diff --git a/linux/Makefile b/linux/Makefile index 4434cb2..86f3e6b 100644 --- a/linux/Makefile +++ b/linux/Makefile @@ -9,7 +9,7 @@ all: deb rpm nfpm.yaml: portmaster-start sed -e "s/^version:.*$$/version: v$(shell ./portmaster-start version --short)-$(shell cat ./pkgrev)/g" ./nfpm.yaml.template > ./nfpm.yaml -build: icons nfpm.yaml gen-scripts gen-pkgbuild +build: icons nfpm.yaml gen-scripts icons: for res in 16 32 48 96 128 ; do \ @@ -51,9 +51,5 @@ gen-scripts: gomplate -f "templates/$${file}" > "./scripts/$${file}" ; \ done; -gen-pkgbuild: nfpm.yaml - gomplate -d "nfpm=./nfpm.yaml" -f templates/arch.install > arch.install - gomplate -d "nfpm=./nfpm.yaml" -f templates/PKGBUILD > PKGBUILD - lint: shellcheck ./scripts/* ./arch.install \ No newline at end of file diff --git a/linux/PKGBUILD b/linux/PKGBUILD deleted file mode 100644 index 4fcc5a6..0000000 --- a/linux/PKGBUILD +++ /dev/null 
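Review bot: The `lint` recipe kept as context at the end of the second linux/Makefile hunk still passes `./arch.install` to shellcheck, but this commit deletes linux/arch.install and removes the `gen-pkgbuild` target that generated it. `make lint` will most likely fail on the missing file. Either point it at the new location, `shellcheck ./scripts/* ./arch/arch.install`, or drop the second argument.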
@@ -1,55 +0,0 @@ -# Maintainer: Safing ICS Technologies -# -# Application Firewall: Block Mass Surveillance - Love Freedom -# The Portmaster enables you to protect your data on your device. You -# are back in charge of your outgoing connections: you choose what data -# you share and what data stays private. Read more on docs.safing.io. -# -pkgname=portmaster-bin -pkgver=0.7.0 -pkgrel=2 -pkgdesc='Application Firewall: Block Mass Surveillance - Love Freedom' -arch=('x86_64') -url='https://safing.io/portmaster' -license=('AGPL3') -depends=('libnetfilter_queue') -makedepends=('imagemagick') # for convert -optdepends=('libappindicator-gtk3: for systray indicator') -options=('!strip') -provides=('portmaster') -conflicts=('portmaster') -install=arch.install -source=("portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v${pkgver//./-}" - 'portmaster.desktop' - 'portmaster_notifier.desktop' - 'portmaster_logo.png' - "portmaster.service") -noextract=('portmaster-start') -sha256sums=('6ade636aaf2b608f251972fd98b25a8020b301023a6377e5275de5195a132e7f' - '7b0c03e4552dd86caeff2d628b13346cfe70a646af11abac6555e348e46c28da' - '490b586f185218fdd947e8f12aa2dc412d78d89c8ce9b8ef5a75cb2e5ffb94ae' - 'ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957' - 'bc26dd37e6953af018ad3676ee77570070e075f2b9f5df6fa59d65651a481468') - -prepare() { - for res in 16 32 48 96 128 ; do - local iconpath="${srcdir}/icons/${res}x${res}/" - mkdir -p "${iconpath}" ; - convert ./portmaster_logo.png -resize "${res}x${res}" "${iconpath}/portmaster.png" ; - done -} - -package() { - install -Dm 0755 "${srcdir}/portmaster-start" "${pkgdir}/opt/safing/portmaster/portmaster-start" - install -Dm 0644 "${srcdir}/portmaster.desktop" "${pkgdir}/opt/safing/portmaster/portmaster.desktop" - install -Dm 0644 "${srcdir}/portmaster_notifier.desktop" "${pkgdir}/opt/safing/portmaster/portmaster_notifier.desktop" - install -dm 0755 "${pkgdir}/etc/xdg/autostart" - ln -s 
"/opt/safing/portmaster/portmaster_notifier.desktop" "${pkgdir}/etc/xdg/autostart/portmaster_notifier.desktop" - install -Dm 0644 "${srcdir}/portmaster.service" "${pkgdir}/opt/safing/portmaster/portmaster.service" - install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/pixmaps/portmaster.png" - install -Dm 0644 "${srcdir}/icons/16x16/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/16x16/apps/portmaster.png" - install -Dm 0644 "${srcdir}/icons/32x32/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/32x32/apps/portmaster.png" - install -Dm 0644 "${srcdir}/icons/48x48/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/48x48/apps/portmaster.png" - install -Dm 0644 "${srcdir}/icons/96x96/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/96x96/apps/portmaster.png" - install -Dm 0644 "${srcdir}/icons/128x128/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/128x128/apps/portmaster.png" -} diff --git a/linux/arch.install b/linux/arch.install deleted file mode 100644 index d5e759d..0000000 --- a/linux/arch.install +++ /dev/null 
@@ -1,166 +0,0 @@ -post_install() { - log() { - echo "$@" - } - # - # Prepares systemd support by creating a symlink for the .service file - # and enabling/disabling certain features of our .service unit based on - # the available systemd version. - # - installSystemdSupport() { - local changed="False" - if command -V systemctl >/dev/null 2>&1; then - local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')" - # not all distros have migrated /lib to /usr/lib yet but all that - # have provide a symlink from /lib -> /usr/lib so we just prefix with - # /lib here. - ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||: - - # rhel/centos8 does not yet have ProtectKernelLogs available - if [ "${systemd_version}" -lt 244 ]; then - sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||: - changed="True" - fi - - if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then - systemctl daemon-reload ||: - fi - - log "Configuring portmaster.service to launch at boot" - systemctl enable portmaster.service ||: - fi - } - # - # install .desktop files, either using desktop-file-install when available - # or by just copying the files into /usr/share/applications. 
- # - if command -V desktop-file-install >/dev/null 2>&1; then - desktop-file-install /opt/safing/portmaster/portmaster.desktop ||: - desktop-file-install /opt/safing/portmaster/portmaster_notifier.desktop ||: - elif [ -d /usr/share/applications ]; then - cp /opt/safing/portmaster/portmaster.desktop /usr/share/applications 2>/dev/null ||: - cp /opt/safing/portmaster/portmaster_notifier.desktop /usr/share/applications 2>/dev/null ||: - fi - - installSystemdSupport - - # - # Fix selinux permissions for portmaster-start - # - if command -V getenforce >/dev/null 2>&1; then - chcon -t bin_t /opt/safing/portmaster/portmaster-start - fi - - # - # Prepare the installation directory tree - # - /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster clean-structure - - # - # Finally, trigger downloading modules. As this requires internet access - # it is more likely to fail and is thus the last thing we do. - # - if [ "${skip_downloads}" = "True" ]; then - log "Downloading of Portmaster modules skipped!" - log "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n" - return - fi - log "Downloading portmaster modules. This may take a while ..." - /opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update --update-agent "${download_agent}" 2>/dev/null >/dev/null || ( - log "Failed to download modules" - log "Please run '/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster update' manually.\n" - ) -} - -post_upgrade() { - log() { - echo "$@" - } - # - # Prepares systemd support by creating a symlink for the .service file - # and enabling/disabling certain features of our .service unit based on - # the available systemd version. 
- # - installSystemdSupport() { - local changed="False" - if command -V systemctl >/dev/null 2>&1; then - local systemd_version="$(systemctl --version | head -1 | sed -n 's/systemd \([0-9]*\).*/\1/p')" - # not all distros have migrated /lib to /usr/lib yet but all that - # have provide a symlink from /lib -> /usr/lib so we just prefix with - # /lib here. - ln -s /opt/safing/portmaster/portmaster.service /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||: - - # rhel/centos8 does not yet have ProtectKernelLogs available - if [ "${systemd_version}" -lt 244 ]; then - sed -i "s/^ProtectKernelLogs/#ProtectKernelLogs/g" /opt/safing/portmaster/portmaster.service ||: - changed="True" - fi - - if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then - systemctl daemon-reload ||: - fi - - log "Configuring portmaster.service to launch at boot" - systemctl enable portmaster.service ||: - fi - } - # - # As of 0.4.0 portmaster-control has been renamed to portmaster-start - # and is not placed in /usr/bin anymore. Unfortunately, the postrm script - # of the old installer does not get rid of portmaster-control so we should - # take care during an upgrade. - # - rm /usr/bin/portmaster-control 2>/dev/null >&2 ||: - - # - # If there's already a /var/lib/portmaster installation we're going to move - # configs and databases and remove the complete directory - # The preinstall.sh already checked that /var/lib/portmaster/updates MUST NOT - # exist so we should be safe to touch the databases here. - # - if [ -d /var/lib/portmaster ]; then - if [ ! -d /opt/safing/portmaster/config.json ]; then - log "Migrating from previous installation at /var/lib/portmaster to /opt/safing/portmaster ..." 
- mv /var/lib/portmaster/databases /opt/safing/portmaster/databases ||: - mv /var/lib/portmaster/config.json /opt/safing/portmaster/config.json ||: - fi - log "Removing previous installation directory at /var/lib/portmaster" - rm -r /var/lib/portmaster 2>/dev/null >&2 ||: - fi - -} - -pre_remove() { - log() { - echo "$@" - } - # stop the portmaster service and disable it if it's enabled. - if command -V systemctl >/dev/null 2>&1; then - if (systemctl -q is-active portmaster.service); then - log "Stopping portmaster.service" - systemctl stop portmaster.service ||: - fi - if (systemctl -q is-enabled portmaster.service); then - log "Disabling portmaster.service to launch at boot" - systemctl disable portmaster.service ||: - fi - fi -} - -post_remove() { - log() { - echo "$@" - } - rm -rf /opt/safing/portmaster/updates ||: - - # file is marked as a ghost on RPM system so it might have - # been automatically deleted by the package manager. - rm /lib/systemd/system/portmaster.service 2>/dev/null >&2 ||: - rm /usr/share/applications/portmaster.desktop 2>/dev/null >&2 ||: - rm /usr/share/applications/portmaster_notifier.desktop 2>/dev/null >&2 ||: - - if [ "$1" = "purge" ]; then - rm -rf /opt/safing/portmaster ||: - fi - -} diff --git a/linux/arch/PKGBUILD b/linux/arch/PKGBUILD new file mode 100644 index 0000000..44035f0 --- /dev/null +++ b/linux/arch/PKGBUILD 
@@ -0,0 +1,89 @@
+# Maintainer: Safing ICS Technologies
+# Contributor: James Callahan
+#
+# Application Firewall: Block Mass Surveillance - Love Freedom
+# The Portmaster enables you to protect your data on your device. You
+# are back in charge of your outgoing connections: you choose what data
+# you share and what data stays private. Read more on docs.safing.io.
+#
+pkgname=portmaster
+pkgver=0.8.5
+pkgrel=1
+pkgdesc='Application Firewall: Block Mass Surveillance - Love Freedom'
+arch=('x86_64')
+url='https://safing.io/portmaster'
+license=('AGPL3')
+depends=('libnetfilter_queue')
+makedepends=('imagemagick') # for convert
+optdepends=('libappindicator-gtk3: for systray indicator')
+options=('!lto')
+install=arch.install
+source=("https://github.com/safing/portmaster/archive/refs/tags/v${pkgver}.tar.gz"
+ 'portmaster.desktop'
+ 'portmaster_notifier.desktop'
+ 'portmaster_logo.png'
+ "portmaster.service")
+noextract=('portmaster-start')
+sha256sums=('3a504033aacd63f65fda1a15d1b2d354f7083b1025b991c228e66d31089ce7c1'
+ 'a226e5b69e1086affb1aa205d54d7853eb3dbfd4336dc0f494873746f11ae5f0'
+ 'fcd9adf46b3f258456b414e7013ead77290d2a49b82bc5ff25ef1fd1cf40286a'
+ 'ecb02625952594af86d3b53762363c1e227c2b9604fc9c9423682fc87a92a957'
+ '8b9c98ce48a899ab1709359f11700095eb2a8d38513733329cd78644cf22a12b')
+
+prepare() {
+ cd "portmaster-$pkgver"
+
+ go mod download
+}
+
+build() {
+ for res in 16 32 48 96 128 ; do
+ local iconpath="icons/${res}x${res}/"
+ mkdir -p "${iconpath}"
+ convert ./portmaster_logo.png -resize "${res}x${res}" "${iconpath}/portmaster.png"
+ done
+
+ cd "portmaster-$pkgver"
+
+ export CGO_CPPFLAGS="${CPPFLAGS}"
+ export CGO_CFLAGS="${CFLAGS}"
+ export CGO_CXXFLAGS="${CXXFLAGS}"
+ export CGO_LDFLAGS="${LDFLAGS}"
+ export GOPROXY=off
+ go build -o portmaster-start \
+ -trimpath \
+ -buildmode=pie \
+ -mod=readonly \
+ -modcacherw \
+ -ldflags "-X github.com/safing/portbase/info.commit= \
+ -X github.com/safing/portbase/info.buildOptions= \
+ -X github.com/safing/portbase/info.buildUser= \
+ -X github.com/safing/portbase/info.buildHost= \
+ -X github.com/safing/portbase/info.buildDate=$(date -u +'%Y-%m-%dT%H:%M:%SZ' --date=@${SOURCE_DATE_EPOCH}) \
+ -X github.com/safing/portbase/info.buildSource=https://github.com/safing/portmaster \
+ -linkmode=external \
+ -extldflags \"${LDFLAGS}\"" \
+ ./cmds/portmaster-start
+ # https://github.com/safing/portmaster/issues/630
+ #./portmaster-start completion bash > portmaster-start.bash
+ #./portmaster-start completion fish > portmaster-start.fish
+ #./portmaster-start completion zsh > portmaster-start.zsh
+}
+
+package() {
+ install -Dm644 "portmaster.desktop" "${pkgdir}/usr/share/applications/portmaster.desktop"
+ install -Dm644 "portmaster_notifier.desktop" "${pkgdir}/usr/share/applications/portmaster_notifier.desktop"
+ install -Dm644 "portmaster.service" "${pkgdir}/usr/lib/systemd/system/portmaster.service"
+ install -Dm644 "icons/32x32/portmaster.png" "${pkgdir}/usr/share/pixmaps/portmaster.png"
+ install -Dm644 "icons/16x16/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/16x16/apps/portmaster.png"
+ install -Dm644 "icons/32x32/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/32x32/apps/portmaster.png"
+ install -Dm644 "icons/48x48/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/48x48/apps/portmaster.png"
+ install -Dm644 "icons/96x96/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/96x96/apps/portmaster.png"
+ install -Dm644 "icons/128x128/portmaster.png" "${pkgdir}/usr/share/icons/hicolor/128x128/apps/portmaster.png"
+ cd "portmaster-$pkgver"
+ install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+ install -Dm755 portmaster-start "${pkgdir}/usr/bin/portmaster-start"
+ #install -Dm644 portmaster-start.bash "$pkgdir/usr/share/bash-completion/completions/portmaster-start"
+ #install -Dm644 portmaster-start.fish "$pkgdir/usr/share/fish/vendor_completions.d/portmaster-start.fish"
+ #install -Dm644 portmaster-start.zsh "$pkgdir/usr/share/zsh/site-functions/_portmaster-start"
+}
diff --git a/linux/arch/arch.install b/linux/arch/arch.install
new file mode 100644
index 0000000..401531c
--- /dev/null
+++ b/linux/arch/arch.install
@@ -0,0 +1,6 @@
+post_install() {
+ #
+ # Prepare the installation directory tree
+ #
+ portmaster-start --data /var/lib/portmaster clean-structure
+}
diff --git a/linux/arch/portmaster.desktop b/linux/arch/portmaster.desktop
new file mode 100644
index 0000000..79b425b
--- /dev/null
+++ b/linux/arch/portmaster.desktop
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Portmaster
+GenericName=Application Firewall
+Exec=/usr/bin/portmaster-start app --data=/var/lib/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
diff --git a/linux/arch/portmaster.service b/linux/arch/portmaster.service
new file mode 100644
index 0000000..04e0e77
--- /dev/null
+++ b/linux/arch/portmaster.service
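Review bot: In linux/arch/PKGBUILD, `noextract=('portmaster-start')` is carried over from the binary package and no longer names any entry in `source=()`, so it should be dropped. The tarball entry also keeps the forge's generic file name; `"${pkgname}-${pkgver}.tar.gz::https://github.com/safing/portmaster/archive/refs/tags/v${pkgver}.tar.gz"` avoids collisions in a shared download directory. A comment above `export GOPROXY=off` such as `# modules are fetched in prepare(); build() must not touch the network` would record why the proxy is disabled.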
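Review bot: `post_install()` in linux/arch/arch.install resolves `portmaster-start` through PATH while the scriptlet runs as root, whereas the unit and desktop files added in this commit use the absolute path. `/usr/bin/portmaster-start --data /var/lib/portmaster clean-structure` would be consistent with them and independent of the caller's environment. There is also no `post_upgrade()`, so nothing visible here handles data left under /opt/safing/portmaster by the previous package; if that is intentional, a comment in the file saying so would help.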
@@ -0,0 +1,44 @@
+[Unit]
+Description=Portmaster by Safing
+Documentation=https://safing.io
+Documentation=https://docs.safing.io
+Before=nss-lookup.target network.target shutdown.target
+After=systemd-networkd.service
+Conflicts=shutdown.target
+Conflicts=firewalld.service
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PIDFile=/var/lib/portmaster/core-lock.pid
+Environment=LOGLEVEL=info
+Environment=PORTMASTER_ARGS=
+EnvironmentFile=-/etc/default/portmaster
+ProtectSystem=true
+#ReadWritePaths=/var/lib/portmaster
+#ReadWritePaths=/run/xtables.lock
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+# In future version portmaster will require access to user home
+# directories to verify application permissions.
+ProtectHome=read-only
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+# SystemCallArchitectures=native
+# SystemCallFilter=@system-service @module
+# SystemCallErrorNumber=EPERM
+ExecStart=/usr/bin/portmaster-start --data /var/lib/portmaster core -- $PORTMASTER_ARGS
+ExecStopPost=-/usr/bin/portmaster-start recover-iptables
+
+[Install]
+WantedBy=multi-user.target
diff --git a/linux/arch/portmaster_logo.png b/linux/arch/portmaster_logo.png
new file mode 100644
index 0000000..3570667
Binary files /dev/null and b/linux/arch/portmaster_logo.png differ
diff --git a/linux/arch/portmaster_notifier.desktop b/linux/arch/portmaster_notifier.desktop
new file mode 100644
index 0000000..3776474
--- /dev/null
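Review bot: In linux/arch/portmaster.service, `ProtectSystem=true` leaves /etc writable and both `ReadWritePaths=` lines are commented out, for a service whose capability sets keep `cap_dac_override`, `cap_sys_module` and `cap_sys_ptrace`. If the daemon only writes to the two paths already sketched, `ProtectSystem=strict` together with `ReadWritePaths=/var/lib/portmaster /run/xtables.lock` would narrow that; whether it writes elsewhere is not visible in this diff, so the change needs a test run. `PIDFile=` is combined with `Type=simple`, where systemd does not need it to find the main process, so it can probably go. The commented-out `SystemCall*` lines deserve a one-line comment saying why they are disabled.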
+++ b/linux/arch/portmaster_notifier.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Portmaster Notifier
+GenericName=Application Firewall Notifier
+Exec=/usr/bin/portmaster-start notifier --data=/var/lib/portmaster
+Icon=portmaster
+Terminal=false
+Type=Application
+Categories=System
+NoDisplay=true
diff --git a/linux/templates/PKGBUILD b/linux/templates/PKGBUILD
deleted file mode 100644
index 3ea6eb1..0000000
--- /dev/null
+++ /dev/null
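Review bot: `NoDisplay=true` hides linux/arch/portmaster_notifier.desktop from application menus, and `package()` in the new PKGBUILD installs it only to /usr/share/applications, without the /etc/xdg/autostart symlink that the deleted PKGBUILD created. As far as this diff shows, nothing starts the notifier automatically any more. If that is intended, say so in the commit description or in a PKGBUILD comment; otherwise add `install -Dm644 "portmaster_notifier.desktop" "${pkgdir}/etc/xdg/autostart/portmaster_notifier.desktop"` to `package()`.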
@@ -1,55 +0,0 @@ -{{/* Template file expects repo root as working directory */}} -{{- $nfpm := (datasource "nfpm") -}} -# Maintainer: {{ $nfpm.maintainer }} -# -{{ strings.Indent 1 "# " $nfpm.description -}} -# -pkgname=portmaster-bin -pkgver={{ index ($nfpm.version | strings.TrimPrefix "v" | strings.SplitN "-" 2) 0 }} -pkgrel={{ index ($nfpm.version | strings.SplitN "-" 2) 1 }} -pkgdesc='Application Firewall: Block Mass Surveillance - Love Freedom' -arch=('x86_64') -url='https://safing.io/portmaster' -license=('AGPL3') -depends=('libnetfilter_queue') -makedepends=('imagemagick') # for convert -optdepends=('libappindicator-gtk3: for systray indicator') -options=('!strip') -provides=('portmaster') -conflicts=('portmaster') -install=arch.install -source=("portmaster-start::https://updates.safing.io/linux_amd64/start/portmaster-start_v${pkgver//./-}" - 'portmaster.desktop' - 'portmaster_notifier.desktop' - 'portmaster_logo.png' - "portmaster.service") -noextract=('portmaster-start') -sha256sums=('{{ file.Read "portmaster-start" | crypto.SHA256 }}' - '{{ file.Read "portmaster.desktop" | crypto.SHA256 }}' - '{{ file.Read "portmaster_notifier.desktop" | crypto.SHA256 }}' - '{{ file.Read "portmaster_logo.png" | crypto.SHA256 }}' - '{{ file.Read "portmaster.service" | crypto.SHA256 }}') - -prepare() { - for res in 16 32 48 96 128 ; do - local iconpath="${srcdir}/icons/${res}x${res}/" - mkdir -p "${iconpath}" ; - convert ./portmaster_logo.png -resize "${res}x${res}" "${iconpath}/portmaster.png" ; - done -} - -package() { - {{- range $nfpm.contents }} - {{- if not (index . "type") }} - {{- $mode := 0644 }} - {{- with (index . "file_info") }} - {{- $mode = (or (index . "mode") 0644 ) }} - {{- else }} - {{- end }} - install -Dm {{ printf "%#o" $mode }} "${srcdir}/{{.src}}" "${pkgdir}{{.dst}}" - {{- else if eq (index . "type") "symlink" }} - install -dm 0755 "${pkgdir}{{ path.Dir .dst }}" - ln -s "{{.src}}" "${pkgdir}{{.dst}}" - {{- end }} - {{- end }} -} 
diff --git a/linux/templates/arch.install b/linux/templates/arch.install deleted file mode 100644 index 5e34bc6..0000000 --- a/linux/templates/arch.install +++ /dev/null @@ -1,28 +0,0 @@ -{{/* Template file expects repo root as working directory */}} -{{- define "log" -}} - log() { - echo "$@" - } -{{- end -}} - -post_install() { - {{ template "log" }} -{{ file.Read "templates/snippets/install-systemd-utils.sh" | strings.Indent 4 " " }} -{{ file.Read "templates/snippets/post-install.sh" | strings.Indent 4 " " }} -} - -post_upgrade() { - {{ template "log" }} -{{ file.Read "templates/snippets/install-systemd-utils.sh" | strings.Indent 4 " " }} -{{ file.Read "templates/snippets/post-upgrade.sh" | strings.Indent 4 " " }} -} - -pre_remove() { - {{ template "log" }} -{{ file.Read "templates/snippets/pre-remove.sh" | strings.Indent 4 " " }} -} - -post_remove() { - {{ template "log" }} -{{ file.Read "templates/snippets/post-remove.sh" | strings.Indent 4 " " }} -}