authorbgme2021-10-29 22:51:17 +0800
committerbgme2021-10-29 22:51:17 +0800
commitc1fd31a461bac915f1eb6f701d2acecfd5f5346a (patch)
treeaa09e2dbbaafd3f014b4d7b46dafad6f3d6007fa
parentf16538e2525163bc3181a8c14aa377c25d400754 (diff)
downloadaur-c1fd31a461bac915f1eb6f701d2acecfd5f5346a.tar.gz
95.0.4638.54-3
-rw-r--r--.SRCINFO12
-rw-r--r--PKGBUILD48
-rw-r--r--naiveproxy.service37
-rw-r--r--naiveproxy.sysusers1
-rw-r--r--naiveproxy@.service37
5 files changed, 89 insertions, 46 deletions
diff --git a/.SRCINFO b/.SRCINFO
index e893ec49027e..493daaa9f6ea 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = naiveproxy
pkgdesc = A Proxy using Chrome's network stack to camouflage traffic with strong censorship resistence and low detectablility.
pkgver = 95.0.4638.54
- pkgrel = 1
+ pkgrel = 3
url = https://github.com/klzgrad/naiveproxy
arch = x86_64
license = BSD
@@ -22,15 +22,17 @@ pkgbase = naiveproxy
noextract = chrome-linux-4638-1634308623-72bf2d0e0b11b9cb785718016169434ba1d25ee3.profdata
noextract = gn-39a87c0b36310bdf06b692c098f199a0d97fc810.zip
backup = etc/naiveproxy/config.json
- source = naiveproxy-95.0.4638.54-1.tar.gz::https://github.com/klzgrad/naiveproxy/archive/refs/tags/v95.0.4638.54-1.tar.gz
+ source = naiveproxy-95.0.4638.54-3.tar.gz::https://github.com/klzgrad/naiveproxy/archive/refs/tags/v95.0.4638.54-3.tar.gz
source = naiveproxy.service
source = naiveproxy@.service
+ source = naiveproxy.sysusers
source = clang-llvmorg-14-init-3191-g0e03450a-1.tgz::https://commondatastorage.googleapis.com/chromium-browser-clang/Linux_x64/clang-llvmorg-14-init-3191-g0e03450a-1.tgz
source = chrome-linux-4638-1634308623-72bf2d0e0b11b9cb785718016169434ba1d25ee3.profdata::https://storage.googleapis.com/chromium-optimization-profiles/pgo_profiles/chrome-linux-4638-1634308623-72bf2d0e0b11b9cb785718016169434ba1d25ee3.profdata
source = gn-39a87c0b36310bdf06b692c098f199a0d97fc810.zip::https://chrome-infra-packages.appspot.com/dl/gn/gn/linux-amd64/+/git_revision:69ec4fca1fa69ddadae13f9e6b7507efa0675263
- sha256sums = ccfb2462d91d9c0a77be23aef33962a0ce761a63e8e77c9a34e815c504dceac0
- sha256sums = ec7e686edd39068acd3122bbae4f4e83ba8540ffdb9fe30790679e72c7318d33
- sha256sums = 723979ea8245a297fac101ff71e1e9f97f138e0bfb0e84176ef5ca70cc96bf8e
+ sha256sums = 2489bffda3e0a993cf7e4e8dd6bb5d99e5793c49251ee7dad8612214a3badd03
+ sha256sums = fd6809e4b129f12474c81e5aed01fa1d2b4b706ba8975a27305cfdf822b8d038
+ sha256sums = c8fdde2a7f6663216770fcc0561551718dd0216d36d8494f6a2aed1c88925769
+ sha256sums = 5bc9ef361e6303e151b6e63deb31b47e24a4f34ade4d8f092a04bc98e89a2edb
sha256sums = dd7479d43ce61401e057a5dee8b7e32bc2bd0d0e15d4f46c6858daf9170c9978
sha256sums = 252703067ad0897cc0f39f618eb792b0899769bb0e1b715b64bee15bcfba6f0b
sha256sums = 8bedd600ac58311f384e5113ab6a544bc72edb587ccb8f9e784c4dff208872c4
diff --git a/PKGBUILD b/PKGBUILD
index 2553b342ac3b..6ff5aab4183e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@
pkgname=naiveproxy
pkgdesc="A Proxy using Chrome's network stack to camouflage traffic with strong censorship resistence and low detectablility."
pkgver=95.0.4638.54
-pkgrel=1
+pkgrel=3
arch=('x86_64')
url='https://github.com/klzgrad/naiveproxy'
license=('BSD')
@@ -15,58 +15,26 @@ _WITH_CLANG='Linux_x64'
_WITH_PGO='linux'
_WITH_GN='linux'
-_update_helper() {
- wget "https://github.com/klzgrad/naiveproxy/archive/refs/tags/v${pkgver}-${pkgrel}.tar.gz" -O "${pkgname}-${pkgver}-${pkgrel}.tar.gz"
- tar xf "${pkgname}-${pkgver}-${pkgrel}.tar.gz"
-
- cd "${pkgname}-${pkgver}-${pkgrel}/src"
- _WITH_CLANG='Linux_x64'
- _WITH_PGO='linux'
- _WITH_GN='linux'
- _PYTHON=$(which python2 2>/dev/null || which python 2>/dev/null)
- _CLANG_REVISION=$(${_PYTHON} tools/clang/scripts/update.py --print-revision)
- _clang_path="clang-${_CLANG_REVISION}.tgz"
- _PGO_PATH=$(cat chrome/build/${_WITH_PGO}.pgo.txt)
- _gn_version=$(grep "'gn_version':" DEPS | cut -d"'" -f4)
-
- cd ../../
- wget "https://commondatastorage.googleapis.com/chromium-browser-clang/${_WITH_CLANG}/${_clang_path}" -O "${_clang_path}"
- wget "https://storage.googleapis.com/chromium-optimization-profiles/pgo_profiles/${_PGO_PATH}" -O "${_PGO_PATH}"
- wget "https://chrome-infra-packages.appspot.com/dl/gn/gn/${_WITH_GN}-amd64/+/${_gn_version}" -O "gn-${_gn_revision}.zip"
-
- echo
- echo
- echo "_clang_path='${_clang_path}'"
- echo "_PGO_PATH='${_PGO_PATH}'"
- echo "_gn_version='${_gn_version}'"
- echo "_gn_revision='${_gn_revision}'"
- echo
- sha256sum "${pkgname}-${pkgver}-${pkgrel}.tar.gz" "naiveproxy.service" "naiveproxy@.service" "${_clang_path}" "${_PGO_PATH}" "gn-${_gn_revision}.zip" | \
- awk 'BEGIN {print "sha256sums=(" } { print " \x22"$1"\x22" } END { print ")" }'
-
- rm -r "${pkgname}-${pkgver}-${pkgrel}"
-}
-
-
_clang_path='clang-llvmorg-14-init-3191-g0e03450a-1.tgz'
_PGO_PATH='chrome-linux-4638-1634308623-72bf2d0e0b11b9cb785718016169434ba1d25ee3.profdata'
_gn_version='git_revision:69ec4fca1fa69ddadae13f9e6b7507efa0675263'
_gn_revision='39a87c0b36310bdf06b692c098f199a0d97fc810'
sha256sums=(
- "ccfb2462d91d9c0a77be23aef33962a0ce761a63e8e77c9a34e815c504dceac0"
- "ec7e686edd39068acd3122bbae4f4e83ba8540ffdb9fe30790679e72c7318d33"
- "723979ea8245a297fac101ff71e1e9f97f138e0bfb0e84176ef5ca70cc96bf8e"
+ "2489bffda3e0a993cf7e4e8dd6bb5d99e5793c49251ee7dad8612214a3badd03"
+ "fd6809e4b129f12474c81e5aed01fa1d2b4b706ba8975a27305cfdf822b8d038"
+ "c8fdde2a7f6663216770fcc0561551718dd0216d36d8494f6a2aed1c88925769"
+ "5bc9ef361e6303e151b6e63deb31b47e24a4f34ade4d8f092a04bc98e89a2edb"
"dd7479d43ce61401e057a5dee8b7e32bc2bd0d0e15d4f46c6858daf9170c9978"
"252703067ad0897cc0f39f618eb792b0899769bb0e1b715b64bee15bcfba6f0b"
"8bedd600ac58311f384e5113ab6a544bc72edb587ccb8f9e784c4dff208872c4"
)
-
source=(
"${pkgname}-${pkgver}-${pkgrel}.tar.gz::https://github.com/klzgrad/naiveproxy/archive/refs/tags/v${pkgver}-${pkgrel}.tar.gz"
"naiveproxy.service"
"naiveproxy@.service"
+ "naiveproxy.sysusers"
"${_clang_path}::https://commondatastorage.googleapis.com/chromium-browser-clang/${_WITH_CLANG}/${_clang_path}"
"${_PGO_PATH}::https://storage.googleapis.com/chromium-optimization-profiles/pgo_profiles/${_PGO_PATH}"
"gn-${_gn_revision}.zip::https://chrome-infra-packages.appspot.com/dl/gn/gn/${_WITH_GN}-amd64/+/${_gn_version}"
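Review bot: With `_update_helper` removed, nothing on the new side records how `_clang_path`, `_PGO_PATH`, `_gn_version` and `_gn_revision` are derived, and the two gn pins already disagree: the archive is saved under the `_gn_revision` name but downloaded from a different `git_revision:` in `_gn_version`. makepkg reuses an already-downloaded source by its local file name, so a later `_gn_version` bump that leaves `_gn_revision` untouched would probably pick up the old zip and still pass the old checksum. I would name the file after the revision actually fetched, e.g. `"gn-${_gn_version#git_revision:}.zip::https://chrome-infra-packages.appspot.com/dl/gn/gn/${_WITH_GN}-amd64/+/${_gn_version}"`, adjusting the matching `noextract` entry, which is outside this hunk. A comment above the pins would also help, such as `# Refresh from the upstream tarball: tools/clang/scripts/update.py --print-revision, chrome/build/linux.pgo.txt, 'gn_version' in DEPS`.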
@@ -104,11 +72,13 @@ package(){
pushd ${srcdir}
install -Dm644 naiveproxy.service ${pkgdir}/usr/lib/systemd/system/naiveproxy.service
install -Dm644 naiveproxy@.service ${pkgdir}/usr/lib/systemd/system/naiveproxy@.service
+ install -Dm644 naiveproxy.sysusers ${pkgdir}/usr/lib/sysusers.d/naiveproxy.conf
popd
pushd ${srcdir}/${pkgname}-${pkgver}-${pkgrel}
- install -Dm755 src/out/Release/naive ${pkgdir}/usr/bin/naiveproxy
+ install -d -m750 -o 0 -g 287 ${pkgdir}/etc/naiveproxy
install -Dm644 src/config.json ${pkgdir}/etc/naiveproxy/config.json
+ install -Dm755 src/out/Release/naive ${pkgdir}/usr/bin/naiveproxy
install -Dm644 README.md ${pkgdir}/usr/share/doc/naiveproxy/README.md
install -Dm644 USAGE.txt ${pkgdir}/usr/share/doc/naiveproxy/USAGE.txt
install -Dm644 LICENSE ${pkgdir}/usr/share/licenses/naiveproxy/LICENSE
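Review bot: The group id in `install -d -m750 -o 0 -g 287 ${pkgdir}/etc/naiveproxy` is a bare number that must stay equal to the id in naiveproxy.sysusers (`u naiveproxy 287 "naiveproxy daemon" /`), and nothing ties the two together. If id 287 is already allocated on a host, systemd-sysusers may assign a different one (worth confirming against sysusers.d(5)). The directory would then be group-owned by an unrelated account, and the service user could not read its config. The minimum is a comment such as `# 287 = naiveproxy gid, keep in sync with naiveproxy.sysusers`; a tmpfiles.d entry that owns the directory by name (`d /etc/naiveproxy 0750 root naiveproxy -`) would avoid the fixed id altogether. config.json is still installed 0644, so the 0750 directory is the only thing keeping its contents, presumably the proxy URL and credentials, from other local users, and per-instance `%i.json` files need to be group-readable as well. package() begins and ends outside this hunk.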
diff --git a/naiveproxy.service b/naiveproxy.service
index 3766a5419efc..ed7146047728 100644
--- a/naiveproxy.service
+++ b/naiveproxy.service
@@ -4,10 +4,45 @@ After=network-online.target
[Service]
Type=simple
-User=nobody
+User=naiveproxy
Restart=on-failure
RestartSec=5s
ExecStart=/usr/bin/naiveproxy /etc/naiveproxy/config.json
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectHome=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
[Install]
WantedBy=default.target
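Review bot: The three plain lines after the `~` deny list (`SystemCallFilter=@chown`, `SystemCallFilter=pipe`, `SystemCallFilter=pipe2`) depend on systemd's ordering rule, and nothing in the unit says so. The first SystemCallFilter line sets the default action and later lines without `~` are removed from the deny set, so moving one of them to the top would turn the whole filter into a tiny allow list. A comment above them would make this explicit, e.g. `# Exceptions to the deny list above: @chown is part of @privileged, pipe/pipe2 are part of @ipc`. It is also worth adding `SystemCallErrorNumber=EPERM`, so that a filtered call returns an error instead of killing the process and, with `Restart=on-failure`, restarting it in a loop. The same block is added to naiveproxy@.service, and the same remarks apply there.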
diff --git a/naiveproxy.sysusers b/naiveproxy.sysusers
new file mode 100644
index 000000000000..ede3bd4e533d
--- /dev/null
+++ b/naiveproxy.sysusers
@@ -0,0 +1 @@
+u naiveproxy 287 "naiveproxy daemon" /
diff --git a/naiveproxy@.service b/naiveproxy@.service
index 963b0cd42582..2ad948516226 100644
--- a/naiveproxy@.service
+++ b/naiveproxy@.service
@@ -4,10 +4,45 @@ After=network-online.target
[Service]
Type=simple
-User=nobody
+User=naiveproxy
Restart=on-failure
RestartSec=5s
ExecStart=/usr/bin/naiveproxy /etc/naiveproxy/%i.json
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectHome=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
[Install]
WantedBy=default.target