author | Isaac Yu <isaacyu@protonmail.com> | 2024-01-22 09:42:06 +0700 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2024-01-22 09:53:04 +0700 |
commit | aa61f5509f00374c1dceadc96550ab5e5e330e08 (patch) | |
tree | 01cc9226912d957ac68c3553f2913518228ec4de /system/OpenSnitch | |
parent | 6e324b5378e8273570990b21450a09389afcdf43 (diff) |
system/OpenSnitch: Added (GNU/Linux interactive application firewall).
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'system/OpenSnitch')
-rw-r--r-- | system/OpenSnitch/OpenSnitch.SlackBuild | 224 | ||||
-rw-r--r-- | system/OpenSnitch/OpenSnitch.info | 46 | ||||
-rw-r--r-- | system/OpenSnitch/README | 13 | ||||
-rw-r--r-- | system/OpenSnitch/README.SLACKWARE | 58 | ||||
-rw-r--r-- | system/OpenSnitch/doinst.sh | 39 | ||||
-rw-r--r-- | system/OpenSnitch/modules.txt | 81 | ||||
-rw-r--r-- | system/OpenSnitch/patches/fix-setup.py.patch | 21 | ||||
-rw-r--r-- | system/OpenSnitch/patches/modify-go.mod-file.patch | 22 | ||||
-rw-r--r-- | system/OpenSnitch/patches/remove-debian-path.patch | 15 | ||||
-rw-r--r-- | system/OpenSnitch/patches/use-system-python-packages.patch | 22 | ||||
-rw-r--r-- | system/OpenSnitch/rc.opensnitchd | 49 | ||||
-rw-r--r-- | system/OpenSnitch/slack-desc | 19 |
12 files changed, 609 insertions, 0 deletions
diff --git a/system/OpenSnitch/OpenSnitch.SlackBuild b/system/OpenSnitch/OpenSnitch.SlackBuild
new file mode 100644
index 0000000000000..28a89d6bda029
--- /dev/null
+++ b/system/OpenSnitch/OpenSnitch.SlackBuild
@@ -0,0 +1,224 @@
+#!/bin/bash
+
+# Slackware build script for OpenSnitch
+
+# Copyright 2024 Isaac Yu <isaacyu@protonmail.com>
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PRGNAM=OpenSnitch
+VERSION=${VERSION:-1.6.4}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+PKGTYPE=${PKGTYPE:-tgz}
+
+SRCNAM=opensnitch
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i586 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
+ exit 0
+fi
+
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $SRCNAM-$VERSION
+tar xvf $CWD/$SRCNAM-$VERSION.tar.gz
+cd $SRCNAM-$VERSION
+chown -R root:root .
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+# Install eBPF modules if eBPF=yes is passed
+if [ ${eBPF:-no} = yes ]; then
+ cd ebpf_prog
+ KDIR="/usr/src/linux"
+
+ # set -fno-stack-protector to work around a clang regression
+ # this is fine - bpf programs do not use stack protectors
+ # Reference: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=opensnitch-ebpf-module
+ CLANG="clang -fno-stack-protector" ARCH="$ARCH" KERNEL_DIR="$KDIR" KERNEL_HEADERS="$KDIR" make
+
+ # Remove debug info
+ llvm-strip -g opensnitch*.o
+
+ # Finalize eBPF module installation
+ install -Dm644 opensnitch*.o -t $PKG/usr/lib/opensnitchd/ebpf
+
+ cd ../
+fi
+
+# site-packages directory
+SITE_PACKAGES=$(python3 -c "import site; print(site.getsitepackages()[0])")
+
+# Prevent creation of cache files in /root/.cache/go-build
+export GOCACHE="${GOCACHE:-"$TMP/$SRCNAM-$VERSION/go-cache"}"
+export GOMODCACHE="${GOMODCACHE:-"$TMP/$SRCNAM-$VERSION/go"}"
+
+# Generate protobuf files
+cd proto
+make
+cd ../
+
+# Fix version number
+sed -i "s/1.6.2/$VERSION/g" daemon/core/version.go
+
+# Workaround for namespace conflict
+# Taken from https://github.com/pentoo/pentoo-overlay/blob/master/app-admin/opensnitch/opensnitch-1.6.4.ebuild
+# For more details, refer to https://github.com/evilsocket/opensnitch/issues/496
+# and https://github.com/evilsocket/opensnitch/pull/442
+sed -i 's/^import ui_pb2/from . import ui_pb2/' ui/opensnitch/ui_pb2_grpc.py
+
+# Fix an issue with setup.py installing to python's site-packages instead of /usr
+# prefer scaled SVG instead of pixellated 48x48 PNG
+patch -p1 < $CWD/patches/fix-setup.py.patch
+
+# Modify the go.mod file for the offline build
+patch -p1 < $CWD/patches/modify-go.mod-file.patch
+
+# Remove debian patch
+patch -p1 < $CWD/patches/remove-debian-path.patch
+
+# Use system python packages
+patch -p1 < $CWD/patches/use-system-python-packages.patch
+
+# Generate resource files
+pyrcc5 -o ui/opensnitch/{resources_rc.py,/res/resources.qrc}
+
+# Set up vendored modules
+cd daemon
+mkdir -p vendor
+cat $CWD/modules.txt > vendor/modules.txt
+for DIR in $(grep -o "^# .* " vendor/modules.txt | cut -d' ' -f2)
+do
+ NAME=$(echo $DIR | sed 's/[./]v[0-9]\+$//' | xargs basename)
+ DIR=vendor/$DIR
+ echo $DIR
+ if [ $DIR = "vendor/github.com/golang/protobuf" ]; then
+ tar xvf $CWD/$NAME-[0-9]*.tar.gz
+ elif [ $DIR = "vendor/github.com/mdlayher/netlink" ]; then
+ tar xvf $CWD/$NAME-[0-9].[0-9].[0-9].tar.gz
+ elif [ $DIR = "vendor/github.com/varlink/go" ]; then
+ tar xvf $CWD/$NAME-[0-9].[0-9].[0-9].tar.gz
+ elif [ $DIR = "vendor/github.com/vishvananda/netlink" ]; then
+ tar xvf $CWD/$NAME-[a-z]*.tar.gz
+ elif [ $DIR = "vendor/google.golang.org/genproto" ]; then
+ tar xvf $CWD/go-$NAME-*.tar.gz
+ elif [ $DIR = "vendor/google.golang.org/protobuf" ]; then
+ tar xvf $CWD/$NAME-go-*.tar.gz
+ else
+ tar xvf $CWD/$NAME-*.tar.gz
+ fi
+ mkdir -p $(dirname $DIR)
+ [ $DIR != "vendor/google.golang.org/genproto" ] && mv $NAME-* $DIR || mv go-$NAME-* $DIR
+done
+
+# Build the opensnitch daemon
+CGO_CFLAGS="$SLKCFLAGS" \
+CGO_CXXFLAGS="$SLKCFLAGS" \
+go build -mod vendor -o opensnitchd
+
+# Install the opensnitch daemon
+install -Dm755 opensnitchd $PKG/usr/bin/opensnitchd
+
+# Now that the opensnitch daemon is installed, install the ui:
+cd ../ui
+python3 setup.py install --root=$PKG
+cd ../
+
+# configuration files
+mkdir -p $PKG/etc/opensnitchd
+cp daemon/default-config.json $PKG/etc/opensnitchd/default-config.json.new
+cp daemon/system-fw.json $PKG/etc/opensnitchd/system-fw.json.new
+
+# logrotate
+mkdir -p $PKG/etc/logrotate.d
+cp utils/packaging/daemon/deb/debian/opensnitch.logrotate $PKG/etc/logrotate.d/opensnitch.new
+
+# Create log files in such a way that they won't clobber existing ones
+# This was taken from ponce's clamav SlackBuild
+mkdir -p $PKG/var/log
+touch $PKG/var/log/opensnitchd.log.new
+chmod 0660 $PKG/var/log/opensnitchd.log.new
+
+# Generate translations
+LANGS=( de_DE es_ES eu_ES fi_FI fr_FR hu_HU ja_JP lt_LT nb_NO nl_NL pt_BR ro_RO ru_RU tr_TR zh_TW )
+cd ui/i18n/
+sh generate_i18n.sh
+for LANG in "${LANGS[@]}"
+do
+ install -Dm644 locales/$LANG/opensnitch-$LANG.ts $PKG/$SITE_PACKAGES/opensnitch/i18n/locales/$LANG
+done
+cd ../../
+
+# Install rc script
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.opensnitchd > $PKG/etc/rc.d/rc.opensnitchd.new
+chmod 0644 $PKG/etc/rc.d/rc.opensnitchd.new
+
+# Remove tests from the site-packages directory
+rm -rf "$PKG/$SITE_PACKAGES/tests"
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a LICENSE README.md $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
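Review bot: The vendoring loop in OpenSnitch.SlackBuild selects each Go dependency by shell glob (`tar xvf $CWD/$NAME-*.tar.gz` and the `[0-9]*` / `[a-z]*` variants) rather than by the file names pinned in OpenSnitch.info, so nothing in the script ties what is compiled into the daemon to the versions declared in modules.txt. As far as I know `go build -mod vendor` does not check the vendored trees against go.sum either, so integrity rests entirely on the MD5SUM check done by whatever tool downloaded the tarballs. If a second archive with the same prefix is left in `$CWD`, tar treats it as a member name and aborts with a misleading error; if only a different version is present, it is built without any warning. I would fail early unless exactly one archive matches, for example `set -- $CWD/$NAME-*.tar.gz; [ $# -eq 1 ] || { echo "expected one tarball for $NAME, found $#" >&2; exit 1; }` ahead of each extraction, and add a comment above the loop stating where the checksum verification happens.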
diff --git a/system/OpenSnitch/OpenSnitch.info b/system/OpenSnitch/OpenSnitch.info
new file mode 100644
index 0000000000000..465123f3b71fb
--- /dev/null
+++ b/system/OpenSnitch/OpenSnitch.info
@@ -0,0 +1,46 @@
+PRGNAM="OpenSnitch"
+VERSION="1.6.4"
+HOMEPAGE="https://github.com/evilsocket/opensnitch"
+DOWNLOAD="https://github.com/evilsocket/opensnitch/archive/v1.6.4/opensnitch-1.6.4.tar.gz \
+ https://github.com/fsnotify/fsnotify/archive/v1.4.7/fsnotify-1.4.7.tar.gz \
+ https://github.com/golang/protobuf/archive/v1.5.0/protobuf-1.5.0.tar.gz \
+ https://github.com/google/gopacket/archive/v1.1.14/gopacket-1.1.14.tar.gz \
+ https://github.com/google/nftables/archive/v0.1.0/nftables-0.1.0.tar.gz \
+ https://github.com/google/uuid/archive/v1.3.0/uuid-1.3.0.tar.gz \
+ https://github.com/iovisor/gobpf/archive/v0.2.0/gobpf-0.2.0.tar.gz \
+ https://github.com/josharian/native/archive/b6b71de/native-b6b71def0850a2fbd7e6875f8e28217a48c5bcb4.tar.gz \
+ https://github.com/mdlayher/netlink/archive/v1.4.2/netlink-1.4.2.tar.gz \
+ https://github.com/mdlayher/socket/archive/57e3fa5/socket-57e3fa563ecb8fbbbf28b56c674ce382ae48f7db.tar.gz \
+ https://github.com/varlink/go/archive/v0.4.0/go-0.4.0.tar.gz \
+ https://github.com/vishvananda/netlink/archive/e1a867c/netlink-e1a867c6b45251cacffe13a17ae65713a01f3127.tar.gz \
+ https://github.com/vishvananda/netns/archive/db3c7e5/netns-db3c7e526aae966c4ccfa6c8189b693d6ac5d202.tar.gz \
+ https://github.com/golang/net/archive/491a49a/net-491a49abca63de5e07ef554052d180a1b5fe2d70.tar.gz \
+ https://github.com/golang/sys/archive/97ca703/sys-97ca703d548df069cb02aacea9efc3093ffdc3c4.tar.gz \
+ https://github.com/golang/text/archive/v0.3.6/text-0.3.6.tar.gz \
+ https://github.com/googleapis/go-genproto/archive/24fa4b2/go-genproto-24fa4b261c55da65468f2abfdae2b024eef27dfb.tar.gz \
+ https://github.com/grpc/grpc-go/archive/v1.32.0/grpc-go-1.32.0.tar.gz \
+ https://github.com/protocolbuffers/protobuf-go/archive/v1.26.0/protobuf-go-1.26.0.tar.gz"
+MD5SUM="072ebb1632ada723623203a8248e1996 \
+ e23b3240fc9e807fcffb97d12a433138 \
+ 7bff4630d93dc4f9081b5dbc31067899 \
+ 5e4827e740a060b8f97116955718de19 \
+ 9efa300afa970d9d0d11361dd1fb6ce6 \
+ 8d968751528dd23af2f0d79ea9f94a79 \
+ bed8fdc4fc7f844edfd034a7bcc64536 \
+ 1967b9ffbde12b2a9ccbc761f22b513e \
+ 7e0d02b68cd4c0d9bae88d52ab96a6e9 \
+ 327e1dcae5c8b5f5e65efe796de3195b \
+ 3527e437021606aa13d0eb55f50edb75 \
+ f7e4e46966ff3771ee77264b9672dae9 \
+ fb384110572b31ee6e222cecbe610013 \
+ 880d2f4ea4c362492ed4403ebfb0b9b2 \
+ 8ed6c2ccd833013f26c102106405b444 \
+ f406aa34e4555c0bac8c2f00f2ab729b \
+ cbb310e9b9ede71e0ff38df5f5dc8268 \
+ 44d6398e2ee17187a8143446db595522 \
+ 2e97ffc1575be0c3c82702464a8d7e01"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES="protoc-gen-go-grpc python3-grpcio pyinotify python3-slugify"
+MAINTAINER="Isaac Yu"
+EMAIL="isaacyu@protonmail.com"
diff --git a/system/OpenSnitch/README b/system/OpenSnitch/README
new file mode 100644
index 0000000000000..0ca99fa63746a
--- /dev/null
+++ b/system/OpenSnitch/README
@@ -0,0 +1,13 @@
+OpenSnitch is a GNU/Linux interactive application firewall inspired by
+Little Snitch.
+
+Opensnitch requires the opensnitchd rc script to execute upon startup.
+That is, add the following line to /etc/rc.local:
+[ -x /etc/rc.d/rc.opensnitchd ] && /etc/rc.d/rc.opensnitchd start
+
+To install the eBPF process monitor module (requires kernel-source),
+pass in eBPF=yes to the SlackBuild.
+
+The eBFP module additionally requires kernel support for KProbes
+(kernel probes) and syscalls tracing. README.SLACKWARE contains
+instructions for compiling a kernel with these features.
diff --git a/system/OpenSnitch/README.SLACKWARE b/system/OpenSnitch/README.SLACKWARE
new file mode 100644
index 0000000000000..22f0638e8123d
--- /dev/null
+++ b/system/OpenSnitch/README.SLACKWARE
@@ -0,0 +1,58 @@
+The eBPF module requires the following kernel features:
+KProbes (CONFIG_KPROBES = y)
+syscalls tracing support (CONFIG_FTRACE_SYSCALLS = y)
+
+Instructions are taken from the following website:
+https://www.slackbook.org/html/system-configuration-kernel.html
+
+Run all of the following commands below as root.
+
+- Enter into the kernel source directory:
+cd /usr/src/linux
+
+- Back up the current .config file:
+cp .config .config_backup
+
+- Bring the kernel back to its base state:
+make mrproper
+
+- Restore the previous .config file:
+cp .config_backup .config
+
+- Configure the kernel (it will load up .config):
+make menuconfig
+
+- Enable KProbes support:
+General architecture-dependent-options --->
+ [*] KProbes
+
+- Enable syscalls tracing:
+Kernel Hacking --->
+ [*] Tracers --->
+ [*] Trace Syscalls
+
+- Save the changes before exiting.
+- After exiting, prepare the source tree for compiling:
+make dep
+make clean
+
+- Compile the kernel:
+make bzImage
+
+- Then compile kernel modules:
+make modules
+
+- Back up previous vmlinuz and System.map files
+- Then copy the new vmlinuz and System.map files to /boot
+- For example (change depending on ARCH, generic vs huge kernel, etc.):
+KERNEL_VER=$(uname -r)
+mv /boot/vmlinuz-generic-$KERNEL_VER /boot/vmlinuz-generic-$KERNEL_VER-old
+cp arch/x86_64/boot/bzImage /boot/vmlinuz-generic-$KERNEL_VER
+mv /boot/System.map-generic-$KERNEL_VER /boot/System.map-generic-$KERNEL_VER.old
+cp System.map /boot/System.map-generic-$KERNEL_VER
+
+- Finally, install the kernel:
+make modules_install
+
+- Please complete any extra necessary steps on your system
+(ex. recompile initrd, run /sbin/lilo, etc.)
diff --git a/system/OpenSnitch/doinst.sh b/system/OpenSnitch/doinst.sh
new file mode 100644
index 0000000000000..2dc4554f0e865
--- /dev/null
+++ b/system/OpenSnitch/doinst.sh
@@ -0,0 +1,39 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.opensnitchd.new
+config etc/logrotate.d/opensnitch.new
+config etc/opensnitchd/default-config.json.new
+config etc/opensnitchd/system-fw.json.new
+# Remove new log if one is already present
+config var/log/opensnitchd.log.new ; rm -f var/log/opensnitchd.log.new
+
+if [ -x /usr/bin/update-desktop-database ]; then
+ /usr/bin/update-desktop-database -q usr/share/applications >/dev/null 2>&1
+fi
+
+if [ -e usr/share/icons/hicolor/icon-theme.cache ]; then
+ if [ -x /usr/bin/gtk-update-icon-cache ]; then
+ /usr/bin/gtk-update-icon-cache -f usr/share/icons/hicolor >/dev/null 2>&1
+ fi
+fi
diff --git a/system/OpenSnitch/modules.txt b/system/OpenSnitch/modules.txt
new file mode 100644
index 0000000000000..df3c15795ff09
--- /dev/null
+++ b/system/OpenSnitch/modules.txt
@@ -0,0 +1,81 @@
+# github.com/fsnotify/fsnotify v1.4.7
+## explicit
+github.com/fsnotify/fsnotify
+# github.com/golang/protobuf v1.5.0
+## explicit
+github.com/golang/protobuf/jsonpb
+# github.com/google/gopacket v1.1.14
+## explicit
+github.com/google/gopacket
+github.com/google/gopacket/layers
+# github.com/google/nftables v0.1.0
+## explicit
+github.com/google/nftables
+github.com/google/nftables/binaryutil
+github.com/google/nftables/expr
+# github.com/google/uuid v1.3.0
+## explicit
+github.com/google/uuid
+# github.com/iovisor/gobpf v0.2.0
+## explicit
+github.com/iovisor/gobpf/elf
+# github.com/josharian/native v0.0.0-20200817173448-b6b71def0850
+## explicit
+github.com/josharian/native
+# github.com/mdlayher/netlink v1.4.2
+## explicit
+github.com/mdlayher/netlink/nltest
+# github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb
+## explicit
+github.com/mdlayher/socket
+# github.com/varlink/go v0.4.0
+## explicit
+github.com/varlink/go/varlink
+# github.com/vishvananda/netlink v0.0.0-20210811191823-e1a867c6b452
+## explicit
+github.com/vishnananda/netlink
+github.com/vishnananda/netlink/netnl
+# github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
+## explicit
+github.com/vishvananda/netns
+# golang.org/x/net v0.0.0-20211209124913-491a49abca63
+## explicit
+golang.org/x/net/context
+# golang.org/x/sys v0.0.0-20211205182925-97ca703d548d
+## explicit
+golang.org/x/sys/unix
+# golang.org/x/text v0.3.6
+## explicit
+golang.org/x/text/secure/bidirule
+# google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55
+## explicit
+google.golang.org/genproto/googleapis/rpc/status
+# google.golang.org/grpc v1.32.0
+## explicit
+google.golang.org/grpc
+google.golang.org/grpc/connectivity
+google.golang.org/grpc/credentials
+google.golang.org/grpc/encoding/gzip
+google.golang.org/grpc/keepalive
+# google.golang.org/protobuf v1.26.0
+## explicit
+google.golang.org/protobuf/cmd/protoc-gen-go/internal_gengo
+google.golang.org/protobuf/compiler/protogen
+google.golang.org/protobuf/encoding/protojson
+google.golang.org/protobuf/encoding/prototext
+google.golang.org/protobuf/encoding/protowire
+google.golang.org/protobuf/proto
+google.golang.org/protobuf/reflect/protodesc
+google.golang.org/protobuf/reflect/protoreflect
+google.golang.org/protobuf/reflect/protoregistry
+google.golang.org/protobuf/runtime/protoiface
+google.golang.org/protobuf/runtime/protoimpl
+google.golang.org/protobuf/testing/protopack
+google.golang.org/protobuf/types/descriptorpb
+google.golang.org/protobuf/types/known/anypb
+google.golang.org/protobuf/types/known/durationpb
+google.golang.org/protobuf/types/known/emptypb
+google.golang.org/protobuf/types/known/structpb
+google.golang.org/protobuf/types/known/timestamppb
+google.golang.org/protobuf/types/known/wrapperspb
+google.golang.org/protobuf/types/pluginpb
diff --git a/system/OpenSnitch/patches/fix-setup.py.patch b/system/OpenSnitch/patches/fix-setup.py.patch
new file mode 100644
index 0000000000000..c0ea3d94d5e6c
--- /dev/null
+++ b/system/OpenSnitch/patches/fix-setup.py.patch
@@ -0,0 +1,21 @@
+This patch was taken from Arch Linux repositories:
+https://gitlab.archlinux.org/archlinux/packaging/packages/opensnitch/-/blob/main/fix-setup.py.patch
+--- a/ui/setup.py
++++ b/ui/setup.py
+@@ -28,11 +28,9 @@ These rules can last forever, until the app restart or just one time.',
+ packages=find_packages(),
+ include_package_data = True,
+ package_data={'': ['*.*']},
+- data_files=[('/usr/share/applications', ['resources/opensnitch_ui.desktop']),
+- ('/usr/share/kservices5', ['resources/kcm_opensnitch.desktop']),
+- ('/usr/share/icons/hicolor/scalable/apps', ['resources/icons/opensnitch-ui.svg']),
+- ('/usr/share/icons/hicolor/48x48/apps', ['resources/icons/48x48/opensnitch-ui.png']),
+- ('/usr/share/icons/hicolor/64x64/apps', ['resources/icons/64x64/opensnitch-ui.png']),
+- ('/usr/share/metainfo', ['resources/io.github.evilsocket.opensnitch.appdata.xml'])],
++ data_files=[('share/applications', ['resources/opensnitch_ui.desktop']),
++ ('share/kservices5', ['resources/kcm_opensnitch.desktop']),
++ ('share/icons/hicolor/scalable/apps', ['resources/icons/opensnitch-ui.svg']),
++ ('share/metainfo', ['resources/io.github.evilsocket.opensnitch.appdata.xml'])],
+ scripts = [ 'bin/opensnitch-ui' ],
+ zip_safe=False)
+
diff --git a/system/OpenSnitch/patches/modify-go.mod-file.patch b/system/OpenSnitch/patches/modify-go.mod-file.patch
new file mode 100644
index 0000000000000..7b16668a1e283
--- /dev/null
+++ b/system/OpenSnitch/patches/modify-go.mod-file.patch
@@ -0,0 +1,22 @@
+# This patch was adapted from the one on Arch Linux:
+https://gitlab.archlinux.org/archlinux/packaging/packages/opensnitch/-/blob/main/add-go.sum-file.patch
+--- a/daemon/go.mod
++++ b/daemon/go.mod
+@@ -9,10 +9,16 @@ require (
+ github.com/google/nftables v0.1.0
+ github.com/google/uuid v1.3.0
+ github.com/iovisor/gobpf v0.2.0
++ github.com/josharian/native v0.0.0-20200817173448-b6b71def0850
++ github.com/mdlayher/netlink v1.4.2
++ github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb
+ github.com/varlink/go v0.4.0
+ github.com/vishvananda/netlink v0.0.0-20210811191823-e1a867c6b452
++ github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
+ golang.org/x/net v0.0.0-20211209124913-491a49abca63
+ golang.org/x/sys v0.0.0-20211205182925-97ca703d548d
++ golang.org/x/text v0.3.6
++ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55
+ google.golang.org/grpc v1.32.0
+- google.golang.org/protobuf v1.26.0 // indirect
++ google.golang.org/protobuf v1.26.0
+ )
diff --git a/system/OpenSnitch/patches/remove-debian-path.patch b/system/OpenSnitch/patches/remove-debian-path.patch
new file mode 100644
index 0000000000000..6cb62752cd7a5
--- /dev/null
+++ b/system/OpenSnitch/patches/remove-debian-path.patch
@@ -0,0 +1,15 @@
+This patch watch taken from Arch Linux repositories:
+https://gitlab.archlinux.org/archlinux/packaging/packages/opensnitch/-/blob/main/remove-debian-path.patch
+--- a/ui/bin/opensnitch-ui
++++ b/ui/bin/opensnitch-ui
+@@ -35,10 +35,6 @@ from concurrent import futures
+
+ import grpc
+
+-dist_path = '/usr/lib/python3/dist-packages/'
+-if dist_path not in sys.path:
+- sys.path.append(dist_path)
+-
+ from opensnitch.service import UIService
+ from opensnitch.config import Config
+ from opensnitch.utils import Themes, Utils, Versions, Message
diff --git a/system/OpenSnitch/patches/use-system-python-packages.patch b/system/OpenSnitch/patches/use-system-python-packages.patch
new file mode 100644
index 0000000000000..441e01c4802ed
--- /dev/null
+++ b/system/OpenSnitch/patches/use-system-python-packages.patch
@@ -0,0 +1,22 @@
+This patch was taken from Arch Linux repositories:
+https://gitlab.archlinux.org/archlinux/packaging/packages/opensnitch/-/blob/main/use-system-python-packages.patch
+--- a/ui/Makefile
++++ b/ui/Makefile
+@@ -3,16 +3,13 @@ all: opensnitch/resources_rc.py
+ install:
+ @pip3 install --upgrade .
+
+-opensnitch/resources_rc.py: translations deps
++opensnitch/resources_rc.py: translations
+ @pyrcc5 -o opensnitch/resources_rc.py opensnitch/res/resources.qrc
+ sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2*
+
+ translations:
+ @cd i18n ; make
+
+-deps:
+- @pip3 install -r requirements.txt
+-
+ clean:
+ @rm -rf *.pyc
+ @rm -rf opensnitch/resources_rc.py
diff --git a/system/OpenSnitch/rc.opensnitchd b/system/OpenSnitch/rc.opensnitchd
new file mode 100644
index 0000000000000..7e8c30fa1c241
--- /dev/null
+++ b/system/OpenSnitch/rc.opensnitchd
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Start opensnitchd:
+start_opensnitchd() {
+ echo "Start Opensnitch"
+
+ if [ -x /usr/bin/opensnitchd ]; then
+ [ ! -d /etc/opensnitchd/rules ] && mkdir -p /etc/opensnitchd/rules
+ chown -R root:root /etc/opensnitchd
+ chown root:root /var/log/opensnitchd.log
+ chmod -R 755 /etc/opensnitchd
+ chmod -R 644 /etc/opensnitchd/rules
+ chmod 600 /var/log/opensnitchd.log
+ fi
+
+ /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules -log-file /var/log/opensnitchd.log > /dev/null 2>&1 &
+}
+
+# Stop opensnitchd:
+stop_opensnitchd() {
+ if /usr/bin/pgrep -f /usr/bin/opensnitchd >/dev/null; then
+ echo "Stopping application firewall"
+ /usr/bin/pkill -SIGINT opensnitchd
+ else
+ echo "Opensnitch is not running"
+ exit 1
+ fi
+}
+
+# Restart opensnitchd:
+restart_opensnitchd() {
+ stop_opensnitchd
+ sleep 1
+ start_opensnitchd
+}
+
+case "$1" in
+'start')
+ start_opensnitchd
+ ;;
+'stop')
+ stop_opensnitchd
+ ;;
+'restart')
+ restart_opensnitchd
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
diff --git a/system/OpenSnitch/slack-desc b/system/OpenSnitch/slack-desc
new file mode 100644
index 0000000000000..e0387e931b1f7
--- /dev/null
+++ b/system/OpenSnitch/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+OpenSnitch: OpenSnitch (Inbound application firewall)
+OpenSnitch:
+OpenSnitch: OpenSnitch is a GNU/Linux interactive application firewall inspired by
+OpenSnitch: Little Snitch.
+OpenSnitch:
+OpenSnitch:
+OpenSnitch:
+OpenSnitch:
+OpenSnitch:
+OpenSnitch:
+OpenSnitch: |
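Review bot: In rc.opensnitchd, `stop_opensnitchd` calls `exit 1` when the daemon is not running, so `restart` ends there and never reaches `start_opensnitchd`; a firewall daemon that has died therefore stays down after a restart, and `return 1` in that branch would let the restart continue. In `start_opensnitchd`, `chmod -R 755 /etc/opensnitchd` followed by `chmod -R 644 /etc/opensnitchd/rules` marks the JSON config files executable and strips the search bit from the rules directory itself. I would set the two kinds separately with `find /etc/opensnitchd -type d -exec chmod 755 {} +` and `find /etc/opensnitchd -type f -exec chmod 644 {} +`, or 750/640 if local users should not be able to read the rule set. The daemon launch line also sits outside the `[ -x /usr/bin/opensnitchd ]` guard, so it runs even when that test fails; moving it inside the `if` keeps the guard meaningful.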