opensnitch: Add at v1.6.7

[uni-dos]

Summary

• adds the package.yml to include opensnitch.

Test Plan

• Once installed, open the gui and see outgoing traffic.
• There is a conflict with wireguard and opensnitch. Need ebf module.

Checklist

• Package was built and tested against unstable
• This change could gainfully be listed in the weekly sync notes once merged

Resolves #289

[uni-dos]

I did a quick ripgrep for /etc/opensnitchd and updated the locations. Hopefully that was all of them.

[EbonJaeger]

Almost there. Just changing the locations isn't enough; we want users to be able to copy the default configs to /etc, modify them, and have them be loaded. So, we need to check if a file exists in the /etc tree, and use that if there is, otherwise use the /usr/share/defaults/etc path. Does that make sense?

[uni-dos]

Ah got it. I am not familiar with go but Ill give it a shot

[uni-dos]

Not my best work but I think it's done. /etc/rules is created when running opensnitch since these are user preferences. Not sure if the directory will be created each time though.

[EbonJaeger]

Hm I should have clicked Comment instead of Request Changes. Oops.

[uni-dos]

About the /etc/rules. I did not make sense to me that the rules directory should be in /usr/ because these will be created by the user and not Solus itself.

[uni-dos]

An issue I just experienced is that the /etc/opensnitchd/rules is not being created

[EbonJaeger]

I think I might see why.

[silkeh]

Great work! I had a few (admittedly minor) comments on the systemd and Go patches.

[silkeh]

I think (haven't checked) this should use $XDG_RUNTIME_DIR instead of hardcoding the UID.

[silkeh]

It's not resolved correctly with the updated version (using os.environ.get would be required), but (after playing with the PR result) I think it shouldn't be user-bound at all as this socket is something that the daemon (running as root) and the user use to communicate.

Instead, I think this should be the following:

args.socket = "unix:///run/opensnitch/osui.sock"

However, there are some other components needed to make this work:

• A systemd sysusers.d definition to create an opensnitch group (if you don't want to use an existing group like adm).
• A systemd tmpfiles.d definition to create /run/opensnitch with mode 0775 and group opensnitch (or an existing group).

The libvirt package has both of these if you are looking for an example.

Lastly, users would need to add themselves to the group to use opensnitch (eg: sudo usermod -a -G opensnitch $USER).

[uni-dos]

Hm, opensnitch isn' giving me a pop up to allow ssh. Let me test a bit further.

[silkeh]

Hm, opensnitch isn' giving me a pop up to allow ssh. Let me test a bit further.

Yeah, I think my XDG_RUNTIME_DIR suggestion wasn't correct. See the other thread for a suggestion on how to improve this.

[uni-dos]

So I added the changes and now the socket is not being created. I also am getting a weird issue where the ui is parsing the config file incorrectly. It is interpreting the quotes from default-config.json

[uni-dos]

I also am getting a weird issue where the ui is parsing the config file incorrectly. It is interpreting the quotes from default-config.json

I see an extra quote but it is not creating the socket.

[uni-dos]

Maybe the issue is create_socket_dirs?

[uni-dos]

I was able to get opensnitch to connect to the /run/opensnitch socket but I was not able to get a prompt for eopkg and ssh. I was able to get these without changing the socket