opensnitch{,-ui,ebpf}: is very broken

[LordGrimmauld]

Currently, opensnitch is very broken in various ways.
Fixing it is non-trivial, and needs a bit more tracking than just a PR. And, ideally, documentation about what is broken and the fixes in progress.

Broken:

• opensnitch-ebpf kernel module is missing passthru tests
• opensnitch-ebpf kernel module maintainers are not the same as for opensnitch
• opensnitch nixos module has inconsistent maintainer list
• opensnitch nixos VM test does not check the backend actually being used is the same as defined in config, meaning even when proc fallback takes effect the test passes
• opensnitch nixos VM test does not check for successful ebpf module loading
• opensnitch nixos VM test does not check for presence of audit rules
• opensnitch-ui does not correctly display information on 4 digit version string: opensnitch: 4 digit version breaks opensnitch-ui connection #418773
• opensnitchd systemd service is missing audit package in its $PATH when monitoring method is audit
• audit monitoring method relies on audisp-af_unix plugin in auditd
  • auditd does not support plugins on nixos yet
  • making auditd support plugins either needs a patch (ideally upstream) to allow symlinks for the plugin config file: https://github.com/linux-audit/audit-userspace/blob/3ab32ecd9924ed0cd4f41a05ff91594b30fe0a25/audisp/audispd.c#L121-L122

There might be more problems, these are the problems i have identified so far.

cc @onny

[LordGrimmauld]

I have some WIP work on master...LordGrimmauld:nixpkgs:opensnitch-testing, with questionable stability and ongoing testing

[chopper2000uk]

Hey @LordGrimmauld, not sure if you want to consider this request during your review: #418776
You weren't notified as you aren't on the maintainers list for the nixos module.

[LordGrimmauld]

Fair enough, that is indeed cleanup and can happen at the same time. But it is not directly broken right now, so i didn't list it.

[LordGrimmauld]

Update: I managed to make auditd plugins work (somewhat - i cheated a little). Now the next step is to apply those changes to the opensnitch test, and make audit backend work properly. Once that is done, i'll clean up my work and PR to audit.

[LordGrimmauld]

Update wrt opensnitch: It now picks up audit backend, but unexpectedly lets even blocked traffic pass. Likely connected to the errors it logs:

vm-test-run-opensnitch> client_blocked_audit # [  188.611871] opensnitchd[620]: [2025-06-24 15:51:50]  ERR  Error adding audit rule, err32=exit status 255, err=exit status 255
vm-test-run-opensnitch> client_blocked_audit # [  188.685907] audisp-af_unix[594]: Client connected
vm-test-run-opensnitch> client_blocked_audit # [  188.703640] opensnitchd[620]: [2025-06-24 15:51:51]  INF  Process monitor method audit
vm-test-run-opensnitch> client_blocked_audit # [  188.715022] opensnitchd[620]: [2025-06-24 15:51:51]  ERR  Reconf() -> Init() error: &{2 <nil>}
vm-test-run-opensnitch> client_blocked_audit # [  188.734011] opensnitchd[620]: [2025-06-24 15:51:51]  ERR  [client] error loading config file: reloading configuration: %!s(<nil>)

Not sure what the 255 exit code actually means, and i didn't look into the other two at all. Maybe permission issues?

[LordGrimmauld]

Huh, was something else. Adding capabilities made the test pass, though those errors are still present. And it is still using Process monitor method audit. But, with this now succeeding, i can move on to cleanup and upstreaming!

[LordGrimmauld]

PR to audit, prerequisite to get the audisp-af_unix plugin working: linux-audit/audit-userspace#467

[LordGrimmauld]

First step within nixpkgs to cleaning up audit: #420001
audit really should be built with libcap_ng compiled in (it currently is not). But, for me to feel confident, i first wanted to clean up libcap_ng.