From 9ae3b8ea74b9b328b6cd4f09d35e0071f7a7f010 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Gustavo=20I=C3=B1iguez=20Goya?= Date: Mon, 6 Mar 2023 12:37:24 +0100 Subject: [PATCH] Import opensnitch_1.5.8.1-1.debian.tar.xz [dgit import tarball opensnitch 1.5.8.1-1 opensnitch_1.5.8.1-1.debian.tar.xz] --- changelog | 326 +++++++++++++++++++++++++++++++++ control | 93 ++++++++++ copyright | 203 ++++++++++++++++++++ gbp.conf | 2 + gitlab-ci.yml | 27 +++ man/opensnitch-ui.1 | 107 +++++++++++ man/opensnitchd.1 | 177 ++++++++++++++++++ opensnitch.init | 78 ++++++++ opensnitch.install | 3 + opensnitch.logrotate | 13 ++ opensnitch.manpages | 1 + opensnitch.service | 16 ++ python3-opensnitch-ui.manpages | 1 + python3-opensnitch-ui.postinst | 27 +++ python3-opensnitch-ui.postrm | 16 ++ rules | 42 +++++ source/format | 1 + source/options | 1 + tests/control | 7 + tests/test-fw-rules.sh | 27 +++ tests/test-resources.sh | 13 ++ upstream/metadata | 9 + watch | 4 + 23 files changed, 1194 insertions(+) create mode 100644 changelog create mode 100644 control create mode 100644 copyright create mode 100644 gbp.conf create mode 100644 gitlab-ci.yml create mode 100644 man/opensnitch-ui.1 create mode 100644 man/opensnitchd.1 create mode 100644 opensnitch.init create mode 100644 opensnitch.install create mode 100644 opensnitch.logrotate create mode 100644 opensnitch.manpages create mode 100644 opensnitch.service create mode 100644 python3-opensnitch-ui.manpages create mode 100755 python3-opensnitch-ui.postinst create mode 100755 python3-opensnitch-ui.postrm create mode 100755 rules create mode 100644 source/format create mode 100644 source/options create mode 100644 tests/control create mode 100755 tests/test-fw-rules.sh create mode 100755 tests/test-resources.sh create mode 100644 upstream/metadata create mode 100644 watch diff --git a/changelog b/changelog new file mode 100644 index 0000000..5acbeb1 --- /dev/null +++ b/changelog 
@@ -0,0 +1,326 @@ +opensnitch (1.5.8.1-1) unstable; urgency=medium + + * New upstream release. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Mon, 06 Mar 2023 12:37:24 +0100 + +opensnitch (1.5.8-2) unstable; urgency=medium + + * Upload to unstable. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 21 Feb 2023 21:26:21 +0100 + +opensnitch (1.5.8-1) experimental; urgency=medium + + * New upstream release. + + [ Gustavo Iñiguez Goia ] + * ui: added 64x64 icon. + * Added missing entry for GUI manual page. + * Updated appstream Summary field. + * Removed ftrace dependency from d/control. + * ui: updated appstream Summary field. + * Updated d/control Description. + + [ Petter Reinholdtsen ] + * Added appstream content rating, no restrictions. + * Corrected appstream icon name. + * Documented appstream metadata license in d/copyright. + * Place manual pages in correct packages. + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Sun, 19 Feb 2023 10:26:46 +0100 + +opensnitch (1.5.7-3) experimental; urgency=medium + + [ Gustavo Iñiguez Goia ] + * fixed /etc/xdg/autostart/ link + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Wed, 15 Feb 2023 22:41:19 +0100 + +opensnitch (1.5.7-2) experimental; urgency=medium + + [ Gustavo Iñiguez Goia ] + * added opensnitchd manual page + * added new manual page, updated opensnitchd.1 + * improved debian/tests/ + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Mon, 13 Feb 2023 12:43:19 +0100 + +opensnitch (1.5.7-1) unstable; urgency=medium + + * New upstream release + + [ Gustavo Iñiguez Goia ] + * Set test-fw-rules.sh as flaky. + * Make test-fw-rules.sh more verbose. + + [ Petter Reinholdtsen ] + * Fixed typo in nb comment of desktop file. + * Added appstream desktop category to metadata XML. + + * Upload sponsored by Petter Reinholdtsen. 
+ + -- Gustavo Iñiguez Goya Fri, 10 Feb 2023 13:28:23 +0100 + +opensnitch (1.5.6-1) unstable; urgency=medium + + * New upstream release + + [ Gustavo Iñiguez Goia ] + * tests: removed Architecture: restriction + * changed Maintainer: field to team+pkg-go + * added new test + * added Uploaders field + * updated Vcs* fields + + [ Petter Reinholdtsen ] + * Added Debian package relation between opensnitch and + python3-opensnitch-ui. + * Handle autopkgtest scripts differently, as they have different + requirements. + + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 07 Feb 2023 21:29:48 +0100 + +opensnitch (1.5.5-1) unstable; urgency=medium + + * New upstream release. + * Bump Standards-Version to 4.6.2. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Wed, 01 Feb 2023 22:37:12 +0100 + +opensnitch (1.5.4-1) unstable; urgency=high + + * New upstream release. (Closes: #1030115) + * debian/control: + - Updated packages description. + - Removed debconf and whiptail|dialog dependencies. + - Added xdg-user-dirs, gtk-update-icon-cache dependencies. + - Point Vcs-Git field to the 1.5.0 branch. + * debian/postinst: + - Fixed opensnitch_ui.desktop installation. + - Fixed updating icons cache. + * debian/postrm: + - Fixed removing opensnitch_ui.desktop + * debian/tests/: + - Added autopkgtests. + * Upload sponsored by Petter Reinholdtsen. + + -- Gustavo Iñiguez Goya Tue, 31 Jan 2023 23:48:58 +0100 + +opensnitch (1.5.3-1) unstable; urgency=medium + + * Added debian/upstream/metadata. + * Updated Homepage url. + * Updated Copyright years. + + -- Gustavo-Iniguez-Goya Sun, 22 Jan 2023 21:30:45 +0100 + +opensnitch (1.5.2.1-1) unstable; urgency=medium + + * Initial release. 
(Closes: #909567) + + -- Gustavo-Iniguez-Goya Fri, 20 Jan 2023 22:26:40 +0000 + +opensnitch (1.5.2-1) unstable; urgency=medium + + * try to mount debugfs on boot up + + -- gustavo-iniguez-goya Wed, 27 Jul 2022 17:29:33 +0200 + +opensnitch (1.5.1-1) unstable; urgency=medium + + * Better eBPF cache. + * Fixed error resolving domains to localhost. + * Fixed error deleting our nftables rules. + + -- gustavo-iniguez-goya Fri, 25 Feb 2022 01:21:38 +0100 + +opensnitch (1.5.0-1) unstable; urgency=medium + + * New release. + * Added Reject option. + * New lists types to block ads/malware/... + * Better connections interception. + * Better VPNs handling. + * Bug fixes. + + -- gustavo-iniguez-goya Fri, 28 Jan 2022 23:20:38 +0100 + +opensnitch (1.5.0~rc2-1) unstable; urgency=medium + + * Better connections interception. + * Improvements. + + -- gustavo-iniguez-goya Sun, 16 Jan 2022 23:15:12 +0100 + +opensnitch (1.5.0~rc1-1) unstable; urgency=medium + + * New features. + + -- gustavo-iniguez-goya Thu, 07 Oct 2021 14:57:35 +0200 + +opensnitch (1.4.0-1) unstable; urgency=medium + + * final release. + + -- gustavo-iniguez-goya Fri, 27 Aug 2021 13:33:07 +0200 + +opensnitch (1.4.0~rc4-1) unstable; urgency=medium + + * Bug fix release. + + -- gustavo-iniguez-goya Wed, 11 Aug 2021 15:17:49 +0200 + +opensnitch (1.4.0~rc3-1) unstable; urgency=medium + + * Bug fix release. + + -- gustavo-iniguez-goya Fri, 16 Jul 2021 23:28:52 +0200 + +opensnitch (1.4.0~rc2-1) unstable; urgency=medium + + * Added eBPF support. + * Fixes and improvements. + + -- gustavo-iniguez-goya Fri, 07 May 2021 01:08:02 +0200 + +opensnitch (1.4.0~rc-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Thu, 25 Mar 2021 01:02:31 +0100 + +opensnitch (1.3.6-1) unstable; urgency=medium + + * Bug fix and improvements release. + + -- gustavo-iniguez-goya Wed, 10 Feb 2021 10:17:43 +0100 + +opensnitch (1.3.5-1) unstable; urgency=medium + + * Bug fix and improvements release. 
+ + -- gustavo-iniguez-goya Mon, 11 Jan 2021 18:01:53 +0100 + +opensnitch (1.3.0-1) unstable; urgency=medium + + * Fixed how we check rules + * Fixed cpu spike after disable interception. + * Fixed cleaning up fw rules on exit. + * make regexp rules case-insensitive by default + * allow to filter by dst network. + + -- gustavo-iniguez-goya Wed, 16 Dec 2020 01:15:03 +0100 + +opensnitch (1.3.0~rc-1) unstable; urgency=medium + + * Non-maintainer upload. + + -- gustavo-iniguez-goya Fri, 13 Nov 2020 00:51:34 +0100 + +opensnitch (1.2.0-1) unstable; urgency=medium + + * Fixed memleaks. + * Sort rules by name + * Added priority field to rules. + * Other fixes + + -- gustavo-iniguez-goya Mon, 09 Nov 2020 22:55:13 +0100 + +opensnitch (1.0.1-1) unstable; urgency=medium + + * Fixed app exit when IPv6 is not supported. + * Other fixes. + + -- gustavo-iniguez-goya Thu, 30 Jul 2020 21:56:20 +0200 + +opensnitch (1.0.0-1) unstable; urgency=medium + + * v1.0.0 released. + + -- gustavo-iniguez-goya Thu, 16 Jul 2020 00:19:26 +0200 + +opensnitch (1.0.0rc11-1) unstable; urgency=medium + + * Fixed multiple race conditions. + * Fixed CWD parsing when using audit proc monitor method. + + -- gustavo-iniguez-goya Wed, 24 Jun 2020 00:10:38 +0200 + +opensnitch (1.0.0rc10-1) unstable; urgency=medium + + * Fixed checking UID functions availability. + * Improved process path parsing. + * Fixed applying config from the UI. + * Fixed default log level. + * Gather CWD and process environment vars. + * Increase default timeout when asking for a rule. + + -- gustavo-iniguez-goya Sat, 13 Jun 2020 18:45:02 +0200 + +opensnitch (1.0.0rc9-1) unstable; urgency=medium + + * Ignore malformed rules from loading. + * Allow to modify and add rules from the UI. + + -- gustavo-iniguez-goya Sun, 17 May 2020 18:18:24 +0200 + +opensnitch (1.0.0rc8) unstable; urgency=medium + + * Allow to change settings from the UI. + * Improved connection handling with the UI. 
+ + -- gustavo-iniguez-goya Wed, 29 Apr 2020 21:52:27 +0200 + +opensnitch (1.0.0rc7-1) unstable; urgency=medium + + * Stability, performance and realiability improvements. + + -- gustavo-iniguez-goya Sun, 12 Apr 2020 23:25:41 +0200 + +opensnitch (1.0.0rc6-1) unstable; urgency=medium + + * Fixed iptables rules deletion. + * Improved PIDs cache. + * Added audit process monitoring method. + * Added logrotate file. + * Added default configuration file. + + -- gustavo-iniguez-goya Sun, 08 Mar 2020 20:47:58 +0100 + +opensnitch (1.0.0rc-5) unstable; urgency=medium + + * Fixed netlink socket querying. + * Added check to reload firewall rules if missing. + + -- gustavo-iniguez-goya Mon, 24 Feb 2020 19:55:06 +0100 + +opensnitch (1.0.0rc-3) unstable; urgency=medium + + * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases + + -- gustavo-iniguez-goya Tue, 18 Feb 2020 10:09:45 +0100 + +opensnitch (1.0.0rc-2) unstable; urgency=medium + + * UI minor changes + * Expand deb package compatibility. + + -- gustavo-iniguez-goya Wed, 05 Feb 2020 21:50:20 +0100 + +opensnitch (1.0.0rc-1) unstable; urgency=medium + + * Initial release + + -- gustavo-iniguez-goya Fri, 22 Nov 2019 01:14:08 +0100 diff --git a/control b/control new file mode 100644 index 0000000..2ae6b71 --- /dev/null +++ b/control 
@@ -0,0 +1,93 @@ +Source: opensnitch +Maintainer: Debian Go Packaging Team +Uploaders: Gustavo Iñiguez Goya +Section: devel +Priority: optional +Build-Depends: + debhelper-compat (= 11), + dh-golang, + dh-python, + golang-any, + golang-github-fsnotify-fsnotify-dev, + golang-github-google-gopacket-dev, + golang-github-google-nftables-dev, + golang-github-iovisor-gobpf-dev, + golang-github-vishvananda-netlink-dev, + golang-golang-x-net-dev, + golang-google-grpc-dev, + golang-goprotobuf-dev, + libmnl-dev, + libnetfilter-queue-dev, + pkg-config, + protoc-gen-go-grpc, + pyqt5-dev-tools, + qttools5-dev-tools, + python3-all, + python3-grpc-tools, + python3-setuptools +Standards-Version: 4.6.2 +Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch +Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git +Homepage: https://github.com/evilsocket/opensnitch +Rules-Requires-Root: no +XS-Go-Import-Path: github.com/evilsocket/opensnitch + +Package: opensnitch +Section: net +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: python3-opensnitch-ui +Built-Using: ${misc:Built-Using} +Description: GNU/Linux interactive application firewall + Whenever a program makes a connection, it'll prompt the user to allow or deny + it. + . + The user can decide if block the outgoing connection based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until the app restart or just one time. + . + The GUI allows the user to view live outgoing connections, as well as search + by process, user, host or port. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. 
+ + +Package: python3-opensnitch-ui +Architecture: all +Section: net +Depends: + ${misc:Depends}, + ${shlibs:Depends}, + libqt5sql5-sqlite, + python3-grpcio, + python3-notify2, + python3-pyinotify, + python3-pyqt5, + python3-pyqt5.qtsql, + python3-setuptools, + python3-six, + python3-slugify, + python3:any, + xdg-user-dirs, + gtk-update-icon-cache +Recommends: + python3-pyasn +Suggests: opensnitch +Description: GNU/Linux interactive application firewall GUI + opensnitch-ui is a GUI for opensnitch written in Python. + It allows the user to view live outgoing connections, as well as search + for details of the intercepted connections. + . + The user can decide if block outgoing connections based on properties of + the connection: by port, by uid, by dst ip, by program or a combination + of them. + . + These rules can last forever, until restart the daemon or just one time. + . + OpenSnitch can also work as a system-wide domains blocker, by using lists + of domains, list of IPs or list of regular expressions. diff --git a/copyright b/copyright new file mode 100644 index 0000000..7054f76 --- /dev/null +++ b/copyright 
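Review bot: The python3-opensnitch-ui stanza is `Architecture: all` yet its Depends lists `${shlibs:Depends}`; that substvar is filled by dh_shlibdeps from ELF binaries, which an arch:all Python package has none of, so as far as I can tell the entry always expands to nothing and can be dropped, leaving `${misc:Depends},` as the only substvar there. The `Homepage:` field names https://github.com/evilsocket/opensnitch while the opensnitch.service unit later in this patch points `Documentation=` at a different GitHub account's wiki; one canonical URL across the packaging avoids a dead link when the fork moves. The sentence `The user can decide if block the outgoing connection based on properties of` appears in both descriptions and reads awkwardly; `The user can decide whether to block the outgoing connection based on properties of` is clearer.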
@@ -0,0 +1,203 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: https://github.com/evilsocket/opensnitch +Upstream-Contact: Gustavo Iñiguez Goia +Upstream-Name: opensnitch +Files-Excluded: + Godeps/_workspace + +Files: * +Copyright: + 2017-2018 evilsocket + 2019-2023 Gustavo Iñiguez Goia +Comment: Debian packaging is licensed under the same terms as upstream +License: GPL-3.0+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this program. If not, If not, see + http://www.gnu.org/licenses/. + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + '/usr/share/common-licenses/GPL-3'. + +Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml +Copyright: + 2023 Gustavo Iñiguez Goia +License: FTL + The FreeType Project LICENSE + ---------------------------- + . + 2006-Jan-27 + . + Copyright 1996-2002, 2006 by + David Turner, Robert Wilhelm, and Werner Lemberg + . + . + . + Introduction + ============ + . + The FreeType Project is distributed in several archive packages; + some of them may contain, in addition to the FreeType font engine, + various tools and contributions which rely on, or relate to, the + FreeType Project. + . + This license applies to all files found in such packages, and + which do not fall under their own explicit license. 
The license + affects thus the FreeType font engine, the test programs, + documentation and makefiles, at the very least. + . + This license was inspired by the BSD, Artistic, and IJG + (Independent JPEG Group) licenses, which all encourage inclusion + and use of free software in commercial and freeware products + alike. As a consequence, its main points are that: + . + o We don't promise that this software works. However, we will be + interested in any kind of bug reports. (`as is' distribution) + . + o You can use this software for whatever you want, in parts or + full form, without having to pay us. (`royalty-free' usage) + . + o You may not pretend that you wrote this software. If you use + it, or only parts of it, in a program, you must acknowledge + somewhere in your documentation that you have used the + FreeType code. (`credits') + . + We specifically permit and encourage the inclusion of this + software, with or without modifications, in commercial products. + We disclaim all warranties covering The FreeType Project and + assume no liability related to The FreeType Project. + . + . + Finally, many people asked us for a preferred form for a + credit/disclaimer to use in compliance with this license. We thus + encourage you to use the following text: + . + """ + Portions of this software are copyright © The FreeType + Project (www.freetype.org). All rights reserved. + """ + . + Please replace with the value from the FreeType version you + actually use. + . + . + Legal Terms + =========== + . + 0. Definitions + -------------- + . + Throughout this license, the terms `package', `FreeType Project', + and `FreeType archive' refer to the set of files originally + distributed by the authors (David Turner, Robert Wilhelm, and + Werner Lemberg) as the `FreeType Project', be they named as alpha, + beta or final release. + . 
+ `You' refers to the licensee, or person using the project, where + `using' is a generic term including compiling the project's source + code as well as linking it to form a `program' or `executable'. + This program is referred to as `a program using the FreeType + engine'. + . + This license applies to all files distributed in the original + FreeType Project, including all source code, binaries and + documentation, unless otherwise stated in the file in its + original, unmodified form as distributed in the original archive. + If you are unsure whether or not a particular file is covered by + this license, you must contact us to verify this. + . + The FreeType Project is copyright (C) 1996-2000 by David Turner, + Robert Wilhelm, and Werner Lemberg. All rights reserved except as + specified below. + . + 1. No Warranty + -------------- + . + THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY + KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO + USE, OF THE FREETYPE PROJECT. + . + 2. Redistribution + ----------------- + . + This license grants a worldwide, royalty-free, perpetual and + irrevocable right and license to use, execute, perform, compile, + display, copy, create derivative works of, distribute and + sublicense the FreeType Project (in both source and object code + forms) and derivative works thereof for any purpose; and to + authorize others to exercise some or all of the rights granted + herein, subject to the following conditions: + . + o Redistribution of source code must retain this license file + (`FTL.TXT') unaltered; any additions, deletions or changes to + the original files must be clearly indicated in accompanying + documentation. 
The copyright notices of the unaltered, + original files must be preserved in all copies of source + files. + . + o Redistribution in binary form must provide a disclaimer that + states that the software is based in part of the work of the + FreeType Team, in the distribution documentation. We also + encourage you to put an URL to the FreeType web page in your + documentation, though this isn't mandatory. + . + These conditions apply to any software derived from or based on + the FreeType Project, not just the unmodified files. If you use + our work, you must acknowledge us. However, no fee need be paid + to us. + . + 3. Advertising + -------------- + . + Neither the FreeType authors and contributors nor you shall use + the name of the other for commercial, advertising, or promotional + purposes without specific prior written permission. + . + We suggest, but do not require, that you use one or more of the + following phrases to refer to this software in your documentation + or advertising materials: `FreeType Project', `FreeType Engine', + `FreeType library', or `FreeType Distribution'. + . + As you have not signed this license, you are not required to + accept it. However, as the FreeType Project is copyrighted + material, only this license, or another one contracted with the + authors, grants you the right to use, distribute, and modify it. + Therefore, by using, distributing, or modifying the FreeType + Project, you indicate that you understand and accept all the terms + of this license. + . + 4. Contacts + ----------- + . + There are two mailing lists related to FreeType: + . + o freetype@nongnu.org + . + Discusses general use and applications of FreeType, as well as + future and wanted additions to the library and distribution. + If you are looking for support, start in this list if you + haven't found anything to help you in the documentation. + . + o freetype-devel@nongnu.org + . 
+ Discusses bugs, as well as engine internals, design issues, + specific licenses, porting, etc. + . + Our home page can be found at + . + https://www.freetype.org diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 0000000..cec628c --- /dev/null +++ b/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +pristine-tar = True diff --git a/gitlab-ci.yml b/gitlab-ci.yml new file mode 100644 index 0000000..91ff7ea --- /dev/null +++ b/gitlab-ci.yml @@ -0,0 +1,27 @@ +# auto-generated, DO NOT MODIFY. +# The authoritative copy of this file lives at: +# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go + +# TODO: publish under debian-go-team/ci +image: stapelberg/ci2 + +test_the_archive: + artifacts: + paths: + - before-applying-commit.json + - after-applying-commit.json + script: + # Create an overlay to discard writes to /srv/gopath/src after the build: + - "rm -rf /cache/overlay/{upper,work}" + - "mkdir -p /cache/overlay/{upper,work}" + - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src" + - "export GOPATH=/srv/gopath" + - "export GOCACHE=/cache/go" + # Build the world as-is: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json" + # Copy this package into the overlay: + - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'" + - "pgt-gopath -dsc /tmp/export/*.dsc" + # Rebuild the world: + - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json" + - "ci-diff before-applying-commit.json after-applying-commit.json" diff --git a/man/opensnitch-ui.1 b/man/opensnitch-ui.1 new file mode 100644 index 0000000..cc2befb --- /dev/null +++ b/man/opensnitch-ui.1 
@@ -0,0 +1,107 @@ +.\" Copyright (c) 2023 Gustavo Iñiguez Goya +.\" All rights reserved. +.\" +.\" SPDX-License-Identifier: GPL-3.0-or-later +.de CW +.sp +.in +4n +.nf +.ft CW +.. +.de CE +.ft R +.fi +.in +.sp +.. +.\" Like .OP, but with ellipsis at the end in order to signify that option +.\" can be provided multiple times. Based on .OP definition in groff's +.\" an-ext.tmac. +.de OM +. ie \\n(.$-1 \ +. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" +. el \ +. RB "[" "\\$1" "]...\&" +.. +.\" Required option. +.de OR +. ie \\n(.$-1 \ +. RI "\fB\\$1\fP" "\ \\$2" +. el \ +. BR "\\$1" +.. +.TH OPENSNITCH-UI 1 "2023-02-12" "opensnitchd 1.5.6" +.SH NAME +opensnitch-ui \- GNU/Linux interactive firewall application +.SH SYNOPSIS +.SY opensnitch-ui +.OP \-\-socket path +.OP \-\-max-clients num +.YS +.SH DESCRIPTION +.LP +opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon, +and to manage the rules. +The GUI is composed of 2 components in the same script: a server and a GUI. +Once the GUI is launched, an icon will appear on the system tray. +If the system tray is not available or can't be used, the Events dialog will +be launched. +.LP +The GUI (i.e.: the server) will listen for new connections from daemons. You +can have the daemon installed on multiple machines, and manage them from a +centralized GUI. https://github.com/evilsocket/opensnitch/wiki/Nodes +.LP +.SH OPTIONS +.TP +.BI "\--socket " path +Specifies the path or network address where the GUI (i.e.: the server) will +listen on. +.PP + Examples: +.PP + Default: unix:///tmp/osui.sock +.PP + - Listening on a Unix socket: + $ opensnitch-ui --socket unix:///tmp/osui.sock + * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy. +.PP + - Listening on port 50051, all interfaces: + $ opensnitch-ui --socket "[::]:50051" +.TP +.BI "\--max-clients " num +Maximum number of clients to allow (default: 10). +.SH FILES +.I /home/$USER/.config/opensnitch/ +.RS +Path of the GUI configuration. 
+.RE +.SH DIAGNOSTICS +If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages: +.LP +.RS +$ opensnitch-ui +.RE +.SH REPORTING BUGS +Problems with +.B opensnitch-ui +should be reported on github https://github.com/evilsocket/opensnitch/issues +.UR https://github.com/evilsocket/opensnitch/issues +.SH "SEE ALSO" +.PP +.UR https://github.com/evilsocket/opensnitch +.B OpenSnitch +Home Page +.UE +.LP +.SH HISTORY +.B OpenSnitch +was originally written by Simone Margaritelli (evilsocket) in 2017-2018. +.LP +In 2019, after some time of inactivity, Gustavo Iñiguez Goya started +contributing, fixing bugs and adding new functionality, with +the esential help of the community, and valuable contributions from themighty1 and +calesanz among others. +.SH AUTHORS +The complete list of +.B OpenSnitch +contributors can be found on https://github.com/evilsocket/opensnitch diff --git a/man/opensnitchd.1 b/man/opensnitchd.1 new file mode 100644 index 0000000..1e92934 --- /dev/null +++ b/man/opensnitchd.1 
@@ -0,0 +1,177 @@ +.\" Copyright (c) 2023 Gustavo Iñiguez Goya +.\" All rights reserved. +.\" +.\" SPDX-License-Identifier: GPL-3.0-or-later +.de CW +.sp +.in +4n +.nf +.ft CW +.. +.de CE +.ft R +.fi +.in +.sp +.. +.\" Like .OP, but with ellipsis at the end in order to signify that option +.\" can be provided multiple times. Based on .OP definition in groff's +.\" an-ext.tmac. +.de OM +. ie \\n(.$-1 \ +. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" +. el \ +. RB "[" "\\$1" "]...\&" +.. +.\" Required option. +.de OR +. ie \\n(.$-1 \ +. RI "\fB\\$1\fP" "\ \\$2" +. el \ +. BR "\\$1" +.. +.TH OPENSNITCHD 1 "2023-02-12" "opensnitchd 1.5.6" +.SH NAME +opensnitchd \- GNU/Linux interactive firewall application +.SH SYNOPSIS +.SY opensnitchd +.OP \-rules-path path +.OP \-cpu-profile path +.OP \-debug +.OP \-error +.OP \-warning +.OP \-important +.OM \-log-file path +.OM \-mem-profile path +.OP \-no-live-reload +.OM \-process-monitor-method name +.OM \-queue-num num +.OM \-ui-socket path +.OP \-version +.OM \-workers num +.YS +.SH DESCRIPTION +.LP +opensnitchd is the OpenSnitch agent that intercepts outbound connections, +and send them to the server. The server can be a GUI, a TUI, or a +.I headless +component to just log the network activity (a SIEM for example). +By default it'll allow all connections, creating temporal rules for you +so you can review them later. +.LP +.SH OPTIONS +.TP +.BI "\-rules-path " path +Specifies where the rules will be written to. Default "rules". +.TP +.BI "\-cpu-profile " path +A file path where the CPU data for later use will be written. +.TP +.BI "\-debug" +Set LogLevel to DEBUG. +.TP +.BI "\-warning" +Set LogLevel to WARNING. +.TP +.BI "\-important" +Set LogLevel to IMPORTANT. +.TP +.BI "\-log-file " path +A file path where the logs will be written to. This path can be a device file, +like /dev/stdout to print logs to standard output. +.TP +.BI "\-mem-profile " path +A file path where the memory data will be written once the daemon exits. 
+.TP +.BI "\-no-live-reload" +By default daemon's rules and configuration is reloaded whenever it changes. +This option disables this feature. +.TP +.BI "\-process-monitor-method " method +Force process monitor method, overriding what is defined in the configuration. +Valid methods: ebpf, audit, proc +.TP +.BI "\-queue-num " num +Force to use this netfilter queue num. The default queue number is 0, but if +it's already used by other software, you can set another queue number here. +.TP +.BI "\-ui-socket " path +Force to use this socket path, instead of the one defined in the configuration. +The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051") +.RS +(https://github.com/grpc/grpc/blob/master/doc/naming.md) +.RE +.TP +.BI "\-version" +Prints out daemon version. +.TP +.BI "\-workers " num +Change maximum number of workers to process outbound connections. +By default 16 workers are launched, but if it's not enough increase this number. +.SH FILES +.I /etc/opensnitchd/rules/ +.RS +Default daemon directory rules. +.RE +.I /etc/opensnitchd/default-config.json +.RS +Default daemon configuration. +.RE +.I /etc/opensnitchd/system-fw.json +.RS +Configuration of system firewall rules (iptables/nftables). +.TP +Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services. +.SH DIAGNOSTICS +OpenSnitch needs at least one firewall rule to intercept outbound connections: +.LP +iptables -t mangle -L OUTPUT | grep NFQUEUE +.RS +NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass +.RE +.LP +If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it, +using the GUI enable the option +.I [x] Debug invalid connections +under Preferences -> Nodes. +Or set the configuration option +.B InterceptUnknown +to true. +.LP +.I Tip: +You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon. 
+.LP +Another way of debugging errors is by launching the daemon from the command line: +.IP +.PD 0 +.IP 1. 4 +Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration) +.IP 2. 4 +Stop the daemon: systemctl stop opensnitch +.IP 3. 4 +Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/ +.PD +.LP +.SH REPORTING BUGS +Problems with +.B opensnitchd +should be reported on github https://github.com/evilsocket/opensnitch/issues +.UR https://github.com/evilsocket/opensnitch/issues +.SH HISTORY +.B OpenSnitch +was originally written by Simone Margaritelli (evilsocket) in 2017-2018. +.LP +In 2019, after some time of inactivity, Gustavo Iñiguez Goya started +contributing, fixing bugs and adding new functionality, with +the esential help of the community, and valuable contributions from themighty1 and +calesanz among others. +.SH "SEE ALSO" +.PP +.UR https://github.com/evilsocket/opensnitch +.B OpenSnitch +Home Page +.UE +.SH AUTHORS +The complete list of +.B OpenSnitch +contributors can be found on https://github.com/evilsocket/opensnitch diff --git a/opensnitch.init b/opensnitch.init new file mode 100644 index 0000000..77ce353 --- /dev/null +++ b/opensnitch.init 
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: opensnitchd
+# Required-Start: $network $local_fs
+# Required-Stop: $network $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: opensnitchd daemon
+# Description: opensnitch application firewall
+### END INIT INFO
+
+NAME=opensnitchd
+PIDDIR=/var/run/$NAME
+OPENSNITCHDPID=$PIDDIR/$NAME.pid
+
+# clear conflicting settings from the environment
+unset TMPDIR
+
+test -x /usr/bin/$NAME || exit 0
+
+. /lib/lsb/init-functions
+
+case $1 in
+ start)
+ log_daemon_msg "Starting opensnitch daemon" $NAME
+ if [ ! -d /etc/$NAME/rules ]; then
+ mkdir -p /etc/$NAME/rules &>/dev/null
+ fi
+
+ # Make sure we have our PIDDIR, even if it's on a tmpfs
+ install -o root -g root -m 755 -d $PIDDIR
+
+ if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then
+ log_end_msg 1
+ exit 1
+ fi
+
+ log_end_msg 0
+ ;;
+ stop)
+
+ log_daemon_msg "Stopping $NAME daemon" $NAME
+
+ start-stop-daemon --stop --quiet --signal QUIT --name $NAME
+ # Wait a little and remove stale PID file
+ sleep 1
+ if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null
+ then
+ rm -f $OPENSNITCHDPID
+ fi
+
+ log_end_msg 0
+
+ ;;
+ reload)
+ log_daemon_msg "Reloading $NAME" $NAME
+
+ start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID
+
+ log_end_msg 0
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status_of_proc /usr/bin/$NAME $NAME
+ exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/opensnitch.install b/opensnitch.install
new file mode 100644
index 0000000..751664c
--- /dev/null
+++ b/opensnitch.install
@@ -0,0 +1,3 @@
+daemon/default-config.json etc/opensnitchd/
+daemon/system-fw.json etc/opensnitchd/
+#ebpf_prog/opensnitch.o etc/opensnitchd/
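Review bot: The start branch's `mkdir -p /etc/$NAME/rules &>/dev/null` uses the bash-only `&>` operator under a `#!/bin/sh` shebang; a POSIX sh such as dash reads it as `mkdir -p /etc/$NAME/rules &` followed by a bare `>/dev/null`, so the rules directory is created in the background and the daemon may be started before it exists. The portable spelling is `mkdir -p /etc/$NAME/rules >/dev/null 2>&1`. In the stop branch the result of `start-stop-daemon --stop` is discarded and `log_end_msg 0` is reported unconditionally; capturing its status (`rv=0; start-stop-daemon --stop --quiet --signal QUIT --name $NAME || rv=$?` then `log_end_msg $rv`) would make a failed stop visible to the operator. The stale-PID check could also use `$(cat "$OPENSNITCHDPID")` instead of backticks and quote the path, matching the rest of the packaging scripts.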
diff --git a/opensnitch.logrotate b/opensnitch.logrotate
new file mode 100644
index 0000000..7e1d486
--- /dev/null
+++ b/opensnitch.logrotate
@@ -0,0 +1,13 @@
+/var/log/opensnitchd.log {
+ rotate 7
+# order of the fields is important
+ maxsize 50M
+# we need this option in order to keep logging
+ copytruncate
+ missingok
+ notifempty
+ delaycompress
+ compress
+ create 640 root root
+ weekly
+}
diff --git a/opensnitch.manpages b/opensnitch.manpages
new file mode 100644
index 0000000..89a1536
--- /dev/null
+++ b/opensnitch.manpages
@@ -0,0 +1 @@
+debian/man/opensnitchd.1
diff --git a/opensnitch.service b/opensnitch.service
new file mode 100644
index 0000000..8d1b52f
--- /dev/null
+++ b/opensnitch.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenSnitch is a GNU/Linux application firewall.
+Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki
+Wants=network.target
+After=network.target
+
+[Service]
+Type=simple
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules
+ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/python3-opensnitch-ui.manpages b/python3-opensnitch-ui.manpages
new file mode 100644
index 0000000..3392b6a
--- /dev/null
+++ b/python3-opensnitch-ui.manpages
@@ -0,0 +1 @@
+debian/man/opensnitch-ui.1
diff --git a/python3-opensnitch-ui.postinst b/python3-opensnitch-ui.postinst
new file mode 100755
index 0000000..dea2517
--- /dev/null
+++ b/python3-opensnitch-ui.postinst
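Review bot: In the opensnitch.service hunk, `Documentation=` points at the gustavo-iniguez-goya fork's wiki while the rest of this packaging (the upstream/metadata `Documentation:` field and the man page) refers to https://github.com/evilsocket/opensnitch, so the unit should use `Documentation=https://github.com/evilsocket/opensnitch/wiki` for consistency. `PermissionsStartOnly=true` only matters when the service drops privileges with `User=`/`Group=`, which this unit does not set, and the directive is deprecated in favour of the `ExecStartPre=+…` prefix; it can be dropped without changing behaviour. Unless the daemon is expected to write rules there itself, consider whether `ExecStartPre=/bin/mkdir -p` is still needed given the init script and postinst already create `/etc/opensnitchd/rules`.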
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+autostart_by_default()
+{
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then
+ ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/
+ fi
+}
+
+if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then
+ gtk-update-icon-cache --quiet /usr/share/icons/hicolor/
+fi
+
+case "$1" in
+ configure)
+ # first install
+ if [ -z $2 ]; then
+ autostart_by_default
+ elif dpkg --compare-versions "$2" le "1.5.7-2"; then
+ autostart_by_default
+ fi
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/python3-opensnitch-ui.postrm b/python3-opensnitch-ui.postrm
new file mode 100755
index 0000000..cb17ba5
--- /dev/null
+++ b/python3-opensnitch-ui.postrm
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ purge)
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -f $deskfile -o -h $deskfile ];then
+ rm -f /etc/xdg/autostart/opensnitch_ui.desktop
+ fi
+ ;;
+ remove)
+ pkill -15 opensnitch-ui || true
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/rules b/rules
new file mode 100755
index 0000000..72f3a4d
--- /dev/null
+++ b/rules
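Review bot: The first-install test in the postinst's `configure)` arm, `if [ -z $2 ]`, leaves `$2` unquoted, so on a fresh install `test` sees the single word `-z` and only happens to evaluate true by the one-argument rule; it should read `if [ -z "$2" ]; then`. The same hunk's `autostart_by_default` and the postrm's `purge)` arm use the obsolescent `-a`/`-o` test operators with unquoted `$deskfile`; the POSIX-clean forms are `if [ -d /etc/xdg/autostart ] && [ ! -h "$deskfile" ] && [ ! -f "$deskfile" ]; then` and `if [ -f "$deskfile" ] || [ -h "$deskfile" ]; then`. A one-line comment above `autostart_by_default` saying that it enables the GUI autostart for every desktop session on the host, and that the `le "1.5.7-2"` branch is a one-off migration, would help the next maintainer judge whether re-creating the link on upgrade is still wanted.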
@@ -0,0 +1,42 @@
+#!/usr/bin/make -f
+export DH_VERBOSE = 1
+export DESTDIR := $(shell pwd)/debian/opensnitch
+export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui
+
+override_dh_installsystemd:
+ dh_installsystemd --restart-after-upgrade
+
+override_dh_auto_build:
+ $(MAKE) protocol
+# Workaround for Go build problem when building in _build
+ mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ dh_auto_build
+ cd ui && python3 setup.py build --force
+
+override_dh_auto_install:
+# daemon
+ mkdir -p $(DESTDIR)/usr/bin
+ cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd
+# GUI
+ make -C ui/i18n
+ cp -r ui/i18n/locales/ ui/opensnitch/i18n/
+ pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc
+ sed -i 's/^import ui_pb2/from . import ui_pb2/' ui/opensnitch/ui_pb2*
+ cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb
+
+# daemon
+ dh_auto_install
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3
+
+override_dh_auto_clean:
+ dh_auto_clean
+ $(MAKE) clean
+ $(RM) ui/opensnitch/resources_rc.py
+ $(RM) -r ui/opensnitch/i18n/
+ $(RM) ui/i18n/locales/*/*.qm
+ cd ui && python3 setup.py clean -a
+ $(RM) -r ui/opensnitch_ui.egg-info/
+ find ui -name \*.pyc -exec rm {} \;
diff --git a/source/format b/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/source/options b/source/options
new file mode 100644
index 0000000..bcc4bbb
--- /dev/null
+++ b/source/options
@@ -0,0 +1 @@
+extend-diff-ignore="\.egg-info$"
\ No newline at end of file
diff --git a/tests/control b/tests/control
new file mode 100644
index 0000000..40698ed
--- /dev/null
+++ b/tests/control
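Review bot: The `# GUI` step of `override_dh_auto_install` invokes the sub-build as a bare `make -C ui/i18n`, while the other recipes in the same file use `$(MAKE)` (`$(MAKE) protocol`, `$(MAKE) clean`); the bare form does not inherit make's flags or jobserver and is the one GNU make warns about for recursive builds, so it should be `$(MAKE) -C ui/i18n`. Since `dh_auto_install` for the golang buildsystem also runs at the end of that target, a short comment above the manual `cp _build/bin/daemon` line saying why the binary is copied by hand rather than left to dh would spare a future maintainer from removing one or the other. The final clean-up line could use `find ui -name '*.pyc' -delete` instead of `-exec rm {} \;`, which is both shorter and avoids one process per file.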
@@ -0,0 +1,7 @@
+Tests: test-resources.sh
+Depends: opensnitch
+Restrictions: superficial
+
+Tests: test-fw-rules.sh
+Depends: iptables, nftables, opensnitch
+Restrictions: needs-root
diff --git a/tests/test-fw-rules.sh b/tests/test-fw-rules.sh
new file mode 100755
index 0000000..633c17d
--- /dev/null
+++ b/tests/test-fw-rules.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+# for some reason, go.exec.LookPath() fails to obtain the path of iptables
+# on the ci environment, even if $PATH is set correctly.
+echo "[+] PATH: $PATH"
+
+log="/var/log/opensnitchd.log"
+
+if [ -f /proc/modules ]; then
+ echo "[+] loaded modules:"
+ cat /proc/modules
+fi
+
+if [ -f $log ]; then
+ echo "[+] opensnitchd log:"
+ cat $log
+fi
+if grep "iptables not available" $log >/dev/null; then
+ echo "[!] iptables not available, falling back to nftables"
+ nft list ruleset | grep "ct state related,new queue flags bypass to 0"
+ echo "[+] Interception rule (nftables): OK"
+else
+ /usr/sbin/iptables -t mangle -L OUTPUT
+ /usr/sbin/iptables -t mangle -L OUTPUT | grep "NFQUEUE.*ctstate NEW,RELATED.*NFQUEUE num.*bypass"
+ echo "[+] Interception rule (iptables): OK"
+fi
diff --git a/tests/test-resources.sh b/tests/test-resources.sh
new file mode 100755
index 0000000..560d7c5
--- /dev/null
+++ b/tests/test-resources.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+ophome="/etc/opensnitchd"
+
+ls -dl $ophome 1>/dev/null
+echo "installed OK: $ophome"
+ls -l $ophome/system-fw.json 1>/dev/null
+echo "installed OK: $ophome/system-fw.json"
+ls -l $ophome/default-config.json 1>/dev/null
+echo "installed OK: $ophome/default-config.json"
+ls -dl $ophome/rules 1>/dev/null
+echo "installed OK: $ophome/rules/"
diff --git a/upstream/metadata b/upstream/metadata
new file mode 100644
index 0000000..556a1cf
--- /dev/null
+++ b/upstream/metadata
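Review bot: In test-fw-rules.sh the `grep "iptables not available" $log` condition runs even when the `[ -f $log ]` guard just above was false, so a missing log prints a grep error to stderr and the script silently falls through to the iptables branch with no indication that the daemon never logged anything; guarding it as `if [ -f "$log" ] && grep -q "iptables not available" "$log"; then` keeps the decision explicit. The two `/usr/sbin/iptables -t mangle -L OUTPUT` calls list without `-n`, which makes iptables reverse-resolve every address in the chain and can stall the test on an isolated CI network; `-nL` avoids that, and the grep pattern on the next line does not depend on the resolved names so it keeps matching. A comment above the nftables branch stating that the expected `queue ... to 0` text is tied to the daemon's default queue number (the `-queue-num` flag documented in the man page) would explain why the test hard-codes `to 0`.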
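Review bot: test-resources.sh checks installed paths with `ls -dl $ophome 1>/dev/null` and `ls -l … 1>/dev/null`, which spawns a process per check and only works because `set -e` turns ls's failure into an exit; the shell's own tests say the same thing directly, e.g. `[ -d "$ophome" ]` and `[ -f "$ophome/system-fw.json" ]`, and quote the variable. The test also only proves the two JSON files exist, not that they parse; if the test harness can depend on `python3`, a `python3 -m json.tool "$ophome/default-config.json" >/dev/null` step would catch a packaging-time corruption of the config the daemon reads at start-up.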
@@ -0,0 +1,9 @@
+---
+Name: opensnitch
+Bug-Database: https://github.com/evilsocket/opensnitch/issues
+Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new
+Contact: Gustavo Iñiguez Goia
+Documentation: https://github.com/evilsocket/opensnitch/wiki
+CPE: cpe:/a:evilsocket:opensnitch
+Repository: https://github.com/evilsocket/opensnitch.git
+Repository-Browse: https://github.com/evilsocket/opensnitch
diff --git a/watch b/watch
new file mode 100644
index 0000000..383dd73
--- /dev/null
+++ b/watch
@@ -0,0 +1,4 @@
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\
+uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \
+ https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz
-- 2.30.2