diff --git a/rpm/phantun.spec b/rpm/phantun.spec
new file mode 100644
index 0000000..428de0a
--- /dev/null
+++ b/rpm/phantun.spec
@@ -0,0 +1,128 @@
+Name: phantun
+Version: 0.7.0
+Release: 2%{?dist}
+Summary: A lightweight and fast UDP to TCP obfuscator
+
+License: Apache-2.0
+URL: https://github.com/dndx/phantun/tree/main
+Source0: %{name}-%{version}.tar.gz
+
+BuildRequires: rust
+BuildRequires: cargo
+BuildRequires: selinux-policy-devel
+
+%description
+Your project with client and server components.
+
+%package client
+Summary: Client component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description client
+Phantun Client is like a machine with private IP address
+(192.168.200.2/fcc8::2) behind a router. In order for it to reach
+the Internet, you will need to SNAT the private IP address
+before it's traffic leaves the NIC.
+
+%package server
+Summary: Server component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description server
+Phantun Server is like a server with private IP address
+(192.168.201.2/fcc9::2) behind a router. In order to access it from
+the Internet, you need to DNAT it's listening port on the router
+and change the destination IP address to where the server
+is listening for incoming connections.
+
+%package selinux
+Summary: SELinux module for phantun
+%{?selinux_requires}
+%global modulename phantun
+%global selinuxtype targeted
+
+%description selinux
+This package provides the SELinux policy module to ensure phantun
+runs properly under an environment with SELinux enabled.
+
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+cargo build --release
+make -C selinux
+
+%install
+# Install binaries
+install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
+install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
+
+mkdir -p %{buildroot}/usr/bin
+# Create wrapper scripts
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
+
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
+
+# Make wrapper scripts executable
+chmod +x %{buildroot}/usr/bin/phantun-client
+chmod +x %{buildroot}/usr/bin/phantun-server
+
+# SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files client
+/usr/libexec/phantun/phantun-client
+/usr/bin/phantun-client
+
+%files server
+/usr/libexec/phantun/phantun-server
+/usr/bin/phantun-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%changelog
+* Wed Dec 11 2024 Randy Li - 0.7.0-2
+- chore(deps): update tokio-tun requirement from 0.9 to 0.11
+- chore(deps): update nix requirement from 0.27 to 0.28
+- chore(deps): bump softprops/action-gh-release from 1 to 2
+- chore(docs): update license year to 2024
+- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
+- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
+- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+- chore(deps): bump dependencies to latest
+- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+- chore(deps): bump docker/build-push-action from 5 to 6
+- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+- docs(readme): latest release is now `v0.7.0`
+
+* Sat Oct 14 2023 Randy Li - 0.6.1-1
+- Initial package
+
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 0000000..ec0933b
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+ @echo Compressing $^ -\> $@
+ bzip2 -9 $^
+
+%.pp: %.te
+ make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+ rm -f *~ *.tc *.pp *.pp.bz2
+ rm -rf tmp *.tar.gz
+
+man: install-policy
+ sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+ semodule -i ${TARGET}.pp.bz2
+
+install: man
+ install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+ install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/selinux/phantun.fc b/selinux/phantun.fc
new file mode 100644
index 0000000..3be4103
--- /dev/null
+++ b/selinux/phantun.fc
@@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)
\ No newline at end of file
diff --git a/selinux/phantun.te b/selinux/phantun.te
new file mode 100644
index 0000000..d889e8c
--- /dev/null
+++ b/selinux/phantun.te
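Review bot: `%{selinuxtype}` is referenced in the two `Requires:` lines of the client and server subpackages before `%global selinuxtype targeted` is defined under `%package selinux`; since rpmbuild expands macros as it parses the spec top to bottom, those dependencies would likely end up carrying the literal text `%{selinuxtype}` instead of `targeted`. Moving `%global modulename phantun` and `%global selinuxtype targeted` to the top of the spec next to `Name:` fixes that. The generated wrapper scripts also use the unvalidated first argument as a file name under `/var/run/phantun`, so a caller-supplied value containing `/` writes the PID outside that directory; a guard such as `case "$PID_FILE" in ""|*/*) echo "invalid pid file name" >&2; exit 1;; esac` before the `mkdir -p` keeps the write inside it. The `%description` text `Your project with client and server components.` reads as a template placeholder and should describe phantun.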
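Review bot: `install: man` chains through `man: install-policy`, whose recipe runs `semodule -i ${TARGET}.pp.bz2`, so a staged `make DESTDIR=... install` loads the module into the running host's policy (and needs root) before copying any files; the spec sidesteps this by invoking only the default target via `make -C selinux`, but any other packager calling `install` will not. Making the copy step independent, `install: all`, and leaving `man` and `install-policy` as explicit opt-in targets keeps `install` free of side effects on the build host. The install path `${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2` also differs from the `%{_datadir}/selinux/packages/%{selinuxtype}/` location the spec installs to, and `MODULES` is defined but never used.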
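Review bot: The two wrapper scripts under `/usr/bin` are labelled `wireguard_exec_t`, a type owned by another module, so they execute in `wireguard_t` and inherit every permission that domain already has; the module declares its own `phantun_client_exec_t`/`phantun_server_exec_t` types for the binaries, and a project-owned entrypoint type for the wrappers would keep phantun's privileges separable from WireGuard's in both policy and audit logs. The `/var/run/phantun(/.*)?` entry only takes effect when the path is relabelled (`restorecon`, or the relabel scriptlets in the spec), whereas the wrapper creates the directory at runtime with `mkdir -p`; without a file-transition rule in the `.te` the directory and PID files receive the parent's default type rather than `phantun_var_run_t`. The file is also missing a trailing newline.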
@@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+ type wireguard_t;
+ type wireguard_exec_t;
+ class capability net_admin;
+ class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+ class tcp_socket { name_bind listen accept connect };
+ class udp_socket { name_bind };
+ class file { getattr open read write create unlink execute };
+ class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;
\ No newline at end of file
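Review bot: The `allow` rules that use `wireguard_exec_t`, `phantun_server_exec_t` and `phantun_client_exec_t` as the source type never match: the source of an access check is the process domain, and the hunk declares no domain (`phantun_server_t`/`phantun_client_t` via `domain_type`), no entrypoint binding and no transition from `wireguard_t`, so a process executing these binaries either stays in `wireguard_t` or is denied, and the `tun_socket`, `tcp_socket` and `net_admin` grants on the `*_exec_t` types are dead policy. `allow wireguard_t self:process transition` is likewise a no-op, because transition permission is granted from the old domain to the new one. `phantun_server_port_t` and `phantun_client_port_t` are declared but no port is ever labelled with them (no `corenet_port` declaration or `semanage port` assignment), so the `name_bind` rule cannot apply either. A self-contained version defines confined domains and transitions into them from `wireguard_t`; the sketch below is a constructed outline, and the permission sets should be derived from observed audit denials rather than copied from the broad lists in the hunk.
```selinux
# … unchanged: policy_module, gen_require …
type phantun_server_t;
type phantun_server_exec_t;
domain_type(phantun_server_t)
domain_entry_file(phantun_server_t, phantun_server_exec_t)
# wrapper runs in wireguard_t (per phantun.fc); enter the confined domain on exec
domtrans_pattern(wireguard_t, phantun_server_exec_t, phantun_server_t)

allow phantun_server_t self:tun_socket { create ioctl read write };
allow phantun_server_t self:capability net_admin;
allow phantun_server_t phantun_server_port_t:tcp_socket { name_bind listen accept };
# … same shape for phantun_client_t / phantun_client_exec_t …
```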