From: Petter Reinholdtsen Date: Sat, 3 May 2025 03:50:32 +0000 (+0200) Subject: Import opensnitch_1.6.9-2.debian.tar.xz X-Git-Tag: archive/raspbian/1.6.9-3+rpi1~1^2~7^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=642e2ebb3312230af5f5298cb6a68b6db0c5e26f;p=opensnitch.git Import opensnitch_1.6.9-2.debian.tar.xz [dgit import tarball opensnitch 1.6.9-2 opensnitch_1.6.9-2.debian.tar.xz] --- 642e2ebb3312230af5f5298cb6a68b6db0c5e26f diff --git a/README.Debian b/README.Debian new file mode 100644 index 0000000..862f492 --- /dev/null +++ b/README.Debian @@ -0,0 +1,19 @@ +opensnitch for Debian +--------------------- + +In order to build the packages from sources using gbp: + + 1. git clone https://salsa.debian.org/go-team/packages/opensnitch.git + 2. cd opensnitch/ ; git checkout debian/sid + 3. origtargz + + it'll download upstream sources according to the d/changelog + version, and the upstream tag if it exists. + + 4. gbp buildpackage --git-debian-branch=debian/sid --git-tarball-dir=../ --git-no-pristine-tar + + New debian-go's workflow specifies debian/sid as the default branch, + so you need to specify the branch, or configure it in your gbp.conf. + https://go-team.pages.debian.net/workflow-changes.html#wf-2017-11-pristine-tar + + -- Gustavo Iñiguez Goya Wed, 08 Jun 2023 17:18:40 +0200 diff --git a/changelog b/changelog new file mode 100644 index 0000000..0d775f5 --- /dev/null +++ b/changelog 
@@ -0,0 +1,521 @@ +opensnitch (1.6.9-2) unstable; urgency=medium + + * Team upload. + + * Told lintian to accept EBPF objects in package. + + -- Petter Reinholdtsen Sat, 03 May 2025 05:50:32 +0200 + +opensnitch (1.6.9-1) experimental; urgency=medium + + * Team upload. + + * New upstream release 1.6.9. + * Removed upstreamed patches: + - 0000-ui-finally-service.patch + - 0020-unknown-rules-operator-crash.patch + - 0030-daemon-visible-version.patch + - 0040-delete-all-generated-protobuffers-with-make-clean.patch + - 0050-allow-to-configure-GC-percentage.patch + - 0060-make-connections-flushing-configurable.patch + + -- Petter Reinholdtsen Tue, 29 Apr 2025 07:35:00 +0200 + +opensnitch (1.6.8-11) unstable; urgency=medium + + * Team upload. + + * Corrected typo in patch metadata. + + -- Petter Reinholdtsen Tue, 29 Apr 2025 07:20:39 +0200 + +opensnitch (1.6.8-10) experimental; urgency=medium + + * Team upload. + + * Added 1050-ebpf-s390x.patch to fix ebpf build problem on s390x. + * Renamed to 0030-daemon-visible-version.patch as this patch + is from upstream now. + * Removed already dropped 0010-experimental-1.5.9.1.patch. + * Added three patches from the upstream 1.6.0 branch. + * Changed opensnitch package behaviour to not reset TCP connections on + reload (Closes: #1103496). + + -- Petter Reinholdtsen Sat, 26 Apr 2025 07:45:17 +0200 + +opensnitch (1.6.8-9) experimental; urgency=medium + + * Team upoad. + + * Added 2000-apt-not-pip.patch to recommend apt over pip. + * Passed patches upstream and introduced patch naming scheme. + * Added 1030-systemd-service-earlier.patch to start service earlier + and protect it from kernel OOM killer. + * Added 1040-daemon-visible-version.patch to correct visible daemon + version. + * Added 0020-unknown-rules-operator-crash.patch from upstream. + * Added needrestart conf to avoid opensnitch restarts. + * Added debian branch name to d/gbp.conf. 
+ + -- Petter Reinholdtsen Thu, 24 Apr 2025 06:50:04 +0200 + +opensnitch (1.6.8-8) unstable; urgency=medium + + * Team upload. + + * Made test-fw-rules.sh autopkgtest check more robust + and updated it to only look for nftables. + + -- Petter Reinholdtsen Fri, 18 Apr 2025 19:46:18 +0200 + +opensnitch (1.6.8-7) unstable; urgency=medium + + * Team upload. + + * Upload to unstable. + + -- Petter Reinholdtsen Fri, 18 Apr 2025 01:32:00 +0200 + +opensnitch (1.6.8-6) experimental; urgency=medium + + * Team upload. + + * Replaced uploaders, out with no longer active Gustavo Iñiguez Goya + and in with Charles Allhands and myself. + * Thank you, Gustavo, for the great initial work with this package. + + -- Petter Reinholdtsen Fri, 18 Apr 2025 00:38:08 +0200 + +opensnitch (1.6.8-5) experimental; urgency=medium + + * Team upload. + + * Revert arch specific build dependency on golang-github-iovisor-gobpf-dev. + * Added 1010-ui-finally-service.patch to avoid python error on GUI exit. + * New upstream version available (Closes: #1051317). + * Uses corrected python regexes (Closes: #1085754). + + -- Petter Reinholdtsen Thu, 17 Apr 2025 16:34:43 +0200 + +opensnitch (1.6.8-4) experimental; urgency=medium + + * Team upload. + + * Corrected linux header package name for armhf. + * Limit EBPF support to architectures provided by bpfcc. + * Adjusted opensnitch to only recommend opensnitch-ebpf-modules on archs + where it exist. + * Dropped incorrect runtime dependency on python3-setuptools + (Closes: #1095252). + * Dropped obsolete runtime dependency on python3-six (Closes: #1067722). + + -- Petter Reinholdtsen Thu, 17 Apr 2025 14:45:27 +0200 + +opensnitch (1.6.8-3) experimental; urgency=medium + + * Team upload. + + * Switched to using kernel headers from debs, as local header copy + only worked on amd64. + + -- Petter Reinholdtsen Thu, 17 Apr 2025 12:54:58 +0200 + +opensnitch (1.6.8-2) experimental; urgency=medium + + * Team upload. 
+ + * Added missing golang-github-varlink-go-dev build dependency. + + -- Petter Reinholdtsen Thu, 17 Apr 2025 10:55:29 +0200 + +opensnitch (1.6.8-1) experimental; urgency=medium + + * Team upload. + + * New upstream release. + * Updated Standards-Version from 4.6.2 to 4.7.2. + * List protoc-gen-go-1-3 as build depend alternative to protoc-gen-go-1-5 + for easier backporting. + + -- Petter Reinholdtsen Thu, 17 Apr 2025 09:08:49 +0200 + +opensnitch (1.5.9-4) experimental; urgency=medium + + * Team upload. + + * Added leftover build dependency protoc-gen-go-1-5. + + -- Petter Reinholdtsen Tue, 15 Apr 2025 06:18:52 +0200 + +opensnitch (1.5.9-3) experimental; urgency=medium + + * Team upload. + + [ Gustavo Iñiguez Goya ] + * New upstream release. + * d/control: removed kernel headers dependency. + + [ Petter Reinholdtsen ] + * Moved untagged upstream snapshot into 0010-experimental-1.5.9.1.patch. + * Adjusted build dependencies to work with current unstable. + * Correct roff notation for URLs in man pages. + * Renamed obsolete pkg-config build dependency to pkgconf. + + -- Petter Reinholdtsen Mon, 14 Apr 2025 18:43:07 +0200 + +opensnitch (1.5.9-2) experimental; urgency=medium + + [ Gustavo Iñiguez Goia ] + * d/control: fixed Build-Depends, kernel headers dep + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Sat, 10 Jun 2023 00:08:25 +0200 + +opensnitch (1.5.9-1) experimental; urgency=medium + + * New upstream release. + * d/control: + - New package opensnitch-ebpf-modules. + * d/man/: + - Updated dates. + - New page opensnitch-ebpf-modules.1 + * Added README.Debian. + + * Upload sponsored by Petter Reinholdtsen. 
+ + -- Gustavo Iñiguez Goya Wed, 07 Jun 2023 23:18:40 +0200 + +opensnitch (1.5.8.1-2) unstable; urgency=medium + + * Team upload + * Update Build-Depends from golang-goprotobuf-dev to + golang-github-golang-protobuf-1-5-dev + + -- Mathias Gibbens Fri, 02 Aug 2024 07:08:08 +0000 + +opensnitch (1.5.8.1-1) unstable; urgency=medium + + * New upstream release. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Mon, 06 Mar 2023 12:37:24 +0100 + +opensnitch (1.5.8-2) unstable; urgency=medium + + * Upload to unstable. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 21 Feb 2023 21:26:21 +0100 + +opensnitch (1.5.8-1) experimental; urgency=medium + + * New upstream release. + + [ Gustavo Iñiguez Goia ] + * ui: added 64x64 icon. + * Added missing entry for GUI manual page. + * Updated appstream Summary field. + * Removed ftrace dependency from d/control. + * ui: updated appstream Summary field. + * Updated d/control Description. + + [ Petter Reinholdtsen ] + * Added appstream content rating, no restrictions. + * Corrected appstream icon name. + * Documented appstream metadata license in d/copyright. + * Place manual pages in correct packages. + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Sun, 19 Feb 2023 10:26:46 +0100 + +opensnitch (1.5.7-3) experimental; urgency=medium + + [ Gustavo Iñiguez Goia ] + * fixed /etc/xdg/autostart/ link + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Wed, 15 Feb 2023 22:41:19 +0100 + +opensnitch (1.5.7-2) experimental; urgency=medium + + [ Gustavo Iñiguez Goia ] + * added opensnitchd manual page + * added new manual page, updated opensnitchd.1 + * improved debian/tests/ + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Mon, 13 Feb 2023 12:43:19 +0100 + +opensnitch (1.5.7-1) unstable; urgency=medium + + * New upstream release + + [ Gustavo Iñiguez Goia ] + * Set test-fw-rules.sh as flaky. 
+ * Make test-fw-rules.sh more verbose. + + [ Petter Reinholdtsen ] + * Fixed typo in nb comment of desktop file. + * Added appstream desktop category to metadata XML. + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Fri, 10 Feb 2023 13:28:23 +0100 + +opensnitch (1.5.6-1) unstable; urgency=medium + + * New upstream release + + [ Gustavo Iñiguez Goia ] + * tests: removed Architecture: restriction + * changed Maintainer: field to team+pkg-go + * added new test + * added Uploaders field + * updated Vcs* fields + + [ Petter Reinholdtsen ] + * Added Debian package relation between opensnitch and + python3-opensnitch-ui. + * Handle autopkgtest scripts differently, as they have different + requirements. + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 07 Feb 2023 21:29:48 +0100 + +opensnitch (1.5.5-1) unstable; urgency=medium + + * New upstream release. + * Bump Standards-Version to 4.6.2. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Wed, 01 Feb 2023 22:37:12 +0100 + +opensnitch (1.5.4-1) unstable; urgency=high + + * New upstream release. (Closes: #1030115) + * debian/control: + - Updated packages description. + - Removed debconf and whiptail|dialog dependencies. + - Added xdg-user-dirs, gtk-update-icon-cache dependencies. + - Point Vcs-Git field to the 1.5.0 branch. + * debian/postinst: + - Fixed opensnitch_ui.desktop installation. + - Fixed updating icons cache. + * debian/postrm: + - Fixed removing opensnitch_ui.desktop + * debian/tests/: + - Added autopkgtests. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 31 Jan 2023 23:48:58 +0100 + +opensnitch (1.5.3-1) unstable; urgency=medium + + * Added debian/upstream/metadata. + * Updated Homepage url. + * Updated Copyright years. + + -- Gustavo-Iniguez-Goya Sun, 22 Jan 2023 21:30:45 +0100 + +opensnitch (1.5.2.1-1) unstable; urgency=medium + + * Initial release. 
(Closes: #909567) + + -- Gustavo-Iniguez-Goya Fri, 20 Jan 2023 22:26:40 +0000 + +opensnitch (1.5.2-1) unstable; urgency=medium + + * try to mount debugfs on boot up + + -- gustavo-iniguez-goya Wed, 27 Jul 2022 17:29:33 +0200 + +opensnitch (1.5.1-1) unstable; urgency=medium + + * Better eBPF cache. + * Fixed error resolving domains to localhost. + * Fixed error deleting our nftables rules. + + -- gustavo-iniguez-goya Fri, 25 Feb 2022 01:21:38 +0100 + +opensnitch (1.5.0-1) unstable; urgency=medium + + * New release. + * Added Reject option. + * New lists types to block ads/malware/... + * Better connections interception. + * Better VPNs handling. + * Bug fixes. + + -- gustavo-iniguez-goya Fri, 28 Jan 2022 23:20:38 +0100 + +opensnitch (1.5.0~rc2-1) unstable; urgency=medium + + * Better connections interception. + * Improvements. + + -- gustavo-iniguez-goya Sun, 16 Jan 2022 23:15:12 +0100 + +opensnitch (1.5.0~rc1-1) unstable; urgency=medium + + * New features. + + -- gustavo-iniguez-goya Thu, 07 Oct 2021 14:57:35 +0200 + +opensnitch (1.4.0-1) unstable; urgency=medium + + * final release. + + -- gustavo-iniguez-goya Fri, 27 Aug 2021 13:33:07 +0200 + +opensnitch (1.4.0~rc4-1) unstable; urgency=medium + + * Bug fix release. + + -- gustavo-iniguez-goya Wed, 11 Aug 2021 15:17:49 +0200 + +opensnitch (1.4.0~rc3-1) unstable; urgency=medium + + * Bug fix release. + + -- gustavo-iniguez-goya Fri, 16 Jul 2021 23:28:52 +0200 + +opensnitch (1.4.0~rc2-1) unstable; urgency=medium + + * Added eBPF support. + * Fixes and improvements. + + -- gustavo-iniguez-goya Fri, 07 May 2021 01:08:02 +0200 + +opensnitch (1.4.0~rc-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Thu, 25 Mar 2021 01:02:31 +0100 + +opensnitch (1.3.6-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Wed, 10 Feb 2021 10:17:43 +0100 + +opensnitch (1.3.5-1) unstable; urgency=medium + + * Bug fix and improvements release. 
+ + -- gustavo-iniguez-goya Mon, 11 Jan 2021 18:01:53 +0100 + +opensnitch (1.3.0-1) unstable; urgency=medium + + * Fixed how we check rules + * Fixed cpu spike after disable interception. + * Fixed cleaning up fw rules on exit. + * make regexp rules case-insensitive by default + * allow to filter by dst network. + + -- gustavo-iniguez-goya Wed, 16 Dec 2020 01:15:03 +0100 + +opensnitch (1.3.0~rc-1) unstable; urgency=medium + + * Non-maintainer upload. + + -- gustavo-iniguez-goya Fri, 13 Nov 2020 00:51:34 +0100 + +opensnitch (1.2.0-1) unstable; urgency=medium + + * Fixed memleaks. + * Sort rules by name + * Added priority field to rules. + * Other fixes + + -- gustavo-iniguez-goya Mon, 09 Nov 2020 22:55:13 +0100 + +opensnitch (1.0.1-1) unstable; urgency=medium + + * Fixed app exit when IPv6 is not supported. + * Other fixes. + + -- gustavo-iniguez-goya Thu, 30 Jul 2020 21:56:20 +0200 + +opensnitch (1.0.0-1) unstable; urgency=medium + + * v1.0.0 released. + + -- gustavo-iniguez-goya Thu, 16 Jul 2020 00:19:26 +0200 + +opensnitch (1.0.0rc11-1) unstable; urgency=medium + + * Fixed multiple race conditions. + * Fixed CWD parsing when using audit proc monitor method. + + -- gustavo-iniguez-goya Wed, 24 Jun 2020 00:10:38 +0200 + +opensnitch (1.0.0rc10-1) unstable; urgency=medium + + * Fixed checking UID functions availability. + * Improved process path parsing. + * Fixed applying config from the UI. + * Fixed default log level. + * Gather CWD and process environment vars. + * Increase default timeout when asking for a rule. + + -- gustavo-iniguez-goya Sat, 13 Jun 2020 18:45:02 +0200 + +opensnitch (1.0.0rc9-1) unstable; urgency=medium + + * Ignore malformed rules from loading. + * Allow to modify and add rules from the UI. + + -- gustavo-iniguez-goya Sun, 17 May 2020 18:18:24 +0200 + +opensnitch (1.0.0rc8) unstable; urgency=medium + + * Allow to change settings from the UI. + * Improved connection handling with the UI. 
+ + -- gustavo-iniguez-goya Wed, 29 Apr 2020 21:52:27 +0200 + +opensnitch (1.0.0rc7-1) unstable; urgency=medium + + * Stability, performance and realiability improvements. + + -- gustavo-iniguez-goya Sun, 12 Apr 2020 23:25:41 +0200 + +opensnitch (1.0.0rc6-1) unstable; urgency=medium + + * Fixed iptables rules deletion. + * Improved PIDs cache. + * Added audit process monitoring method. + * Added logrotate file. + * Added default configuration file. + + -- gustavo-iniguez-goya Sun, 08 Mar 2020 20:47:58 +0100 + +opensnitch (1.0.0rc-5) unstable; urgency=medium + + * Fixed netlink socket querying. + * Added check to reload firewall rules if missing. + + -- gustavo-iniguez-goya Mon, 24 Feb 2020 19:55:06 +0100 + +opensnitch (1.0.0rc-3) unstable; urgency=medium + + * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases + + -- gustavo-iniguez-goya Tue, 18 Feb 2020 10:09:45 +0100 + +opensnitch (1.0.0rc-2) unstable; urgency=medium + + * UI minor changes + * Expand deb package compatibility. + + -- gustavo-iniguez-goya Wed, 05 Feb 2020 21:50:20 +0100 + +opensnitch (1.0.0rc-1) unstable; urgency=medium + + * Initial release + + -- gustavo-iniguez-goya Fri, 22 Nov 2019 01:14:08 +0100 diff --git a/control b/control new file mode 100644 index 0000000..efecc11 --- /dev/null +++ b/control 
@@ -0,0 +1,112 @@ +Source: opensnitch +Maintainer: Debian Go Packaging Team +Uploaders: + Charles Allhands , + Petter Reinholdtsen +Section: devel +Priority: optional +Build-Depends: + debhelper-compat (= 11), + dh-golang, + dh-python, + golang-any, + golang-github-fsnotify-fsnotify-dev, + golang-github-google-gopacket-dev, + golang-github-google-nftables-dev, + golang-github-iovisor-gobpf-dev, + golang-github-varlink-go-dev, + golang-github-vishvananda-netlink-dev, + golang-golang-x-net-dev, + golang-google-grpc-dev, + golang-github-gogo-protobuf-dev | golang-goprotobuf-dev, + libmnl-dev, + libnetfilter-queue-dev, + linux-headers-amd64 [amd64] | linux-headers-arm64 [arm64] | linux-headers-armmp [armhf] | linux-headers-loong64 [loong64] | linux-headers-riscv64 [riscv64] | linux-headers-s390x [s390x] | linux-headers-generic, + pkgconf, + protoc-gen-go-1-5 | protoc-gen-go-1-3, + protoc-gen-go-grpc, + pyqt5-dev-tools, + qttools5-dev-tools, + python3-all, + python3-grpc-tools, + python3-setuptools, + clang, + llvm +Standards-Version: 4.7.2 +Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch +Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git +Homepage: https://github.com/evilsocket/opensnitch +Rules-Requires-Root: no +XS-Go-Import-Path: github.com/evilsocket/opensnitch + +Package: opensnitch +Section: net +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: python3-opensnitch-ui, + opensnitch-ebpf-modules [amd64 arm64 riscv64 s390x loong64 ppc64] +Built-Using: ${misc:Built-Using} +Description: GNU/Linux interactive application firewall + Whenever a program makes a connection, it'll prompt the user to allow or deny + it. + . + The user can decide if block the outgoing connection based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until the app restart or just one time. + . 
+ The GUI allows the user to view live outgoing connections, as well as search + by process, user, host or port. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. + + +Package: python3-opensnitch-ui +Architecture: all +Section: net +Depends: + ${misc:Depends}, + ${shlibs:Depends}, + libqt5sql5-sqlite, + python3-grpcio, + python3-notify2, + python3-pyinotify, + python3-pyqt5, + python3-pyqt5.qtsql, + python3-slugify, + python3:any, + xdg-user-dirs, + gtk-update-icon-cache +Recommends: + python3-pyasn +Suggests: opensnitch +Description: GNU/Linux interactive application firewall GUI + opensnitch-ui is a GUI for opensnitch written in Python. + It allows the user to view live outgoing connections, as well as search + for details of the intercepted connections. + . + The user can decide if block outgoing connections based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until restart the daemon or just one time. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. + + +Package: opensnitch-ebpf-modules +Architecture: amd64 arm64 riscv64 s390x loong64 ppc64 +Section: net +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Suggests: opensnitch +Description: GNU/Linux interactive application firewall eBPF modules + opensnitch-ebpf-modules provides the eBPF modules. + It provides the functionality to intercept connections at kernel level, + offering better performance and reliability. diff --git a/copyright b/copyright new file mode 100644 index 0000000..7054f76 --- /dev/null +++ b/copyright 
@@ -0,0 +1,203 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: https://github.com/evilsocket/opensnitch +Upstream-Contact: Gustavo Iñiguez Goia +Upstream-Name: opensnitch +Files-Excluded: + Godeps/_workspace + +Files: * +Copyright: + 2017-2018 evilsocket + 2019-2023 Gustavo Iñiguez Goia +Comment: Debian packaging is licensed under the same terms as upstream +License: GPL-3.0+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this program. If not, If not, see + http://www.gnu.org/licenses/. + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + '/usr/share/common-licenses/GPL-3'. + +Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml +Copyright: + 2023 Gustavo Iñiguez Goia +License: FTL + The FreeType Project LICENSE + ---------------------------- + . + 2006-Jan-27 + . + Copyright 1996-2002, 2006 by + David Turner, Robert Wilhelm, and Werner Lemberg + . + . + . + Introduction + ============ + . + The FreeType Project is distributed in several archive packages; + some of them may contain, in addition to the FreeType font engine, + various tools and contributions which rely on, or relate to, the + FreeType Project. + . + This license applies to all files found in such packages, and + which do not fall under their own explicit license. 
The license + affects thus the FreeType font engine, the test programs, + documentation and makefiles, at the very least. + . + This license was inspired by the BSD, Artistic, and IJG + (Independent JPEG Group) licenses, which all encourage inclusion + and use of free software in commercial and freeware products + alike. As a consequence, its main points are that: + . + o We don't promise that this software works. However, we will be + interested in any kind of bug reports. (`as is' distribution) + . + o You can use this software for whatever you want, in parts or + full form, without having to pay us. (`royalty-free' usage) + . + o You may not pretend that you wrote this software. If you use + it, or only parts of it, in a program, you must acknowledge + somewhere in your documentation that you have used the + FreeType code. (`credits') + . + We specifically permit and encourage the inclusion of this + software, with or without modifications, in commercial products. + We disclaim all warranties covering The FreeType Project and + assume no liability related to The FreeType Project. + . + . + Finally, many people asked us for a preferred form for a + credit/disclaimer to use in compliance with this license. We thus + encourage you to use the following text: + . + """ + Portions of this software are copyright © The FreeType + Project (www.freetype.org). All rights reserved. + """ + . + Please replace with the value from the FreeType version you + actually use. + . + . + Legal Terms + =========== + . + 0. Definitions + -------------- + . + Throughout this license, the terms `package', `FreeType Project', + and `FreeType archive' refer to the set of files originally + distributed by the authors (David Turner, Robert Wilhelm, and + Werner Lemberg) as the `FreeType Project', be they named as alpha, + beta or final release. + . 
+ `You' refers to the licensee, or person using the project, where + `using' is a generic term including compiling the project's source + code as well as linking it to form a `program' or `executable'. + This program is referred to as `a program using the FreeType + engine'. + . + This license applies to all files distributed in the original + FreeType Project, including all source code, binaries and + documentation, unless otherwise stated in the file in its + original, unmodified form as distributed in the original archive. + If you are unsure whether or not a particular file is covered by + this license, you must contact us to verify this. + . + The FreeType Project is copyright (C) 1996-2000 by David Turner, + Robert Wilhelm, and Werner Lemberg. All rights reserved except as + specified below. + . + 1. No Warranty + -------------- + . + THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY + KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO + USE, OF THE FREETYPE PROJECT. + . + 2. Redistribution + ----------------- + . + This license grants a worldwide, royalty-free, perpetual and + irrevocable right and license to use, execute, perform, compile, + display, copy, create derivative works of, distribute and + sublicense the FreeType Project (in both source and object code + forms) and derivative works thereof for any purpose; and to + authorize others to exercise some or all of the rights granted + herein, subject to the following conditions: + . + o Redistribution of source code must retain this license file + (`FTL.TXT') unaltered; any additions, deletions or changes to + the original files must be clearly indicated in accompanying + documentation. 
The copyright notices of the unaltered, + original files must be preserved in all copies of source + files. + . + o Redistribution in binary form must provide a disclaimer that + states that the software is based in part of the work of the + FreeType Team, in the distribution documentation. We also + encourage you to put an URL to the FreeType web page in your + documentation, though this isn't mandatory. + . + These conditions apply to any software derived from or based on + the FreeType Project, not just the unmodified files. If you use + our work, you must acknowledge us. However, no fee need be paid + to us. + . + 3. Advertising + -------------- + . + Neither the FreeType authors and contributors nor you shall use + the name of the other for commercial, advertising, or promotional + purposes without specific prior written permission. + . + We suggest, but do not require, that you use one or more of the + following phrases to refer to this software in your documentation + or advertising materials: `FreeType Project', `FreeType Engine', + `FreeType library', or `FreeType Distribution'. + . + As you have not signed this license, you are not required to + accept it. However, as the FreeType Project is copyrighted + material, only this license, or another one contracted with the + authors, grants you the right to use, distribute, and modify it. + Therefore, by using, distributing, or modifying the FreeType + Project, you indicate that you understand and accept all the terms + of this license. + . + 4. Contacts + ----------- + . + There are two mailing lists related to FreeType: + . + o freetype@nongnu.org + . + Discusses general use and applications of FreeType, as well as + future and wanted additions to the library and distribution. + If you are looking for support, start in this list if you + haven't found anything to help you in the documentation. + . + o freetype-devel@nongnu.org + . 
+ Discusses bugs, as well as engine internals, design issues, + specific licenses, porting, etc. + . + Our home page can be found at + . + https://www.freetype.org diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 0000000..94e6b84 --- /dev/null +++ b/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = debian/sid +pristine-tar = True diff --git a/gitlab-ci.yml b/gitlab-ci.yml new file mode 100644 index 0000000..91ff7ea --- /dev/null +++ b/gitlab-ci.yml @@ -0,0 +1,27 @@ +# auto-generated, DO NOT MODIFY. +# The authoritative copy of this file lives at: +# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go + +# TODO: publish under debian-go-team/ci +image: stapelberg/ci2 + +test_the_archive: + artifacts: + paths: + - before-applying-commit.json + - after-applying-commit.json + script: + # Create an overlay to discard writes to /srv/gopath/src after the build: + - "rm -rf /cache/overlay/{upper,work}" + - "mkdir -p /cache/overlay/{upper,work}" + - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src" + - "export GOPATH=/srv/gopath" + - "export GOCACHE=/cache/go" + # Build the world as-is: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json" + # Copy this package into the overlay: + - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'" + - "pgt-gopath -dsc /tmp/export/*.dsc" + # Rebuild the world: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json" + - "ci-diff before-applying-commit.json after-applying-commit.json" diff --git a/man/opensnitch-ebpf-modules.1 b/man/opensnitch-ebpf-modules.1 new file mode 100644 index 0000000..018b4b6 --- /dev/null +++ b/man/opensnitch-ebpf-modules.1 
@@ -0,0 +1,59 @@ +.\" Copyright (c) 2023 Gustavo Iñiguez Goya +.\" All rights reserved. +.\" +.\" SPDX-License-Identifier: GPL-3.0-or-later +.de CW +.sp +.in +4n +.nf +.ft CW +.. +.de CE +.ft R +.fi +.in +.sp +.. +.\" Like .OP, but with ellipsis at the end in order to signify that option +.\" can be provided multiple times. Based on .OP definition in groff's +.\" an-ext.tmac. +.de OM +. ie \\n(.$-1 \ +. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" +. el \ +. RB "[" "\\$1" "]...\&" +.. +.\" Required option. +.de OR +. ie \\n(.$-1 \ +. RI "\fB\\$1\fP" "\ \\$2" +. el \ +. BR "\\$1" +.. +.TH OPENSNITCH-EBPF_MODULES 1 "2023-06-07" "opensnitch-ebpf-modules 1.5.9" +.SH NAME +opensnitch-ebpf-modules \- GNU/Linux interactive firewall application +.SH DESCRIPTION +.LP +opensnitch-ebpf-modules provides the eBPF kernel modules to intercept +network connections. It offers better performance and reliability. +.LP +The modules are installed under /usr/lib/opensnitchd/ebpf/ +.LP +.SH KNOWN BUGS +When coming back from suspend state, the eBPF modules stop working. +.LP +The only solution for now is to restart the daemon when the computer +wakes up: +.PP +https://github.com/evilsocket/opensnitch/blob/master/utils/scripts/restart-opensnitch-onsleep.sh +.SH "SEE ALSO" +.PP +.UR https://github.com/evilsocket/opensnitch/ebpf_prog/ +.B OpenSnitch +Home Page +.UE +.SH AUTHORS +The complete list of +.B OpenSnitch +contributors can be found on https://github.com/evilsocket/opensnitch diff --git a/man/opensnitch-ui.1 b/man/opensnitch-ui.1 new file mode 100644 index 0000000..b9ab2d9 --- /dev/null +++ b/man/opensnitch-ui.1 
@@ -0,0 +1,112 @@ +.\" Copyright (c) 2023 Gustavo Iñiguez Goya +.\" All rights reserved. +.\" +.\" SPDX-License-Identifier: GPL-3.0-or-later +.de CW +.sp +.in +4n +.nf +.ft CW +.. +.de CE +.ft R +.fi +.in +.sp +.. +.\" Like .OP, but with ellipsis at the end in order to signify that option +.\" can be provided multiple times. Based on .OP definition in groff's +.\" an-ext.tmac. +.de OM +. ie \\n(.$-1 \ +. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" +. el \ +. RB "[" "\\$1" "]...\&" +.. +.\" Required option. +.de OR +. ie \\n(.$-1 \ +. RI "\fB\\$1\fP" "\ \\$2" +. el \ +. BR "\\$1" +.. +.TH OPENSNITCH-UI 1 "2023-06-07" "opensnitchd 1.5.9" +.SH NAME +opensnitch-ui \- GNU/Linux interactive firewall application +.SH SYNOPSIS +.SY opensnitch-ui +.OP \-\-socket path +.OP \-\-max-clients num +.YS +.SH DESCRIPTION +.LP +opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon, +and to manage the rules. +The GUI is composed of 2 components in the same script: a server and a GUI. +Once the GUI is launched, an icon will appear on the system tray. +If the system tray is not available or can't be used, the Events dialog will +be launched. +.LP +The GUI (i.e.: the server) will listen for new connections from daemons. You +can have the daemon installed on multiple machines, and manage them from a +centralized GUI. +.UR https://github.com/evilsocket/opensnitch/wiki/Nodes +.UE +.LP +.SH OPTIONS +.TP +.BI "\--socket " path +Specifies the path or network address where the GUI (i.e.: the server) will +listen on. +.PP + Examples: +.PP + Default: unix:///tmp/osui.sock +.PP + - Listening on a Unix socket: + $ opensnitch-ui --socket unix:///tmp/osui.sock + * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy. +.PP + - Listening on port 50051, all interfaces: + $ opensnitch-ui --socket "[::]:50051" +.TP +.BI "\--max-clients " num +Maximum number of clients to allow (default: 10). 
+.SH FILES +.I /home/$USER/.config/opensnitch/ +.RS +Path of the GUI configuration. +.RE +.SH DIAGNOSTICS +If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages: +.LP +.RS +$ opensnitch-ui +.RE +.SH REPORTING BUGS +Problems with +.B opensnitch-ui +should be reported on github +.UR https://github.com/evilsocket/opensnitch/issues +.UE +.SH "SEE ALSO" +.PP +.B OpenSnitch +Home Page +.UR https://github.com/evilsocket/opensnitch +.UE +.LP +.SH HISTORY +.B OpenSnitch +was originally written by Simone Margaritelli (evilsocket) in 2017-2018. +.LP +In 2019, after some time of inactivity, Gustavo Iñiguez Goya started +contributing, fixing bugs and adding new functionality, with +the esential help of the community, and valuable contributions from themighty1 and +calesanz among others. +.SH AUTHORS +The complete list of +.B OpenSnitch +contributors can be found on +.UR https://github.com/evilsocket/opensnitch +.UE diff --git a/man/opensnitchd.1 b/man/opensnitchd.1 new file mode 100644 index 0000000..a5e108f --- /dev/null +++ b/man/opensnitchd.1 
@@ -0,0 +1,183 @@ +.\" Copyright (c) 2023 Gustavo Iñiguez Goya +.\" All rights reserved. +.\" +.\" SPDX-License-Identifier: GPL-3.0-or-later +.de CW +.sp +.in +4n +.nf +.ft CW +.. +.de CE +.ft R +.fi +.in +.sp +.. +.\" Like .OP, but with ellipsis at the end in order to signify that option +.\" can be provided multiple times. Based on .OP definition in groff's +.\" an-ext.tmac. +.de OM +. ie \\n(.$-1 \ +. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" +. el \ +. RB "[" "\\$1" "]...\&" +.. +.\" Required option. +.de OR +. ie \\n(.$-1 \ +. RI "\fB\\$1\fP" "\ \\$2" +. el \ +. BR "\\$1" +.. +.TH OPENSNITCHD 1 "2023-06-07" "opensnitchd 1.5.9" +.SH NAME +opensnitchd \- GNU/Linux interactive firewall application +.SH SYNOPSIS +.SY opensnitchd +.OP \-rules-path path +.OP \-cpu-profile path +.OP \-debug +.OP \-error +.OP \-warning +.OP \-important +.OM \-log-file path +.OM \-mem-profile path +.OP \-no-live-reload +.OM \-process-monitor-method name +.OM \-queue-num num +.OM \-ui-socket path +.OP \-version +.OM \-workers num +.YS +.SH DESCRIPTION +.LP +opensnitchd is the OpenSnitch agent that intercepts outbound connections, +and send them to the server. The server can be a GUI, a TUI, or a +.I headless +component to just log the network activity (a SIEM for example). +By default it'll allow all connections, creating temporal rules for you +so you can review them later. +.LP +.SH OPTIONS +.TP +.BI "\-rules-path " path +Specifies where the rules will be written to. Default "rules". +.TP +.BI "\-cpu-profile " path +A file path where the CPU data for later use will be written. +.TP +.BI "\-debug" +Set LogLevel to DEBUG. +.TP +.BI "\-warning" +Set LogLevel to WARNING. +.TP +.BI "\-important" +Set LogLevel to IMPORTANT. +.TP +.BI "\-log-file " path +A file path where the logs will be written to. This path can be a device file, +like /dev/stdout to print logs to standard output. +.TP +.BI "\-mem-profile " path +A file path where the memory data will be written once the daemon exits. 
+.TP +.BI "\-no-live-reload" +By default daemon's rules and configuration is reloaded whenever it changes. +This option disables this feature. +.TP +.BI "\-process-monitor-method " method +Force process monitor method, overriding what is defined in the configuration. +Valid methods: ebpf, audit, proc +.TP +.BI "\-queue-num " num +Force to use this netfilter queue num. The default queue number is 0, but if +it's already used by other software, you can set another queue number here. +.TP +.BI "\-ui-socket " path +Force to use this socket path, instead of the one defined in the configuration. +The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051") +.RS +( +.UR https://github.com/grpc/grpc/blob/master/doc/naming.md +.UE +) +.RE +.TP +.BI "\-version" +Prints out daemon version. +.TP +.BI "\-workers " num +Change maximum number of workers to process outbound connections. +By default 16 workers are launched, but if it's not enough increase this number. +.SH FILES +.I /etc/opensnitchd/rules/ +.RS +Default daemon directory rules. +.RE +.I /etc/opensnitchd/default-config.json +.RS +Default daemon configuration. +.RE +.I /etc/opensnitchd/system-fw.json +.RS +Configuration of system firewall rules (iptables/nftables). +.TP +Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services. +.SH DIAGNOSTICS +OpenSnitch needs at least one firewall rule to intercept outbound connections: +.LP +iptables -t mangle -L OUTPUT | grep NFQUEUE +.RS +NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass +.RE +.LP +If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it, +using the GUI enable the option +.I [x] Debug invalid connections +under Preferences -> Nodes. +Or set the configuration option +.B InterceptUnknown +to true. 
+.LP +.I Tip: +You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon. +.LP +Another way of debugging errors is by launching the daemon from the command line: +.IP +.PD 0 +.IP 1. 4 +Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration) +.IP 2. 4 +Stop the daemon: systemctl stop opensnitch +.IP 3. 4 +Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/ +.PD +.LP +.SH REPORTING BUGS +Problems with +.B opensnitchd +should be reported on github +.UR https://github.com/evilsocket/opensnitch/issues +.UE +.SH HISTORY +.B OpenSnitch +was originally written by Simone Margaritelli (evilsocket) in 2017-2018. +.LP +In 2019, after some time of inactivity, Gustavo Iñiguez Goya started +contributing, fixing bugs and adding new functionality, with +the esential help of the community, and valuable contributions from themighty1 and +calesanz among others. +.SH "SEE ALSO" +.PP +.B OpenSnitch +Home Page +.UR https://github.com/evilsocket/opensnitch +.UE +.SH AUTHORS +The complete list of +.B OpenSnitch +contributors can be found on +.UR https://github.com/evilsocket/opensnitch +.UE diff --git a/opensnitch-ebpf-modules.lintian-overrides b/opensnitch-ebpf-modules.lintian-overrides new file mode 100644 index 0000000..9ae16b6 --- /dev/null +++ b/opensnitch-ebpf-modules.lintian-overrides @@ -0,0 +1,4 @@ +# These are EBPF objects. +binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-dns.o] +binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-procs.o] +binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch.o] diff --git a/opensnitch-ebpf-modules.manpages b/opensnitch-ebpf-modules.manpages new file mode 100644 index 0000000..fcad479 --- /dev/null +++ b/opensnitch-ebpf-modules.manpages @@ -0,0 +1 @@ +debian/man/opensnitch-ebpf-modules.1 
diff --git a/opensnitch.init b/opensnitch.init new file mode 100644 index 0000000..77ce353 --- /dev/null +++ b/opensnitch.init @@ -0,0 +1,78 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: opensnitchd +# Required-Start: $network $local_fs +# Required-Stop: $network $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: opensnitchd daemon +# Description: opensnitch application firewall +### END INIT INFO + +NAME=opensnitchd +PIDDIR=/var/run/$NAME +OPENSNITCHDPID=$PIDDIR/$NAME.pid + +# clear conflicting settings from the environment +unset TMPDIR + +test -x /usr/bin/$NAME || exit 0 + +. /lib/lsb/init-functions + +case $1 in + start) + log_daemon_msg "Starting opensnitch daemon" $NAME + if [ ! -d /etc/$NAME/rules ]; then + mkdir -p /etc/$NAME/rules &>/dev/null + fi + + # Make sure we have our PIDDIR, even if it's on a tmpfs + install -o root -g root -m 755 -d $PIDDIR + + if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then + log_end_msg 1 + exit 1 + fi + + log_end_msg 0 + ;; + stop) + + log_daemon_msg "Stopping $NAME daemon" $NAME + + start-stop-daemon --stop --quiet --signal QUIT --name $NAME + # Wait a little and remove stale PID file + sleep 1 + if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null + then + rm -f $OPENSNITCHDPID + fi + + log_end_msg 0 + + ;; + reload) + log_daemon_msg "Reloading $NAME" $NAME + + start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID + + log_end_msg 0 + ;; + restart|force-reload) + $0 stop + sleep 1 + $0 start + ;; + status) + status_of_proc /usr/bin/$NAME $NAME + exit $? + ;; + *) + echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}" + exit 1 + ;; +esac + +exit 0 diff --git a/opensnitch.install b/opensnitch.install new file mode 100644 index 0000000..751664c --- /dev/null +++ b/opensnitch.install 
@@ -0,0 +1,3 @@ +daemon/default-config.json etc/opensnitchd/ +daemon/system-fw.json etc/opensnitchd/ +#ebpf_prog/opensnitch.o etc/opensnitchd/ diff --git a/opensnitch.logrotate b/opensnitch.logrotate new file mode 100644 index 0000000..7e1d486 --- /dev/null +++ b/opensnitch.logrotate @@ -0,0 +1,13 @@ +/var/log/opensnitchd.log { + rotate 7 +# order of the fields is important + maxsize 50M +# we need this option in order to keep logging + copytruncate + missingok + notifempty + delaycompress + compress + create 640 root root + weekly +} diff --git a/opensnitch.maintscript b/opensnitch.maintscript new file mode 100644 index 0000000..3967ebd --- /dev/null +++ b/opensnitch.maintscript @@ -0,0 +1 @@ +rm_conffile /etc/needrestart/conf.d/no-opensnitch-restart.conf 1.6.8-9 opensnitch diff --git a/opensnitch.manpages b/opensnitch.manpages new file mode 100644 index 0000000..89a1536 --- /dev/null +++ b/opensnitch.manpages @@ -0,0 +1 @@ +debian/man/opensnitchd.1 diff --git a/opensnitch.service b/opensnitch.service new file mode 100644 index 0000000..8d1b52f --- /dev/null +++ b/opensnitch.service @@ -0,0 +1,16 @@ +[Unit] +Description=OpenSnitch is a GNU/Linux application firewall. +Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki +Wants=network.target +After=network.target + +[Service] +Type=simple +PermissionsStartOnly=true +ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules +ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/patches/1000-installed-kernel-headers.patch b/patches/1000-installed-kernel-headers.patch new file mode 100644 index 0000000..59fb30e --- /dev/null +++ b/patches/1000-installed-kernel-headers.patch 
@@ -0,0 +1,22 @@ +Description: Changed how ebpf build find kernel headers from running to installed version. + The installed kernel do not match running kernel in chroots and containers. +Author: Petter Reinholdtsen +Forwarded: https://github.com/evilsocket/opensnitch/pull/1327 +Last-Update: 2025-04-20 +--- +Index: opensnitch-salsa/ebpf_prog/Makefile +=================================================================== +--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.679288526 +0200 ++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:54:12.000000000 +0200 +@@ -3,8 +3,9 @@ + # On Debian based distros we need the following 2 directories. + # Otherwise, just use the kernel headers from the kernel sources. + # +-KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source +-KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/ ++KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort | tail -1 | cut -d/ -f4) ++KERNEL_DIR ?= /lib/modules/$(KERNEL_VER)/source ++KERNEL_HEADERS ?= /usr/src/linux-headers-$(KERNEL_VER)/ + CLANG ?= clang + LLC ?= llc + LLVM_STRIP ?= llvm-strip -g diff --git a/patches/1020-ebpf-armv8l.patch b/patches/1020-ebpf-armv8l.patch new file mode 100644 index 0000000..1483114 --- /dev/null +++ b/patches/1020-ebpf-armv8l.patch @@ -0,0 +1,18 @@ +Description: Added ebpf build rule mapping for armv8 to work with more armhf machines. +Author: Petter Reinholdtsen +Forwarded: https://github.com/evilsocket/opensnitch/pull/1326 +Last-Update: 2025-04-20 +--- +Index: opensnitch-salsa/ebpf_prog/Makefile +=================================================================== +--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.739289007 +0200 ++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:53:55.731288942 +0200 +@@ -19,6 +19,8 @@ + ARCH := x86 + else ifeq ($(ARCH),armv7l) + ARCH := arm ++else ifeq ($(ARCH),armv8l) ++ ARCH := arm + else ifeq ($(ARCH),aarch64) + ARCH := arm64 + endif 
diff --git a/patches/1030-systemd-service-earlier.patch b/patches/1030-systemd-service-earlier.patch new file mode 100644 index 0000000..2ab42d9 --- /dev/null +++ b/patches/1030-systemd-service-earlier.patch @@ -0,0 +1,33 @@ +Description: Start firewall rules before network is brought up. + Also protect the firewall daemon from the kernel OOM killer. Partly + based on proposal from + https://github.com/evilsocket/opensnitch/pull/1019/. +Author: Petter Reinholdtsen +Forwarded: https://github.com/evilsocket/opensnitch/pull/1019 +Last-Update: 2025-04-20 +diff --git a/daemon/opensnitchd.service b/daemon/opensnitchd.service +index 3f05fad2..3bfd94d6 100644 +--- a/daemon/opensnitchd.service ++++ b/daemon/opensnitchd.service +@@ -1,6 +1,10 @@ + [Unit] + Description=Application firewall OpenSnitch + Documentation=https://github.com/evilsocket/opensnitch/wiki ++DefaultDependencies=no ++Before=network-pre.target shutdown.target ++Wants=network-pre.target ++Conflicts=shutdown.target + + [Service] + Type=simple +@@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules + Restart=always + RestartSec=30 + TimeoutStopSec=10 ++# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer. ++# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust= ++OOMScoreAdjust=-1000 + + [Install] +-WantedBy=multi-user.target ++WantedBy=basic.target diff --git a/patches/1050-ebpf-s390x.patch b/patches/1050-ebpf-s390x.patch new file mode 100644 index 0000000..d2284fc --- /dev/null +++ b/patches/1050-ebpf-s390x.patch 
@@ -0,0 +1,19 @@ +Description: Added ebpf build rule mapping for s390x to s390. + This ensure the kernel headers are found during compilation. +Author: Petter Reinholdtsen +Forwarded: https://github.com/evilsocket/opensnitch/pull/1333 +Last-Update: 2025-04-25 +--- +Index: opensnitch-salsa/ebpf_prog/Makefile +=================================================================== +--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-25 07:58:50.785702284 +0200 ++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-25 07:59:34.170084431 +0200 +@@ -23,6 +23,8 @@ + ARCH := arm + else ifeq ($(ARCH),aarch64) + ARCH := arm64 ++else ifeq ($(ARCH),s390x) ++ ARCH := s390 + endif + + ifeq ($(ARCH),arm) diff --git a/patches/2000-apt-not-pip.patch b/patches/2000-apt-not-pip.patch new file mode 100644 index 0000000..15e4820 --- /dev/null +++ b/patches/2000-apt-not-pip.patch 
@@ -0,0 +1,39 @@ +Description: Do not propose use of pip on Debian + Dependencies should be fetched from the curated Debian archive. +Author: Petter Reinholdtsen +Forwarded: not-needed +Last-Update: 2025-04-19 +--- +--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/firewall_rule.py ++++ opensnitch-1.6.8/ui/opensnitch/dialogs/firewall_rule.py +@@ -377,7 +377,7 @@ The value must be in the format: VALUE/U + self._set_status_error( + QC.translate( + "firewall", +- "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(pip3 install --ignore-installed protobuf==3.8.0)" ++ "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(apt install protobuf-api-32-0)" + ) + ) + return False +--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/preferences.py ++++ opensnitch-1.6.8/ui/opensnitch/dialogs/preferences.py +@@ -258,7 +258,7 @@ class PreferencesDialog(QtWidgets.QDialo + self._saved_theme = "" + self.labelThemeError.setStyleSheet('color: red') + self.labelThemeError.setVisible(True) +- self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: pip3 install qt-material")) ++ self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: apt install python3-qt-material")) + + self.comboUITheme.setCurrentIndex(theme_idx) + self._show_ui_density_widgets(theme_idx) +--- opensnitch-1.6.8.orig/ui/opensnitch/utils/__init__.py ++++ opensnitch-1.6.8/ui/opensnitch/utils/__init__.py +@@ -109,7 +109,7 @@ class Themes(): + from qt_material import list_themes as qtmaterial_themes + AVAILABLE = True + except Exception: +- print("Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.") ++ print("Themes not available. Install qt-material if you want to change GUI's appearance: apt install python3-qt-material.") + + @staticmethod + def instance(): 
diff --git a/patches/2010-no-tcp-flush-on-restart.patch b/patches/2010-no-tcp-flush-on-restart.patch new file mode 100644 index 0000000..4af9c7c --- /dev/null +++ b/patches/2010-no-tcp-flush-on-restart.patch @@ -0,0 +1,20 @@ +Description: Tell opensnitch daemon to not flush al TCP connections on restart. + This avoid killing connections like SSH and IRC when upgrading or restarting + the service. See discussion in https://github.com/evilsocket/opensnitch/issues/1329 . +Author: Petter Reinholdtsen +Bug-Debian: https://bugs.debian.org/1103496 +Forwarded: not-needed +Last-update: 2025-05-26 +--- +Index: opensnitch-salsa/daemon/default-config.json +=================================================================== +--- opensnitch-salsa.orig/daemon/default-config.json 2025-04-26 07:33:06.345354492 +0200 ++++ opensnitch-salsa/daemon/default-config.json 2025-04-26 07:33:52.681782972 +0200 +@@ -22,6 +22,6 @@ + }, + "Internal": { + "GCPercent": 100, +- "FlushConnsOnStart": true ++ "FlushConnsOnStart": false + } + } diff --git a/patches/README b/patches/README new file mode 100644 index 0000000..80c1584 --- /dev/null +++ b/patches/README @@ -0,0 +1,3 @@ +0xxx: Grabbed from upstream development. +1xxx: Possibly relevant for upstream adoption. +2xxx: Only relevant for official Debian release. diff --git a/patches/series b/patches/series new file mode 100644 index 0000000..c74a6bc --- /dev/null +++ b/patches/series @@ -0,0 +1,6 @@ +1000-installed-kernel-headers.patch +1020-ebpf-armv8l.patch +1030-systemd-service-earlier.patch +1050-ebpf-s390x.patch +2000-apt-not-pip.patch +2010-no-tcp-flush-on-restart.patch diff --git a/python3-opensnitch-ui.manpages b/python3-opensnitch-ui.manpages new file mode 100644 index 0000000..3392b6a --- /dev/null +++ b/python3-opensnitch-ui.manpages @@ -0,0 +1 @@ +debian/man/opensnitch-ui.1 diff --git a/python3-opensnitch-ui.postinst b/python3-opensnitch-ui.postinst new file mode 100755 index 0000000..dea2517 --- /dev/null 
+++ b/python3-opensnitch-ui.postinst @@ -0,0 +1,27 @@ +#!/bin/sh +set -e + +autostart_by_default() +{ + deskfile=/etc/xdg/autostart/opensnitch_ui.desktop + if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then + ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/ + fi +} + +if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then + gtk-update-icon-cache --quiet /usr/share/icons/hicolor/ +fi + +case "$1" in + configure) + # first install + if [ -z $2 ]; then + autostart_by_default + elif dpkg --compare-versions "$2" le "1.5.7-2"; then + autostart_by_default + fi + ;; +esac + +#DEBHELPER# diff --git a/python3-opensnitch-ui.postrm b/python3-opensnitch-ui.postrm new file mode 100755 index 0000000..cb17ba5 --- /dev/null +++ b/python3-opensnitch-ui.postrm @@ -0,0 +1,16 @@ +#!/bin/sh +set -e + +case "$1" in + purge) + deskfile=/etc/xdg/autostart/opensnitch_ui.desktop + if [ -f $deskfile -o -h $deskfile ];then + rm -f /etc/xdg/autostart/opensnitch_ui.desktop + fi + ;; + remove) + pkill -15 opensnitch-ui || true + ;; +esac + +#DEBHELPER# diff --git a/rules b/rules new file mode 100755 index 0000000..d516373 --- /dev/null +++ b/rules 
@@ -0,0 +1,68 @@ +#!/usr/bin/make -f +export DH_VERBOSE = 1 +export DESTDIR := $(shell pwd)/debian/opensnitch +export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui +export EBPFDESTDIR := $(shell pwd)/debian/opensnitch-ebpf-modules + +ifeq ($(DEB_BUILD_ARCH),amd64) + WITH_EBPF := true +else ifeq ($(DEB_BUILD_ARCH),arm64) + WITH_EBPF := true +else ifeq ($(DEB_BUILD_ARCH),riscv64) + WITH_EBPF := true +else ifeq ($(DEB_BUILD_ARCH),s390x) + WITH_EBPF := true +else ifeq ($(DEB_BUILD_ARCH),loong64) + WITH_EBPF := true +else ifeq ($(DEB_BUILD_ARCH),ppc64) + WITH_EBPF := true +else + WITH_EBPF := false +endif + +override_dh_installsystemd: + dh_installsystemd --restart-after-upgrade + +override_dh_auto_build: + $(MAKE) protocol +# Workaround for Go build problem when building in _build + mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/ + cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/ + dh_auto_build + cd ui && python3 setup.py build --force + if $(WITH_EBPF) ; then make -C ebpf_prog; fi + +override_dh_auto_install: +# daemon + mkdir -p $(DESTDIR)/usr/bin + cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd +# GUI + make -C ui/i18n + cp -r ui/i18n/locales/ ui/opensnitch/i18n/ + pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc + sed -i 's/^import ui_pb2/from . 
import ui_pb2/' ui/opensnitch/ui_pb2* + cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb + +# ebpf modules + if $(WITH_EBPF); then \ + mkdir -p $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf ; \ + make -C ebpf_prog && cp ebpf_prog/opensnitch*o $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf/ ; \ + fi + +# daemon + dh_auto_install + +%: + dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3 + +override_dh_auto_clean: + dh_auto_clean + $(MAKE) clean + $(RM) daemon/ui/protocol/ui_grpc.pb.go + $(RM) ui/opensnitch/resources_rc.py + $(RM) -r ui/opensnitch/i18n/ + $(RM) ui/i18n/locales/*/*.qm + cd ui && python3 setup.py clean -a + $(RM) -r ui/opensnitch_ui.egg-info/ + find ui -name \*.pyc -exec rm {} \; + $(MAKE) -C ebpf_prog/ clean diff --git a/source/format b/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/source/options b/source/options new file mode 100644 index 0000000..bcc4bbb --- /dev/null +++ b/source/options @@ -0,0 +1 @@ +extend-diff-ignore="\.egg-info$" \ No newline at end of file diff --git a/tests/control b/tests/control new file mode 100644 index 0000000..c9752e7 --- /dev/null +++ b/tests/control @@ -0,0 +1,7 @@ +Tests: test-resources.sh +Depends: opensnitch +Restrictions: superficial + +Tests: test-fw-rules.sh +Depends: nftables, opensnitch +Restrictions: needs-root diff --git a/tests/test-fw-rules.sh b/tests/test-fw-rules.sh new file mode 100755 index 0000000..a03f00e --- /dev/null +++ b/tests/test-fw-rules.sh 
@@ -0,0 +1,31 @@ +#!/bin/sh +set -e + +retval=0 + +# for some reason, go.exec.LookPath() fails to obtain the path of iptables +# on the ci environment, even if $PATH is set correctly. +echo "[+] PATH: $PATH" + +log="/var/log/opensnitchd.log" + +if [ -f /proc/modules ]; then + echo "[+] loaded modules:" + cat /proc/modules +fi + +if [ -f $log ]; then + echo "[+] opensnitchd log:" + cat $log +fi + +nft list ruleset +if nft list ruleset | \ + grep -q "ct state related,new queue flags bypass to 0" ; then + echo "[+] Interception rule (nftables): OK" +else + echo "[!] Interception rule (nftables): Missing" + retval=1 +fi + +exit $retval diff --git a/tests/test-resources.sh b/tests/test-resources.sh new file mode 100755 index 0000000..560d7c5 --- /dev/null +++ b/tests/test-resources.sh @@ -0,0 +1,13 @@ +#!/bin/sh +set -e + +ophome="/etc/opensnitchd" + +ls -dl $ophome 1>/dev/null +echo "installed OK: $ophome" +ls -l $ophome/system-fw.json 1>/dev/null +echo "installed OK: $ophome/system-fw.json" +ls -l $ophome/default-config.json 1>/dev/null +echo "installed OK: $ophome/default-config.json" +ls -dl $ophome/rules 1>/dev/null +echo "installed OK: $ophome/rules/" diff --git a/upstream/metadata b/upstream/metadata new file mode 100644 index 0000000..556a1cf --- /dev/null +++ b/upstream/metadata @@ -0,0 +1,9 @@ +--- +Name: opensnitch +Bug-Database: https://github.com/evilsocket/opensnitch/issues +Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new +Contact: Gustavo Iñiguez Goia +Documentation: https://github.com/evilsocket/opensnitch/wiki +CPE: cpe:/a:evilsocket:opensnitch +Repository: https://github.com/evilsocket/opensnitch.git +Repository-Browse: https://github.com/evilsocket/opensnitch diff --git a/watch b/watch new file mode 100644 index 0000000..383dd73 --- /dev/null +++ b/watch 
@@ -0,0 +1,4 @@ +version=4 +opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\ +uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \ + https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz
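Review bot: In man/opensnitch-ebpf-modules.1 the SEE ALSO link `https://github.com/evilsocket/opensnitch/ebpf_prog/` is not a valid GitHub path (a directory link needs the `/tree/<branch>/` component, e.g. `https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog`), and the `.TH` line still says `opensnitch-ebpf-modules 1.5.9` / `2023-06-07` although the packaged sources are 1.6.x (see the `opensnitch-1.6.8` paths in patches/2000-apt-not-pip.patch); update both. The DESCRIPTION calls the objects "eBPF kernel modules"; they are eBPF programs loaded by the daemon (the lintian override in this same import names them `opensnitch-dns.o`, `opensnitch-procs.o`, `opensnitch.o` under /usr/lib/opensnitchd/ebpf/), so "eBPF programs" would be the accurate term for readers wondering whether a kernel module is loaded. The KNOWN BUGS section points at a script URL without explaining what it does; one sentence ("a systemd sleep hook that restarts opensnitchd on resume") would save users a trip to GitHub.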
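Review bot: In man/opensnitch-ui.1 the OPTIONS entries are written `.BI "\--socket " path` and `.BI "\--max-clients " num`; only the first dash is escaped, so groff may render the second as a hyphen rather than a minus and the text is not copy-pasteable as `--socket`. Write them `.BI "\-\-socket " path` and `.BI "\-\-max-clients " num`, matching the `.OP \-\-socket path` form already used in the SYNOPSIS. The `--socket` description deserves a stronger statement than "for better privacy": the default `unix:///tmp/osui.sock` lives in a world-writable shared directory, so the per-user runtime path `unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock` should be recommended as the normal choice, and the `"[::]:50051"` example should say explicitly that it accepts connections from any host on every interface, so it belongs behind a firewall or on a trusted network. The `.TH` version `opensnitchd 1.5.9` and date `2023-06-07` are stale, and HISTORY has the typo "esential" (essential).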
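Review bot: In man/opensnitchd.1 the SYNOPSIS and OPTIONS sections disagree: the SYNOPSIS lists `.OP \-error`, but OPTIONS has no `-error` entry (only `-debug`, `-warning`, `-important`), and the SYNOPSIS argument name `\-process-monitor-method name` does not match the OPTIONS entry `"\-process-monitor-method " method`. The SYNOPSIS also uses the repeatable-option macro `.OM` for `-log-file`, `-mem-profile`, `-process-monitor-method`, `-queue-num`, `-ui-socket` and `-workers`, which are all single-valued settings; `.OP` is the right macro, otherwise the rendered `[...]` suggests they can be given several times. In FILES, the `/etc/opensnitchd/system-fw.json` entry opens `.RS` and then switches to `.TP` without a closing `.RE`; use `.RE` and a plain paragraph, and fix "Firewall rules defined here bypasses" to "bypass". The `-rules-path` default `"rules"` is a relative path resolved against the daemon's working directory, which differs from the `/etc/opensnitchd/rules/` listed under FILES and passed by the service unit; say so, or users launching the daemon by hand (as the DIAGNOSTICS steps suggest) may end up with rules written to an unexpected directory. Same stale `.TH` version/date and "esential" typo as the other two man pages.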
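Review bot: In opensnitch.init the script has a `#!/bin/sh` shebang but uses the bash-only redirection `mkdir -p /etc/$NAME/rules &>/dev/null`; under dash this parses as `mkdir ... &` (backgrounded) followed by an empty command redirected to /dev/null, so the directory may not exist yet when start-stop-daemon runs. Use `mkdir -p /etc/$NAME/rules >/dev/null 2>&1`. The pidfile handling is also inconsistent: `start` passes `--pidfile $OPENSNITCHDPID --background` without `--make-pidfile`, and nothing on this page shows opensnitchd writing its own pidfile, so `$OPENSNITCHDPID` is never created; `reload` then relies on `--pidfile $OPENSNITCHDPID` and will not find the process, while `stop` falls back to `--name $NAME`. Add `--make-pidfile` to the start invocation (or use `--name` consistently), and prefer `/run/$NAME` over the legacy `/var/run/$NAME` for `PIDDIR`. The `stop` branch's `ps h \`cat $OPENSNITCHDPID\`` should quote the pid and use `kill -0` or `start-stop-daemon --status` rather than parsing ps.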
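Review bot: opensnitch.service and patches/1030-systemd-service-earlier.patch contradict each other. The patch changes the upstream daemon/opensnitchd.service to `DefaultDependencies=no`, `Before=network-pre.target shutdown.target`, `Wants=network-pre.target`, `OOMScoreAdjust=-1000` and `WantedBy=basic.target`, but the unit that dh_installsystemd actually installs is debian/opensnitch.service, which still has `Wants=network.target`, `After=network.target`, `WantedBy=multi-user.target` and no `OOMScoreAdjust=`. As shipped, the daemon starts after the network is up and remains a normal OOM-killer candidate, so the protection the patch describes does not reach installed systems. Either carry the same directives in debian/opensnitch.service or drop the patch. Two smaller points in the same file: `Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki` differs from the `https://github.com/evilsocket/opensnitch/wiki` URL used in the man pages and upstream/metadata, and `PermissionsStartOnly=true` is deprecated in favour of the `ExecStartPre=+/bin/mkdir ...` prefix (it is also a no-op here since no `User=` is set).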
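Review bot: In patches/1000-installed-kernel-headers.patch the new `KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort | tail -1 | cut -d/ -f4)` picks the kernel with `sort`, which is lexical: with 6.1.x and 6.12.x headers installed, `6.1.90-1` sorts after `6.12.0-1`, so the older kernel wins. Use `sort -V` so the newest version is selected, and consider failing the build with a clear message when the glob matches nothing (the current expression yields an empty `KERNEL_VER` and the later include paths silently become `/lib/modules//source`).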
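Review bot: patches/2010-no-tcp-flush-on-restart.patch flips `"FlushConnsOnStart"` to `false` but the Description only states the benefit; it should also record the trade-off, namely that connections already established before opensnitchd (re)starts are not reset and so are never presented to the rule engine for a fresh decision. That is the behaviour a user choosing between the two settings needs to know, and it belongs in the Description (and ideally in opensnitchd.1) rather than only in the linked issue. The header also has `Last-update: 2025-05-26`, a date after both the diff timestamps (2025-04-26) and this upload; it looks like a typo for 2025-04-26, and the DEP-3 field name is spelled `Last-Update` in the other patches. Minor: "flush al TCP connections" and "This avoid killing" should read "all" and "This avoids".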
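Review bot: In patches/2000-apt-not-pip.patch the first hunk replaces the pip hint with `apt install protobuf-api-32-0`; please confirm that package name against the archive, since the Python protobuf bindings that `ui/opensnitch/dialogs/firewall_rule.py` imports are shipped as `python3-protobuf` in Debian, and a message pointing at a wrong or unrelated package sends users back to pip. The other two hunks (`apt install python3-qt-material`) are consistent with each other; it would be worth a comment in the patch header noting that the package depends on the Debian package name staying stable, since these strings are user-facing and not tested.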
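Review bot: In debian/rules the `WITH_EBPF` selection is keyed on `DEB_BUILD_ARCH`, which is the architecture of the build machine; for cross builds the architecture being built for is `DEB_HOST_ARCH`, so an amd64 builder cross-compiling for an arch that is not in the list would still try to build the eBPF objects, and a cross build for amd64 from an unlisted arch would skip them. Switch the `ifeq` chain to `$(DEB_HOST_ARCH)`. Also, `override_dh_auto_build` runs `make -C ebpf_prog` and `override_dh_auto_install` runs `make -C ebpf_prog` again before copying the objects; the second invocation is redundant and, if the first failed silently, would mask it. Drop it from install and keep only the `cp`.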
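Review bot: In python3-opensnitch-ui.postinst the first-install test `if [ -z $2 ]` leaves `$2` unquoted; with `set -e` it happens to work because `[ -z ]` evaluates the string "-z" as non-empty, but it should be `if [ -z "$2" ]` so the intent is what actually runs. The `test -d ... -a ! -h ... -a ! -f ...` chain uses the obsolescent `-a` operator; `[ -d /etc/xdg/autostart ] && [ ! -h "$deskfile" ] && [ ! -f "$deskfile" ]` is the portable form, and the same applies to `-o` in postrm's `[ -f $deskfile -o -h $deskfile ]`. Since `ln -s` has no `-f`, the guard is what prevents a failure on re-run, so quoting `$deskfile` matters there too.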
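Review bot: In opensnitch.logrotate the comment "order of the fields is important" is misleading: logrotate directives are not order-sensitive within a block, so the comment should explain what the author actually means (presumably that `copytruncate` is needed because the daemon keeps the file open). With `copytruncate` in effect the original file is truncated in place and never recreated, so `create 640 root root` has no effect; either drop `create` or, if the intention is to enforce 0640 on the log (it records process and connection details and should not be world-readable), note that the mode is set by the daemon at creation time instead.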