oz.spec (forked from subgraph/oz)
Summary: Sandbox system for workstation applications
Name: oz
Version: 1
Release: 21
Group: System Environment/Base
License: BSD-3-Clause
Url: https://github.com/subgraph/oz
Source0: %{name}-%{version}.tar.xz
Source1: oz-daemon.service
BuildArch: x86_64
Requires: xpra
Requires: bridge-utils
Requires: ebtables
Requires: libacl
Requires: iptables-services
Requires: cairo-gobject
Requires: dbus-python
Requires: gtkglext-devel
Requires: gtkglext-libs
Requires: pygtkglext-devel
# Tools the %post scriptlet calls must already be installed when it runs
Requires(post): iproute
Requires(post): iptables-services
Requires(post): ebtables
Requires(post): systemd
BuildRequires: cairo-gobject-devel
BuildRequires: gtk3-devel
BuildRequires: go
BuildRequires: libacl-devel
BuildRequires: git
%description
Oz is a sandboxing system targeting everyday workstation applications. It acts as a wrapper around application executables so that operation is completely transparent to the user. It achieves process containment through Linux namespaces, seccomp filters, capabilities, and X11 restriction using Xpra. It has built-in support, with automatic configuration, for bridge-mode networking, and also supports working within a contained network environment using the built-in connection-forwarding proxy.
%prep
%autosetup
%build
# Set up GOPATH and move the unpacked sources to their import path
mkdir -p %{_builddir}/gocode/src/github.com/subgraph/
mv oz %{_builddir}/gocode/src/github.com/subgraph/
export GOPATH=%{_builddir}/gocode
# Fetch and build godep (vendored dependencies are restored by it)
go get github.com/tools/godep
# Start the build
cd $GOPATH/src/github.com/subgraph/oz/
$GOPATH/bin/godep go install ./...
%install
export GOPATH=%{_builddir}/gocode
# Install the binaries
mkdir -p %{buildroot}%{_bindir}
cp $GOPATH/bin/oz* %{buildroot}%{_bindir}
# Install conf files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
mkdir -p %{buildroot}%{_sysconfdir}/network/if-up.d/
mkdir -p %{buildroot}%{_sysconfdir}/network/if-post-down.d/
mkdir -p %{buildroot}%{_sysconfdir}/NetworkManager/conf.d/
mkdir -p %{buildroot}%{_sysconfdir}/oz
mkdir -p %{buildroot}%{_sysconfdir}/rsyslog.d
mkdir -p %{buildroot}%{_sysconfdir}/sysctl.d
mkdir -p %{buildroot}%{_sysconfdir}/X11
mkdir -p %{buildroot}%{_sysconfdir}/xpra
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/logrotate.d/* %{buildroot}%{_sysconfdir}/logrotate.d/
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/network/if-up.d/* %{buildroot}%{_sysconfdir}/network/if-up.d/
chmod a+x %{buildroot}/etc/network/if-up.d/oz
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/NetworkManager/conf.d/oz.conf %{buildroot}%{_sysconfdir}/NetworkManager/conf.d/oz.conf
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/oz/* %{buildroot}%{_sysconfdir}/oz/
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/rsyslog.d/* %{buildroot}%{_sysconfdir}/rsyslog.d
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/sysctl.d/* %{buildroot}%{_sysconfdir}/sysctl.d
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/X11/* %{buildroot}%{_sysconfdir}/X11
cp $GOPATH/src/github.com/subgraph/oz/sources/etc/xpra/xpra.oz.conf %{buildroot}%{_sysconfdir}/xpra/xpra.oz.conf
# Install the service
mkdir -p %{buildroot}/lib/systemd/system
cp %{SOURCE1} %{buildroot}/lib/systemd/system/oz-daemon.service
# Make sym links
ln -s /etc/network/if-up.d/oz %{buildroot}/etc/network/if-post-down.d/oz
# Create Directories
mkdir -p %{buildroot}%{_prefix}/bin-oz
mkdir -p %{buildroot}/run/resolvconf
mkdir -p %{buildroot}%{_prefix}/lib/gvfs
%clean
%pre
%post
# Find the interface carrying the default route; this is the active uplink.
# `ip` from iproute is used because `route` (net-tools) is not a dependency of this package.
INTERFACE=$(ip -4 route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
if [ -n "$INTERFACE" ]; then
    # Enable IP masquerading on the uplink. %post also runs on upgrade, so check
    # for the rule first (-C) to avoid appending a duplicate every time.
    iptables -t nat -C POSTROUTING -o "$INTERFACE" -j MASQUERADE 2>/dev/null || \
        iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE
fi
# Default-deny bridged forwarding, then allow only traffic entering or leaving
# the oz-default bridge (the flush keeps this idempotent across upgrades)
ebtables -P FORWARD DROP
ebtables -F FORWARD
ebtables -A FORWARD -i oz-default -j ACCEPT
ebtables -A FORWARD -o oz-default -j ACCEPT
# Make the rules persistent
service iptables save
# Start the sandbox service
systemctl enable oz-daemon.service
systemctl start oz-daemon.service
%files
# Binaries
%{_bindir}/oz*
# Conf files (noreplace: keep local edits on upgrade, install new defaults as .rpmnew)
%config(noreplace) %{_sysconfdir}/logrotate.d/oz-daemon
%{_sysconfdir}/network/if-up.d/oz
%{_sysconfdir}/network/if-post-down.d/oz
%config(noreplace) %{_sysconfdir}/NetworkManager/conf.d/oz.conf
%config(noreplace) %{_sysconfdir}/oz/*
%config(noreplace) %{_sysconfdir}/rsyslog.d/oz-daemon.conf
%config(noreplace) %{_sysconfdir}/sysctl.d/11-grsec-oz.conf
%config(noreplace) %{_sysconfdir}/sysctl.d/15-oz-net.conf
%config(noreplace) %{_sysconfdir}/X11/Xwrapper.config.oz
%config(noreplace) %{_sysconfdir}/xpra/xpra.oz.conf
# Services
/lib/systemd/system/oz-daemon.service
# Necessary Directories
%dir %{_prefix}/bin-oz
%dir /run/resolvconf
%dir %{_prefix}/lib/gvfs
%changelog
* Tue Aug 22 2017 Matthew Ruffell <msr50@uclive.ac.nz>
- Merged in fw-daemon integration
* Sun Jan 29 2017 Matthew Ruffell <msr50@uclive.ac.nz>
- Adding directories to start oz without errors
* Sun Dec 4 2016 Matthew Ruffell <msr50@uclive.ac.nz>
- First packaging
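The %post scriptlet above derives the uplink interface from the default route, masquerades traffic leaving it, and default-denies the ebtables FORWARD chain except for the oz-default bridge. Because the scriptlet runs on every install and upgrade, a packager wants to confirm afterwards that the rule set is exactly what was intended and that nothing was appended twice. The following helpers are an added example, not part of oz.spec or the subgraph/oz project; each takes command output as an argument (from `ip -4 route show default`, `iptables-save -t nat`, and `ebtables -L FORWARD`) rather than running the tools itself, so it can be exercised offline on the constructed samples at the bottom. The function names and the samples are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from oz.spec or subgraph/oz): check the network state
# that the package's %post scriptlet configures, using captured command
# output so no root privileges or live firewall are needed.

# Interface carrying the default route, parsed from `ip -4 route show default`
# output. The "dev" keyword is located by name, not by column, which is safer
# than `route | grep -o '[^ ]*$'` because the field order varies.
default_iface() {
    printf '%s\n' "$1" | awk '
        /^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Prints 1 if an `iptables-save -t nat` dump ($2) already contains the
# MASQUERADE rule for interface $1, else 0. Checking this before `iptables -A`
# (or using `iptables -C`) keeps a %post scriptlet idempotent across upgrades.
has_masq_rule() {
    if printf '%s\n' "$2" | grep -qxF -- "-A POSTROUTING -o $1 -j MASQUERADE"; then
        echo 1
    else
        echo 0
    fi
}

# Counts how many times the MASQUERADE rule for $1 appears in the dump ($2);
# anything above 1 means a scriptlet appended it without checking first.
masq_rule_count() {
    printf '%s\n' "$2" | grep -cxF -- "-A POSTROUTING -o $1 -j MASQUERADE" || true
}

# Verifies an `ebtables -L FORWARD` listing: policy DROP and exactly the two
# oz-default ACCEPT rules that %post installs. Prints "ok" or a reason.
check_ebtables_forward() {
    policy=$(printf '%s\n' "$1" | sed -n 's/^Bridge chain: FORWARD, entries: [0-9]*, policy: //p')
    if [ "$policy" != "DROP" ]; then
        echo "policy is '$policy', expected DROP"
        return 0
    fi
    rules=$(printf '%s\n' "$1" | grep -c -- '^-[io] oz-default -j ACCEPT$' || true)
    if [ "$rules" -ne 2 ]; then
        echo "expected 2 oz-default rules, found $rules"
        return 0
    fi
    echo ok
}

# Constructed samples (not captured from a real host) in the formats the
# three tools print.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp metric 100'
SAMPLE_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_NAT_SAVE_DUP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_EBTABLES_OK='Bridge table: filter

Bridge chain: FORWARD, entries: 2, policy: DROP
-i oz-default -j ACCEPT
-o oz-default -j ACCEPT'
SAMPLE_EBTABLES_BAD='Bridge table: filter

Bridge chain: FORWARD, entries: 0, policy: ACCEPT'

# Stand-alone run over the samples.
demo() {
    iface=$(default_iface "$SAMPLE_ROUTE")
    echo "uplink: $iface"
    echo "masquerade present: $(has_masq_rule "$iface" "$SAMPLE_NAT_SAVE")"
    echo "masquerade count (dup sample): $(masq_rule_count "$iface" "$SAMPLE_NAT_SAVE_DUP")"
    echo "ebtables (ok sample): $(check_ebtables_forward "$SAMPLE_EBTABLES_OK")"
    echo "ebtables (bad sample): $(check_ebtables_forward "$SAMPLE_EBTABLES_BAD")"
}
demo
```

On a real host the same functions can be fed live output, for example `check_ebtables_forward "$(ebtables -L FORWARD)"`, after `rpm -U` of a new oz build to confirm the scriptlet left the bridge filtering in the intended default-deny state.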