author | Safing | 2022-08-08 13:41:12 +0200 |
---|---|---|
committer | Patrick Pacher | 2022-08-08 13:41:12 +0200 |
commit | bca5e1d0b44f9267a3a151eed13bdc8ccc1aa7d9 (patch) | |
tree | dec063b337ab979a2f67d0f71a7898db8c17a1f9 | |
download | aur-bca5e1d0b44f9267a3a151eed13bdc8ccc1aa7d9.tar.gz |
Initial commit of Portmaster AUR package
-rw-r--r-- | .SRCINFO | 27 | ||||
-rw-r--r-- | PKGBUILD | 55 | ||||
-rw-r--r-- | arch.install | 185 | ||||
-rw-r--r-- | portmaster.desktop | 8 | ||||
-rw-r--r-- | portmaster.service | 44 | ||||
-rw-r--r-- | portmaster_logo.png | bin | 0 -> 31361 bytes | |||
-rw-r--r-- | portmaster_notifier.desktop | 9 |
7 files changed, 328 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..2610c979813d
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,27 @@
+pkgbase = portmaster-stub-bin
+ pkgdesc = Application Firewall: Block Mass Surveillance - Love Freedom
+ pkgver = 0.8.8
+ pkgrel = 2
+ url = https://safing.io/portmaster
+ install = arch.install
+ arch = x86_64
+ license = AGPL3
+ makedepends = imagemagick
+ depends = libnetfilter_queue
+ optdepends = libappindicator-gtk3: for systray indicator
+ provides = portmaster
+ conflicts = portmaster
+ noextract = portmaster-start
+ options = !strip
+ source = portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v0-8-8
+ source = portmaster.desktop
+ source = portmaster_notifier.desktop
+ source = portmaster_logo.png
+ source = portmaster.service
+ sha256sums = 36fd91e85d69618cea4a8f4590ceb52893edad601f0231bfdf53ce3f5dddb37e
+ sha256sums = 7b0c03e4552dd86caeff2d628b13346cfe70a646af11abac6555e348e46c28da
+ sha256sums = 490b586f185218fdd947e8f12aa2dc412d78d89c8ce9b8ef5a75cb2e5ffb94ae
+ sha256sums = ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957
+ sha256sums = bc26dd37e6953af018ad3676ee77570070e075f2b9f5df6fa59d65651a481468
+
+pkgname = portmaster-stub-bin
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..4546efa5b86b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,55 @@
+# Maintainer: Safing ICS Technologies <noc@safing.io>
+#
+# Application Firewall: Block Mass Surveillance - Love Freedom
+# The Portmaster enables you to protect your data on your device. You
+# are back in charge of your outgoing connections: you choose what data
+# you share and what data stays private. Read more on docs.safing.io.
+#
+pkgname=portmaster-stub-bin
+pkgver=0.8.8
+pkgrel=2
+pkgdesc='Application Firewall: Block Mass Surveillance - Love Freedom'
+arch=('x86_64')
+url='https://safing.io/portmaster'
+license=('AGPL3')
+depends=('libnetfilter_queue')
+makedepends=('imagemagick') # for convert
+optdepends=('libappindicator-gtk3: for systray indicator')
+options=('!strip')
+provides=('portmaster')
+conflicts=('portmaster')
+install=arch.install
+source=("portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v${pkgver//./-}"
+ 'portmaster.desktop'
+ 'portmaster_notifier.desktop'
+ 'portmaster_logo.png'
+ "portmaster.service")
+noextract=('portmaster-start')
+sha256sums=('36fd91e85d69618cea4a8f4590ceb52893edad601f0231bfdf53ce3f5dddb37e'
+ '7b0c03e4552dd86caeff2d628b13346cfe70a646af11abac6555e348e46c28da'
+ '490b586f185218fdd947e8f12aa2dc412d78d89c8ce9b8ef5a75cb2e5ffb94ae'
+ 'ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957'
+ 'bc26dd37e6953af018ad3676ee77570070e075f2b9f5df6fa59d65651a481468')
+
+prepare() {
+ for res in 16 32 48 96 128 ; do
+ local iconpath="${srcdir}/icons/${res}x${res}/"
+ mkdir -p "${iconpath}" ;
+ convert ./portmaster_logo.png -resize "${res}x${res}" "${iconpath}/portmaster.png" ;
+ done
+}
+
+package() {
+ install -Dm 0755 "${srcdir}/portmaster-start" "${pkgdir}/opt/safing/portmaster/portmaster-start"
+ install -Dm 0644 "${srcdir}/portmaster.desktop" "${pkgdir}/opt/safing/portmaster/portmaster.desktop"
+ install -Dm 0644 "${srcdir}/portmaster_notifier.desktop" "${pkgdir}/opt/safing/portmaster/portmaster_notifier.desktop"
+ install -dm 0755 "${pkgdir}/etc/xdg/autostart"
+ ln -s "/opt/safing/portmaster/portmaster_notifier.desktop" "${pkgdir}/etc/xdg/autostart/portmaster_notifier.desktop"
+ install -Dm 0644 "${srcdir}/portmaster.service" "${pkgdir}/opt/safing/portmaster/portmaster.service"
+ install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/pixmaps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/16x16/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/16x16/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/32x32/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/48x48/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/48x48/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/96x96/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/96x96/apps/portmaster.png"
+ install -Dm 0644 "${srcdir}/icons/128x128/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/128x128/apps/portmaster.png"
+}
diff --git a/arch.install b/arch.install
new file mode 100644
index 000000000000..0bf7ccf96961
--- /dev/null
+++ b/arch.install
@@ -0,0 +1,185 @@
+
+
+post_install() {
+ log() {
+ echo "$@"
+ }
+ #
+ # Prepares systemd support by creating a symlink for the .service file
+ # and enabling/disabling certain features of our .service unit based on
+ # the available systemd version.
+ #
+ installSystemdSupport() {
+ local changed="False"
+ if command -V systemctl >/dev/null 2>&1; then
+ local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')"
+ # not all distros have migrated /lib to /usr/lib yet but all that
+ # have provide a symlink from /lib -> /usr/lib so we just prefix with
+ # /lib here.
+ ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||
+ log error "Failed to install systemd unit file. Please copy /opt/safing/portmaster/portmaster.service to /etc/systemd/system manually"
+
+ # rhel/centos8 does not yet have ProtectKernelLogs available
+ if [ "${systemd_version}" -lt 244 ]; then
+ sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||:
+ changed="True"
+ fi
+
+ if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then
+ systemctl daemon-reload ||:
+ fi
+
+ log "info" "Configuring portmaster.service to launch at boot"
+ systemctl enable portmaster.service ||:
+ fi
+ }
+ #
+ # install .desktop files, either using desktop-file-install when available
+ # or by just copying the files into /usr/share/applications.
+ #
+ if command -V desktop-file-install >/dev/null 2>&1; then
+ desktop-file-install /opt/safing/portmaster/portmaster.desktop 2>/dev/null ||:
+ desktop-file-install /opt/safing/portmaster/portmaster_notifier.desktop 2>/dev/null ||
+ log error "Failed to install .desktop files. Please copy /opt/safing/portmaster/*.desktop manually"
+ elif [ -d /usr/share/applications ]; then
+ cp /opt/safing/portmaster/portmaster.desktop /opt/safing/portmaster/portmaster_notifier.desktop /usr/share/applications 2>/dev/null ||
+ log error "Failed to install .desktop files. Please copy /opt/safing/portmaster/*.desktop manually"
+ fi
+
+ installSystemdSupport
+
+ #
+ # Fix selinux permissions for portmaster-start if we have semanage
+ # available.
+ #
+ if command -V semanage >/dev/null 2>&1; then
+ semanage fcontext -a -t bin_t -s system_u $(realpath /opt)'/safing/portmaster/portmaster-start' || :
+ semanage fcontext -a -t bin_t -s system_u $(realpath /opt)'/safing/portmaster/updates/linux_(.*)' || :
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+
+ #
+ # Prepare the installation directory tree
+ #
+ /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster clean-structure
+
+ #
+ # Finally, trigger downloading modules. As this requires internet access
+ # it is more likely to fail and is thus the last thing we do.
+ #
+ if [ "${skip_downloads}" = "True" ]; then
+ log "info" "Downloading of Portmaster modules skipped!"
+ log "info" "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n"
+ return
+ fi
+ log "Downloading portmaster modules. This may take a while ..."
+ /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update --update-agent "${download_agent}" 2>/dev/null >/dev/null || (
+ log "error" "Failed to download modules"
+ log "error" "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n"
+ )
+
+ # finally, once we donwloaded the modules restore the SE-linux context
+ # for all downloaded files
+ if command -V semanage >/dev/null 2>&1; then
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+}
+
+post_upgrade() {
+ log() {
+ echo "$@"
+ }
+ #
+ # Prepares systemd support by creating a symlink for the .service file
+ # and enabling/disabling certain features of our .service unit based on
+ # the available systemd version.
+ #
+ installSystemdSupport() {
+ local changed="False"
+ if command -V systemctl >/dev/null 2>&1; then
+ local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')"
+ # not all distros have migrated /lib to /usr/lib yet but all that
+ # have provide a symlink from /lib -> /usr/lib so we just prefix with
+ # /lib here.
+ ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||
+ log error "Failed to install systemd unit file. Please copy /opt/safing/portmaster/portmaster.service to /etc/systemd/system manually"
+
+ # rhel/centos8 does not yet have ProtectKernelLogs available
+ if [ "${systemd_version}" -lt 244 ]; then
+ sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||:
+ changed="True"
+ fi
+
+ if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then
+ systemctl daemon-reload ||:
+ fi
+
+ log "info" "Configuring portmaster.service to launch at boot"
+ systemctl enable portmaster.service ||:
+ fi
+ }
+ #
+ # As of 0.4.0 portmaster-control has been renamed to portmaster-start
+ # and is not placed in /usr/bin anymore. Unfortunately, the postrm script
+ # of the old installer does not get rid of portmaster-control so we should
+ # take care during an upgrade.
+ #
+ rm /usr/bin/portmaster-control 2>/dev/null >&2 ||:
+
+ #
+ # If there's already a /var/lib/portmaster installation we're going to move
+ # configs and databases and remove the complete directory
+ # The preinstall.sh already checked that /var/lib/portmaster/updates MUST NOT
+ # exist so we should be safe to touch the databases here.
+ #
+ if [ -d /var/lib/portmaster ]; then
+ if [ ! -d /opt/safing/portmaster/config.json ]; then
+ log "info" "Migrating from previous installation at /var/lib/portmaster to /opt/safing/portmaster ..."
+ mv /var/lib/portmaster/databases /opt/safing/portmaster/databases ||:
+ mv /var/lib/portmaster/config.json /opt/safing/portmaster/config.json ||:
+ fi
+ log "info" "Removing previous installation directory at /var/lib/portmaster"
+ rm -r /var/lib/portmaster 2>/dev/null >&2 ||:
+ fi
+
+}
+
+pre_remove() {
+ log() {
+ echo "$@"
+ }
+ # stop the portmaster service and disable it if it's enabled.
+ if command -V systemctl >/dev/null 2>&1; then
+ if (systemctl -q is-active portmaster.service); then
+ log "info" "Stopping portmaster.service"
+ systemctl stop portmaster.service ||:
+ fi
+ if (systemctl -q is-enabled portmaster.service); then
+ log "info" "Disabling portmaster.service to launch at boot"
+ systemctl disable portmaster.service ||:
+ fi
+ fi
+}
+
+post_remove() {
+ log() {
+ echo "$@"
+ }
+ rm -rf /opt/safing/portmaster/updates ||:
+
+ # file is marked as a ghost on RPM system so it might have
+ # been automatically deleted by the package manager.
+ rm /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||:
+ rm /usr/share/applications/portmaster.desktop 2>/dev/null >&2 ||:
+ rm /usr/share/applications/portmaster_notifier.desktop 2>/dev/null >&2 ||:
+
+ if command -V semanage >/dev/null 2>&1; then
+ semanage fcontext --delete $(realpath /opt)'/safing/portmaster/portmaster-start' || :
+ semanage fcontext --delete $(realpath /opt)'/safing/portmaster/updates/linux_(.*)' || :
+ restorecon -R /opt/safing/portmaster 2>/dev/null >&2 || :
+ fi
+
+ if [ "$1" = "purge" ]; then
+ rm -rf /opt/safing/portmaster ||:
+ fi
+}
diff --git a/portmaster.desktop b/portmaster.desktop
new file mode 100644
index 000000000000..de4b5b4f3b18
--- /dev/null
+++ b/portmaster.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Portmaster
+GenericName=Application Firewall
+Exec=/opt/safing/portmaster/portmaster-start app --data=/opt/safing/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
diff --git a/portmaster.service b/portmaster.service
new file mode 100644
index 000000000000..af25a314e725
--- /dev/null
+++ b/portmaster.service
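Review bot: In post_upgrade the migration guard `[ ! -d /opt/safing/portmaster/config.json ]` tests for a directory, so it stays true when a config file already exists and the following `mv` then replaces the current config.json; `[ ! -e /opt/safing/portmaster/config.json ]` matches what the log message describes. In post_install, `skip_downloads` and `download_agent` are not assigned anywhere in this file, so unless the environment provides them the skip branch never runs and `--update-agent ""` is passed, while the update step runs as root with both output streams discarded. The modules that step fetches are not covered by the PKGBUILD's `sha256sums`, so their integrity presumably rests on portmaster-start's own verification; a comment above the call saying so would help anyone auditing the package. The `"$1" = "upgrade"` and `"$1" = "purge"` tests never match under pacman, which passes package versions to these functions, and post_upgrade defines installSystemdSupport without calling it.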
@@ -0,0 +1,44 @@
+[Unit]
+Description=Portmaster by Safing
+Documentation=https://safing.io
+Documentation=https://docs.safing.io
+Before=nss-lookup.target network.target shutdown.target
+After=systemd-networkd.service
+Conflicts=shutdown.target
+Conflicts=firewalld.service
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PIDFile=/opt/safing/portmaster/core-lock.pid
+Environment=LOGLEVEL=info
+Environment=PORTMASTER_ARGS=
+EnvironmentFile=-/etc/default/portmaster
+ProtectSystem=true
+#ReadWritePaths=/var/lib/portmaster
+#ReadWritePaths=/run/xtables.lock
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+# In future version portmaster will require access to user home
+# directories to verify application permissions.
+ProtectHome=read-only
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+# SystemCallArchitectures=native
+# SystemCallFilter=@system-service @module
+# SystemCallErrorNumber=EPERM
+ExecStart=/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster core -- $PORTMASTER_ARGS
+ExecStopPost=-/opt/safing/portmaster/portmaster-start recover-iptables
+
+[Install]
+WantedBy=multi-user.target
diff --git a/portmaster_logo.png b/portmaster_logo.png
Binary files differ
new file mode 100644
index 000000000000..357066732a52
--- /dev/null
+++ b/portmaster_logo.png
diff --git a/portmaster_notifier.desktop b/portmaster_notifier.desktop
new file mode 100644
index 000000000000..e34a1c4a7b72
--- /dev/null
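Review bot: The capability lists keep `cap_sys_module`, `cap_sys_ptrace` and `cap_dac_override`, which together allow loading kernel modules, inspecting other processes and bypassing file permission checks, so the sandboxing directives above them constrain little if the core process is compromised. No `User=` is set, so the unit runs as root and `CapabilityBoundingSet=` is the effective limit; a comment above it stating why each of these three capabilities is required would let a reviewer judge whether any can be dropped. `SystemCallArchitectures=native` is commented out together with the filter lines, and since the package is x86_64 only it can likely be enabled on its own, independent of `SystemCallFilter=`. `ExecStopPost=` calls portmaster-start without the `--data /opt/safing/portmaster` argument that `ExecStart=` passes, which is worth confirming as intended.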
+++ b/portmaster_notifier.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Portmaster Notifier
+GenericName=Application Firewall Notifier
+Exec=/opt/safing/portmaster/portmaster-start notifier --data=/opt/safing/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
+NoDisplay=true
|