app-admin/opensnitch: add 1.5.8 #1497

Merged
merged 3 commits into from
Mar 2, 2023
Conversation

kcning
Contributor

@kcning kcning commented Feb 15, 2023

This patch set fixes the build issue with go >= 1.19, and updates opensnitch to version 1.5.8.

A new package app-admin/opensnitch-ebpf-module is added, which builds ebpf module locally from source.

A new use flag 'bpf' is added, which pulls in app-admin/opensnitch-ebpf-module if enabled.

Kernel config options required for basic operation and for ebpf are separated and checked independently.

Closes issue: #1486.

Signed-off-by: Kai-Chun Ning [email protected]

@fraschm1998

Upstream added a tag for 1.5.8; I would also add dev-python/notify2[${PYTHON_USEDEP}] as a dependency for system notifications.

I also keep getting this error message when trying to use opensnitch, I have the daemon running but it doesn't seem to intercept any applications.

```
[2023-02-26 16:57:14]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:57:14]  ERR  Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 16:57:44]  IMP  firewall rules changed, reloading
[2023-02-26 16:57:44]  ERR  Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 16:57:44]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:57:44]  ERR  Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 16:57:44]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:57:44]  ERR  Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 16:58:14]  IMP  firewall rules changed, reloading
[2023-02-26 16:58:14]  ERR  Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 16:58:14]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:58:14]  ERR  Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 16:58:14]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:58:14]  ERR  Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 16:58:44]  IMP  firewall rules changed, reloading
[2023-02-26 16:58:44]  ERR  Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 16:58:44]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:58:44]  ERR  Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 16:58:44]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 16:58:44]  ERR  Error while running DNS firewall rule: exit status 1 exit status 1
```

Config:

```json
{
    "Server":
    {
        "Address":"unix:///tmp/osui.sock",
        "LogFile":"/var/log/opensnitchd.log"
    },
    "DefaultAction": "deny",
    "DefaultDuration": "once",
    "InterceptUnknown": true,
    "ProcMonitorMethod": "ebpf",
    "LogLevel": 2,
    "Firewall": "iptables",
    "Stats": {
        "MaxEvents": 150,
        "MaxStats": 25
    }
}
```

@fraschm1998

fraschm1998 commented Feb 26, 2023

Also I keep on getting this error while trying to use opensnitch using this ebuild:

eBPF Failed to load /etc/opensnitchd/opensnitch.o: error while loading "kprobe/tcp_v4_connect" (permission denied)

More info here: evilsocket/opensnitch#864

@fraschm1998

This will also require the updated ebpf module from here: https://github.com/evilsocket/opensnitch/suites/11211766286/artifacts/573542265 as mentioned in the thread in my previous comment

@fraschm1998

Also add NETFILTER_XT_TARGET_NFQUEUE for CONFIG_CHECK otherwise opensnitch doesn't work resulting in iptables error in logs.
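As an added example (not code from this PR, the Pentoo ebuild, or opensnitch), a POSIX shell check that mirrors the split the PR describes: the base options behind the iptables NFQUEUE rules are checked separately from the eBPF ones, run here over a constructed .config that reproduces the log above (eBPF options present, NFQUEUE target absent). Only NETFILTER_XT_TARGET_NFQUEUE is named in the thread; the other option names are my assumptions about what each path relies on.

```shell
#!/bin/sh
# Added example, not from the ebuild or opensnitch: check a kernel .config for the
# options opensnitch needs, keeping the base (iptables/NFQUEUE) list separate from
# the eBPF list, as the PR splits CONFIG_CHECK. Only NETFILTER_XT_TARGET_NFQUEUE
# is named in the thread; the remaining option names are assumptions.
BASE_OPTS="NETFILTER_NETLINK_QUEUE NETFILTER_XT_TARGET_NFQUEUE NF_CONNTRACK"
BPF_OPTS="BPF BPF_SYSCALL KPROBES BPF_EVENTS"

# missing_opts <.config> <opt>...: print each option that is neither =y nor =m.
missing_opts() {
    cfg="$1"; shift
    for opt in "$@"; do
        grep -Eq "^CONFIG_${opt}=(y|m)$" "$cfg" || printf '%s\n' "$opt"
    done
}

# check_config <.config> <0|1 for USE=bpf>: return 0 when every required group
# is satisfied, otherwise report each failing group with the symptom it produces.
check_config() {
    cfg="$1"; use_bpf="$2"; rc=0
    m=$(missing_opts "$cfg" $BASE_OPTS)
    if [ -n "$m" ]; then
        echo "base: missing $(echo $m); the NFQUEUE rules will fail with exit status 1"
        rc=1
    fi
    if [ "$use_bpf" = 1 ]; then
        m=$(missing_opts "$cfg" $BPF_OPTS)
        if [ -n "$m" ]; then
            echo "bpf: missing $(echo $m); opensnitch.o kprobes will not load"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample .config reproducing the thread's situation: eBPF options are
# present but the NFQUEUE target is not, so only the base group should fail.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_NETLINK_QUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
CONFIG_NF_CONNTRACK=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_KPROBES=y
CONFIG_BPF_EVENTS=y
EOF
check_config "$SAMPLE_CFG" 1 || true   # prints the base-group message only
```

Point it at /usr/src/linux/.config (or /proc/config.gz after `zcat`) to see which group a real kernel fails before starting the daemon.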

@kcning
Contributor Author

kcning commented Feb 27, 2023

Thank you for the suggestion, I have updated the PR accordingly. For the eBPF issue, I tried to build it manually with Linux 6.2 per instructions here: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

opensnitch/ebpf_prog/file.path seems outdated. bpf_map_def no longer exists in tools/lib/bpf/bpf_helpers.h. A quick grep shows it has probably been moved to tools/lib/bpf/libbpf.c.

But even after applying the patch to this file, both the master and 1.5.0 branches do not build with Linux 6.2. Error messages are:

```
make -C ../../ M=/tmp/linux-6.2/samples/bpf BPF_SAMPLES_PATH=/tmp/linux-6.2/samples/bpf
/tmp/linux-6.2/samples/bpf/Makefile:68: WARNING: Detected possible issues with include path.
/tmp/linux-6.2/samples/bpf/Makefile:69: WARNING: Please install kernel headers locally (make headers_install).
make -C /tmp/linux-6.2/samples/bpf/../../tools/lib/bpf/ RM='rm -rf' EXTRA_CFLAGS="-Wall -O2 -Wmissing-prototypes -Wstrict-prototypes -I./usr/include -I./tools/testing/selftests/bpf/ -I./tools/lib/ -I./tools/include -I./tools/perf -DHAVE_ATTR_TEST=0" \
	LDFLAGS= srctree=/tmp/linux-6.2/samples/bpf/../../ O=
make[3]: *** No targets specified and no makefile found.  Stop.
make[2]: *** [/tmp/linux-6.2/samples/bpf/Makefile:102: /tmp/linux-6.2/samples/bpf/../../tools/lib/bpf/libbpf.a] Error 2
make[1]: *** [Makefile:2021: /tmp/linux-6.2/samples/bpf] Error 2
make: *** [Makefile:94: all] Error 2
```

I think there might be other breaking changes that need to be addressed by the upstream. It'd be another story however if one can use opensnitch.o built with Linux 5.8 on kernel 6.2

@kcning kcning changed the title from "app-admin/opensnitch: add 1.5.7" to "app-admin/opensnitch: add 1.5.8" on Feb 27, 2023
@kcning kcning marked this pull request as draft February 27, 2023 14:04
@fraschm1998

I'm running kernel 6.2.0 and had no issues installing it with this ebuild: http://sprunge.us/NpUieD

If properly installed, make sure to remove opensnitch.o in /etc/opensnitchd/ and replace it with opensnitch.o from this zip file: https://github.com/evilsocket/opensnitch/suites/11211766286/artifacts/573542265

@fraschm1998

Do note, you need to have a lot more kernel modules as mentioned here: evilsocket/opensnitch#774

@fraschm1998

Updated the ebuild to have required kernel checks from the issue above: http://sprunge.us/qQxgWp

@kcning
Contributor Author

kcning commented Feb 27, 2023

Thank you for the input, and for confirming that the ebuild works. I'm not sure why, but the link to the zip file doesn't work unless the user is logged in:

```
$ wget https://github.com/evilsocket/opensnitch/suites/11211766286/artifacts/573542265
--2023-02-27 17:09:20--  https://github.com/evilsocket/opensnitch/suites/11211766286/artifacts/573542265
Resolving github.com... 140.82.121.3
Connecting to github.com|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-02-27 17:09:20 ERROR 404: Not Found.
```

Replacing the opensnitch.o currently hosted by Pentoo-overlay with this new one would be an option, but I think it might be better to add a new USE flag ebpf that pulls in a new package, which builds opensnitch.o locally and installs it into /etc/opensnitchd/opensnitch.o.

What do you think @ZeroChaos- @blshkv ?

@blshkv
Contributor

blshkv commented Feb 28, 2023

@kcning you can't build opensnitch.o locally because the proper "out-of-tree" way is not supported,
see evilsocket/opensnitch#712

However, upstream does publish the updated version sometimes, so you can pull it from GitHub if it is available.

@kcning kcning force-pushed the master branch 2 times, most recently from fcd922b to 8fbc32b on March 1, 2023 23:02
Signed-off-by: Kai-Chun Ning <[email protected]>
@kcning
Contributor Author

kcning commented Mar 1, 2023

Thank you for the quick reply. I agree that a proper "out-of-tree" kernel module would be better. It might take a while however before the upstream supports it. For now, I created a temporary package that builds opensnitch.o per upstream instructions.

I tested the patch set on amd64, but in theory it should also work on arm. Please let me know if anything should change. And if it's good, please merge the PR.

@kcning kcning marked this pull request as ready for review March 1, 2023 23:20
@blshkv blshkv merged commit 59a388c into pentoo:master Mar 2, 2023