authorSafing2022-08-08 13:41:12 +0200
committerPatrick Pacher2022-08-08 13:41:12 +0200
commitbca5e1d0b44f9267a3a151eed13bdc8ccc1aa7d9 (patch)
treedec063b337ab979a2f67d0f71a7898db8c17a1f9
downloadaur-bca5e1d0b44f9267a3a151eed13bdc8ccc1aa7d9.tar.gz
Initial commit of Portmaster AUR package
-rw-r--r--.SRCINFO27
-rw-r--r--PKGBUILD55
-rw-r--r--arch.install185
-rw-r--r--portmaster.desktop8
-rw-r--r--portmaster.service44
-rw-r--r--portmaster_logo.pngbin0 -> 31361 bytes
-rw-r--r--portmaster_notifier.desktop9
7 files changed, 328 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..2610c979813d
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,27 @@
+pkgbase = portmaster-stub-bin
+ pkgdesc = Application Firewall: Block Mass Surveillance - Love Freedom
+ pkgver = 0.8.8
+ pkgrel = 2
+ url = https://safing.io/portmaster
+ install = arch.install
+ arch = x86_64
+ license = AGPL3
+ makedepends = imagemagick
+ depends = libnetfilter_queue
+ optdepends = libappindicator-gtk3: for systray indicator
+ provides = portmaster
+ conflicts = portmaster
+ noextract = portmaster-start
+ options = !strip
+ source = portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v0-8-8
+ source = portmaster.desktop
+ source = portmaster_notifier.desktop
+ source = portmaster_logo.png
+ source = portmaster.service
+ sha256sums = 36fd91e85d69618cea4a8f4590ceb52893edad601f0231bfdf53ce3f5dddb37e
+ sha256sums = 7b0c03e4552dd86caeff2d628b13346cfe70a646af11abac6555e348e46c28da
+ sha256sums = 490b586f185218fdd947e8f12aa2dc412d78d89c8ce9b8ef5a75cb2e5ffb94ae
+ sha256sums = ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957
+ sha256sums = bc26dd37e6953af018ad3676ee77570070e075f2b9f5df6fa59d65651a481468
+
+pkgname = portmaster-stub-bin
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..4546efa5b86b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,55 @@
+# Maintainer: Safing ICS Technologies <noc@safing.io>
+#
+# Application Firewall: Block Mass Surveillance - Love Freedom
+# The Portmaster enables you to protect your data on your device. You
+# are back in charge of your outgoing connections: you choose what data
+# you share and what data stays private. Read more on docs.safing.io.
+#
+pkgname=portmaster-stub-bin
+pkgver=0.8.8
+pkgrel=2
+pkgdesc='Application Firewall: Block Mass Surveillance - Love Freedom'
+arch=('x86_64')
+url='https://safing.io/portmaster'
+license=('AGPL3')
+depends=('libnetfilter_queue')
+makedepends=('imagemagick') # for convert
+optdepends=('libappindicator-gtk3: for systray indicator')
+options=('!strip')
+provides=('portmaster')
+conflicts=('portmaster')
+install=arch.install
+source=("portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v${pkgver//./-}"
+ 'portmaster.desktop'
+ 'portmaster_notifier.desktop'
+ 'portmaster_logo.png'
+ "portmaster.service")
+noextract=('portmaster-start')
+sha256sums=('36fd91e85d69618cea4a8f4590ceb52893edad601f0231bfdf53ce3f5dddb37e'
+ '7b0c03e4552dd86caeff2d628b13346cfe70a646af11abac6555e348e46c28da'
+ '490b586f185218fdd947e8f12aa2dc412d78d89c8ce9b8ef5a75cb2e5ffb94ae'
+ 'ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957'
+ 'bc26dd37e6953af018ad3676ee77570070e075f2b9f5df6fa59d65651a481468')
+
+prepare() {
+ for res in 16 32 48 96 128 ; do
+ local iconpath="${srcdir}/icons/${res}x${res}/"
+ mkdir -p "${iconpath}" ;
+ convert ./portmaster_logo.png -resize "${res}x${res}" "${iconpath}/portmaster.png" ;
+ done
+}
+
+package() {
+ install -Dm 0755 "${srcdir}/portmaster-start" "${pkgdir}/opt/safing/portmaster/portmaster-start"
+ install -Dm 0644 "${srcdir}/portmaster.desktop" "${pkgdir}/opt/safing/portmaster/portmaster.desktop"
+ install -Dm 0644 "${srcdir}/portmaster_notifier.desktop" "${pkgdir}/opt/safing/portmaster/portmaster_notifier.desktop"
+ install -dm 0755 "${pkgdir}/etc/xdg/autostart"
+ ln -s "/opt/safing/portmaster/portmaster_notifier.desktop" "${pkgdir}/etc/xdg/autostart/portmaster_notifier.desktop"
+ install -Dm 0644 "${srcdir}/portmaster.service" "${pkgdir}/opt/safing/portmaster/portmaster.service"
+ install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/pixmaps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/16x16/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/16x16/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/32x32/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/48x48/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/48x48/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/96x96/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/96x96/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/128x128/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/128x128/apps/portmaster.png"
+}
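Review bot: The unit file is packaged only under `/opt/safing/portmaster/`, so the path systemd actually loads is a symlink created by the scriptlet that pacman does not own. In `package()` I would install it where systemd reads it, `install -Dm 0644 "${srcdir}/portmaster.service" "${pkgdir}/usr/lib/systemd/system/portmaster.service"`, so the file is tracked, removed on uninstall and checked by `pacman -Qkk`. The scriptlet in arch.install can also edit the `/opt` copy in place with `sed -i`, which makes a package-owned file differ from what was shipped. As a smaller style point, `prepare()` reads `./portmaster_logo.png` relative to the working directory while every other path uses `${srcdir}`; `"${srcdir}/portmaster_logo.png"` would be consistent.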
diff --git a/arch.install b/arch.install
new file mode 100644
index 000000000000..0bf7ccf96961
--- /dev/null
+++ b/arch.install
@@ -0,0 +1,185 @@
+
+
+post_install() {
+ log() {
+ echo "$@"
+ }
+ #
+ # Prepares systemd support by creating a symlink for the .service file
+ # and enabling/disabling certain features of our .service unit based on
+ # the available systemd version.
+ #
+ installSystemdSupport() {
+ local changed="False"
+ if command -V systemctl >/dev/null 2>&1; then
+ local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')"
+ # not all distros have migrated /lib to /usr/lib yet but all that
+ # have provide a symlink from /lib -> /usr/lib so we just prefix with
+ # /lib here.
+ ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||
+ log error "Failed to install systemd unit file. Please copy /opt/safing/portmaster/portmaster.service to /etc/systemd/system manually"
+
+ # rhel/centos8 does not yet have ProtectKernelLogs available
+ if [ "${systemd_version}" -lt 244 ]; then
+ sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||:
+ changed="True"
+ fi
+
+ if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then
+ systemctl daemon-reload ||:
+ fi
+
+ log "info" "Configuring portmaster.service to launch at boot"
+ systemctl enable portmaster.service ||:
+ fi
+ }
+ #
+ # install .desktop files, either using desktop-file-install when available
+ # or by just copying the files into /usr/share/applications.
+ #
+ if command -V desktop-file-install >/dev/null 2>&1; then
+ desktop-file-install /opt/safing/portmaster/portmaster.desktop 2>/dev/null ||:
+ desktop-file-install /opt/safing/portmaster/portmaster_notifier.desktop 2>/dev/null ||
+ log error "Failed to install .desktop files. Please copy /opt/safing/portmaster/*.desktop manually"
+ elif [ -d /usr/share/applications ]; then
+ cp /opt/safing/portmaster/portmaster.desktop /opt/safing/portmaster/portmaster_notifier.desktop /usr/share/applications 2>/dev/null ||
+ log error "Failed to install .desktop files. Please copy /opt/safing/portmaster/*.desktop manually"
+ fi
+
+ installSystemdSupport
+
+ #
+ # Fix selinux permissions for portmaster-start if we have semanage
+ # available.
+ #
+ if command -V semanage >/dev/null 2>&1; then
+ semanage fcontext -a -t bin_t -s system_u $(realpath /opt)'/safing/portmaster/portmaster-start' || :
+ semanage fcontext -a -t bin_t -s system_u $(realpath /opt)'/safing/portmaster/updates/linux_(.*)' || :
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+
+ #
+ # Prepare the installation directory tree
+ #
+ /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster clean-structure
+
+ #
+ # Finally, trigger downloading modules. As this requires internet access
+ # it is more likely to fail and is thus the last thing we do.
+ #
+ if [ "${skip_downloads}" = "True" ]; then
+ log "info" "Downloading of Portmaster modules skipped!"
+ log "info" "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n"
+ return
+ fi
+ log "Downloading portmaster modules. This may take a while ..."
+ /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update --update-agent "${download_agent}" 2>/dev/null >/dev/null || (
+ log "error" "Failed to download modules"
+ log "error" "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n"
+ )
+
+ # finally, once we donwloaded the modules restore the SE-linux context
+ # for all downloaded files
+ if command -V semanage >/dev/null 2>&1; then
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+}
+
+post_upgrade() {
+ log() {
+ echo "$@"
+ }
+ #
+ # Prepares systemd support by creating a symlink for the .service file
+ # and enabling/disabling certain features of our .service unit based on
+ # the available systemd version.
+ #
+ installSystemdSupport() {
+ local changed="False"
+ if command -V systemctl >/dev/null 2>&1; then
+ local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')"
+ # not all distros have migrated /lib to /usr/lib yet but all that
+ # have provide a symlink from /lib -> /usr/lib so we just prefix with
+ # /lib here.
+ ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||
+ log error "Failed to install systemd unit file. Please copy /opt/safing/portmaster/portmaster.service to /etc/systemd/system manually"
+
+ # rhel/centos8 does not yet have ProtectKernelLogs available
+ if [ "${systemd_version}" -lt 244 ]; then
+ sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||:
+ changed="True"
+ fi
+
+ if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then
+ systemctl daemon-reload ||:
+ fi
+
+ log "info" "Configuring portmaster.service to launch at boot"
+ systemctl enable portmaster.service ||:
+ fi
+ }
+ #
+ # As of 0.4.0 portmaster-control has been renamed to portmaster-start
+ # and is not placed in /usr/bin anymore. Unfortunately, the postrm script
+ # of the old installer does not get rid of portmaster-control so we should
+ # take care during an upgrade.
+ #
+ rm /usr/bin/portmaster-control 2>/dev/null >&2 ||:
+
+ #
+ # If there's already a /var/lib/portmaster installation we're going to move
+ # configs and databases and remove the complete directory
+ # The preinstall.sh already checked that /var/lib/portmaster/updates MUST NOT
+ # exist so we should be safe to touch the databases here.
+ #
+ if [ -d /var/lib/portmaster ]; then
+ if [ ! -d /opt/safing/portmaster/config.json ]; then
+ log "info" "Migrating from previous installation at /var/lib/portmaster to /opt/safing/portmaster ..."
+ mv /var/lib/portmaster/databases /opt/safing/portmaster/databases ||:
+ mv /var/lib/portmaster/config.json /opt/safing/portmaster/config.json ||:
+ fi
+ log "info" "Removing previous installation directory at /var/lib/portmaster"
+ rm -r /var/lib/portmaster 2>/dev/null >&2 ||:
+ fi
+
+}
+
+pre_remove() {
+ log() {
+ echo "$@"
+ }
+ # stop the portmaster service and disable it if it's enabled.
+ if command -V systemctl >/dev/null 2>&1; then
+ if (systemctl -q is-active portmaster.service); then
+ log "info" "Stopping portmaster.service"
+ systemctl stop portmaster.service ||:
+ fi
+ if (systemctl -q is-enabled portmaster.service); then
+ log "info" "Disabling portmaster.service to launch at boot"
+ systemctl disable portmaster.service ||:
+ fi
+ fi
+}
+
+post_remove() {
+ log() {
+ echo "$@"
+ }
+ rm -rf /opt/safing/portmaster/updates ||:
+
+ # file is marked as a ghost on RPM system so it might have
+ # been automatically deleted by the package manager.
+ rm /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||:
+ rm /usr/share/applications/portmaster.desktop 2>/dev/null >&2 ||:
+ rm /usr/share/applications/portmaster_notifier.desktop 2>/dev/null >&2 ||:
+
+ if command -V semanage >/dev/null 2>&1; then
+ semanage fcontext --delete $(realpath /opt)'/safing/portmaster/portmaster-start' || :
+ semanage fcontext --delete $(realpath /opt)'/safing/portmaster/updates/linux_(.*)' || :
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+
+ if [ "$1" = "purge" ]; then
+ rm -rf /opt/safing/portmaster ||:
+ fi
+}
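Review bot: The module download in `post_install` runs as root with both output streams sent to `/dev/null`, and it is steered by `skip_downloads` and `download_agent`, neither of which is assigned anywhere in this file. As written the skip branch looks unreachable and `--update-agent ""` is passed; I would default the variables explicitly, e.g. `[ "${skip_downloads:-False}" = "True" ]`, and keep stderr so a failed or refused update shows up in the pacman log. What is fetched here is not covered by the `sha256sums` in the PKGBUILD, so its integrity presumably rests entirely on whatever verification `portmaster-start update` performs itself, which is worth stating in a comment above the call. In `post_upgrade`, `[ ! -d /opt/safing/portmaster/config.json ]` tests a regular file with `-d`, so the guard holds whenever the config already exists as a file and the `mv` can overwrite it; `[ ! -e /opt/safing/portmaster/config.json ]` matches the intent. The `"$1" = "upgrade"` and `"$1" = "purge"` comparisons appear carried over from deb-style scripts; pacman passes version strings, so the `daemon-reload` and the final `rm -rf` would never run.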
diff --git a/portmaster.desktop b/portmaster.desktop
new file mode 100644
index 000000000000..de4b5b4f3b18
--- /dev/null
+++ b/portmaster.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Portmaster
+GenericName=Application Firewall
+Exec=/opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
diff --git a/portmaster.service b/portmaster.service
new file mode 100644
index 000000000000..af25a314e725
--- /dev/null
+++ b/portmaster.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=Portmaster by Safing
+Documentation=https://safing.io
+Documentation=https://docs.safing.io
+Before=nss-lookup.target network.target shutdown.target
+After=systemd-networkd.service
+Conflicts=shutdown.target
+Conflicts=firewalld.service
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PIDFile=/opt/safing/portmaster/core-lock.pid
+Environment=LOGLEVEL=info
+Environment=PORTMASTER_ARGS=
+EnvironmentFile=-/etc/default/portmaster
+ProtectSystem=true
+#ReadWritePaths=/var/lib/portmaster
+#ReadWritePaths=/run/xtables.lock
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+# In future version portmaster will require access to user home
+# directories to verify application permissions.
+ProtectHome=read-only
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+# SystemCallArchitectures=native
+# SystemCallFilter=@system-service @module
+# SystemCallErrorNumber=EPERM
+ExecStart=/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster core -- $PORTMASTER_ARGS
+ExecStopPost=-/opt/safing/portmaster/portmaster-start recover-iptables
+
+[Install]
+WantedBy=multi-user.target
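Review bot: `ProtectSystem=true` only makes `/usr` and the boot loader directories read-only, so this service keeps write access to `/etc` and to `/opt/safing/portmaster`, the same tree `ExecStart` runs its binary from, while holding `cap_sys_module`, `cap_sys_ptrace` and `cap_dac_override`. If the core needs to write only to its data directory and the xtables lock, `ProtectSystem=strict` with `ReadWritePaths=/opt/safing/portmaster` and `ReadWritePaths=-/run/xtables.lock` would narrow that; this needs testing against the updater, which is not visible from here. The commented-out `#ReadWritePaths=/var/lib/portmaster` still names the old data location and should be updated or removed. A comment above the capability lines saying which feature needs `cap_sys_module` and which needs `cap_sys_ptrace` would help the next reviewer decide whether the commented-out `SystemCallFilter` can be enabled.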
diff --git a/portmaster_logo.png b/portmaster_logo.png
new file mode 100644
index 000000000000..357066732a52
--- /dev/null
+++ b/portmaster_logo.png
Binary files differ
diff --git a/portmaster_notifier.desktop b/portmaster_notifier.desktop
new file mode 100644
index 000000000000..e34a1c4a7b72
--- /dev/null
+++ b/portmaster_notifier.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Portmaster Notifier
+GenericName=Application Firewall Notifier
+Exec=/opt/safing/portmaster/portmaster-start notifier --data=/opt/safing/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
+NoDisplay=true