed for using nftables as firewall
	use nftables && CONFIG_CHECK+="
		NFT_CT
		NFT_QUEUE
	"

	linux-info_pkg_setup
}

src_prepare() {
	rm -rf src/${EGO_PN}/ui/tests || die

	if use systemd; then
		pushd ${WORKDIR}/${P}/src/${EGO_PN} > /dev/null || die
		eapply "${FILESDIR}/${P}-systemd.patch"
		popd > /dev/null || die
	fi

	pushd src/${EGO_PN} > /dev/null || die
	eapply_user
	popd > /dev/null || die
}

src_compile() {
	emake -C src/${EGO_PN} protocol

	pushd src/${EGO_PN}/ui > /dev/null || die
	pyrcc5 -o opensnitch/{resources_rc.py,/res/resources.qrc}
	# workaround for namespace conflict
	# see https://github.com/evilsocket/opensnitch/issues/496
	# and https://github.com/evilsocket/opensnitch/pull/442
	sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2* || die
	popd > /dev/null || die

	# see https://github.com/evilsocket/opensnitch/issues/851
	# opensnitch does not build without -fcf-protection when using go >= 1.19,
	# error message:
	# cgo: cannot load DWARF output from $WORK/..//_cgo_.o: zlib: invalid header
	GOPATH="${S}:$(get_golibdir_gopath)" \
	GOCACHE="${T}/go-cache" \
	CGO_CPPFLAGS="${CPPFLAGS} -fcf-protection" \
	CGO_CFLAGS="${CFLAGS} -fcf-protection" \
	CGO_CXXFLAGS="${CXXFLAGS} -fcf-protection" \
	go build -v \
		-buildmode=pie \
		-ldflags "-compressdwarf=false -linkmode external" \
		-o opensnitchd \
		"${EGO_PN}/daemon" || die

	pushd src/${EGO_PN}/ui > /dev/null || die
	distutils-r1_src_compile
	popd > /dev/null || die
}

src_install(){
	dobin opensnitchd

	pushd src/${EGO_PN}/ui > /dev/null || die
	distutils-r1_src_install
	popd > /dev/null || die

	pushd src/${EGO_PN}/daemon > /dev/null || die
	insinto /etc/opensnitchd/rules
	insinto /etc/opensnitchd/
	doins default-config.json
	doins system-fw.json
	popd > /dev/null || die

	if use systemd; then
		pushd src/${EGO_PN}/daemon > /dev/null || die
		systemd_dounit opensnitchd.service
		popd > /dev/null || die
	else
		newinitd "${FILESDIR}"/opensnitch.initd ${PN}
	fi
}

pkg_postinst() {
	xdg_icon_cache_update
}