From 1e494a40112a7eac91431dcc52c205032334d773 Mon Sep 17 00:00:00 2001
From: Randy Li <ayaka@soulik.info>
Date: Tue, 5 Nov 2024 17:35:03 +0800
Subject: [PATCH 1/2] rpm: add selinux and rpm spec

Signed-off-by: Randy Li <ayaka@soulik.info>
---
 rpm/phantun.spec   | 128 +++++++++++++++++++++++++++++++++++++++++++++
 selinux/Makefile   |  26 +++++++++
 selinux/phantun.fc |   5 ++
 selinux/phantun.te |  60 +++++++++++++++++++++
 4 files changed, 219 insertions(+)
 create mode 100644 rpm/phantun.spec
 create mode 100644 selinux/Makefile
 create mode 100644 selinux/phantun.fc
 create mode 100644 selinux/phantun.te

diff --git a/rpm/phantun.spec b/rpm/phantun.spec
new file mode 100644
index 0000000..428de0a
--- /dev/null
+++ b/rpm/phantun.spec
@@ -0,0 +1,128 @@
+Name:         	phantun 
+Version:        0.7.0
+Release:        2%{?dist}
+Summary:        A lightweight and fast UDP to TCP obfuscator
+
+License:        Apache-2.0
+URL:            https://github.com/dndx/phantun/tree/main
+Source0:        %{name}-%{version}.tar.gz
+
+BuildRequires:  rust
+BuildRequires:  cargo
+BuildRequires:  selinux-policy-devel
+
+%description
+Your project with client and server components.
+
+%package client
+Summary:        Client component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description client
+Phantun Client is like a machine with private IP address
+(192.168.200.2/fcc8::2) behind a router. In order for it to reach
+the Internet, you will need to SNAT the private IP address
+before it's traffic leaves the NIC.
+
+%package server
+Summary:        Server component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description server
+Phantun Server is like a server with private IP address
+(192.168.201.2/fcc9::2) behind a router. In order to access it from
+the Internet, you need to DNAT it's listening port on the router
+and change the destination IP address to where the server
+is listening for incoming connections.
+
+%package selinux
+Summary:        SELinux module for phantun
+%{?selinux_requires}
+%global modulename phantun
+%global selinuxtype targeted
+
+%description selinux
+This package provides the SELinux policy module to ensure phantun
+runs properly under an environment with SELinux enabled.
+
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+cargo build --release
+make -C selinux
+
+%install
+# Install binaries
+install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
+install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
+
+mkdir -p %{buildroot}/usr/bin
+# Create wrapper scripts
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
+
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
+
+# Make wrapper scripts executable
+chmod +x %{buildroot}/usr/bin/phantun-client
+chmod +x %{buildroot}/usr/bin/phantun-server
+
+# SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files client
+/usr/libexec/phantun/phantun-client
+/usr/bin/phantun-client
+
+%files server
+/usr/libexec/phantun/phantun-server
+/usr/bin/phantun-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%changelog
+* Wed Dec 11 2024 Randy Li <ayaka@soulik.info> - 0.7.0-2
+- chore(deps): update tokio-tun requirement from 0.9 to 0.11
+- chore(deps): update nix requirement from 0.27 to 0.28
+- chore(deps): bump softprops/action-gh-release from 1 to 2
+- chore(docs): update license year to 2024
+- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
+- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
+- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+- chore(deps): bump dependencies to latest
+- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+- chore(deps): bump docker/build-push-action from 5 to 6
+- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+- docs(readme): latest release is now `v0.7.0`
+
+* Sat Oct 14 2023 Randy Li <ayaka@soulik.info> - 0.6.1-1
+- Initial package
+
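Review bot: The wrapper scripts generated in `%install` take the PID-file name from `$1` and expand it unquoted in `echo $! > /var/run/phantun/${PID_FILE}`, so a name containing `/` or `..` is written outside /var/run/phantun by a script that is presumably started as root, and an empty name or one with spaces breaks the redirect. Reduce the argument to a bare file name and quote it, e.g. `PID_FILE=$(basename -- "$1")` followed by `echo $! > "/var/run/phantun/${PID_FILE}"`, and exit with an error when `$1` is empty. debian/phantun-client-wrapper and debian/phantun-server-wrapper in patch 2/2 carry the same text and need the same change. Separately, `%{selinuxtype}` is used in the `Requires:` lines of the client and server subpackages before `%global selinuxtype targeted` is defined further down; rpm expands macros in file order, so the two `%global` lines should move to the top of the spec.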
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 0000000..ec0933b
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
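Review bot: `install` depends on `man`, and `man` depends on `install-policy`, so a staged `make install DESTDIR=...` first runs `semodule -i ${TARGET}.pp.bz2` against the live policy store of the build host. A packaging install should only copy files: let `install: all` copy the module, and move the `${TARGET}_selinux.8` line to a separate `install-man: man` target so that loading the policy stays an explicit step. The `%.pp` recipe should call `$(MAKE) -f ${SHAREDIR}/selinux/devel/Makefile $@` rather than a literal `make`, so `-j` and `-n` propagate. The command targets also need `.PHONY: all clean man install-policy install`.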
diff --git a/selinux/phantun.fc b/selinux/phantun.fc
new file mode 100644
index 0000000..3be4103
--- /dev/null
+++ b/selinux/phantun.fc
@@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)
\ No newline at end of file
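Review bot: Labelling /usr/bin/phantun-client and /usr/bin/phantun-server as `wireguard_exec_t` makes the wrappers entry points of another package's domain, so phantun presumably runs with whatever wireguard_t is allowed and breaks if that policy module is absent or changes. A dedicated entry-point type owned by this module (for example `phantun_exec_t`, declared in phantun.te) would keep the confinement self-contained. The `/var/run/phantun(/.*)?` entry may also need to be written against `/run`, since policy trees that treat /var/run as an alias of /run can ignore or reject /var/run specifications; this is worth checking against the targeted policy version being built.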
diff --git a/selinux/phantun.te b/selinux/phantun.te
new file mode 100644
index 0000000..d889e8c
--- /dev/null
+++ b/selinux/phantun.te
@@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+    type wireguard_t;
+    type wireguard_exec_t;
+    class capability net_admin;
+    class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+    class tcp_socket { name_bind listen accept connect };
+    class udp_socket { name_bind };
+    class file { getattr open read write create unlink execute };
+    class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;
\ No newline at end of file
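Review bot: Every `allow` rule whose source is `phantun_server_exec_t`, `phantun_client_exec_t` or `wireguard_exec_t` names a file label as the subject, and no process runs with an executable's file type, so the tun_socket, net_admin, port and PID-file rules grant nothing to the running daemons. The module declares no process domain for phantun and no transition into one, so the binaries would keep running in the caller's domain (wireguard_t, given the labels in phantun.fc). Declare a domain per binary with its entry point, add the transition from wireguard_t, and attach the permissions to that domain; the PID-file rule likewise needs a domain as its source, plus directory permissions for the `mkdir -p` in the wrapper. `phantun_server_port_t` and `phantun_var_run_t` are also plain `type` declarations with no port or file attribute (`corenet_port()`, `files_pid_file()`), which presumably keeps them from being usable as labels.

```selinux
# domain plus entry point, instead of a bare exec type
type phantun_server_t;
type phantun_server_exec_t;
application_domain(phantun_server_t, phantun_server_exec_t)

# a wrapper running in wireguard_t enters the phantun domain on exec
domtrans_pattern(wireguard_t, phantun_server_exec_t, phantun_server_t)

# permissions attach to the process domain, not to the file label
allow phantun_server_t self:capability net_admin;
# … unchanged: tun_socket permission set, with phantun_server_t as the source …
# … client: same pattern with phantun_client_t / phantun_client_exec_t …
```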

From 4c04473dffce696cc90e368d515412446b45c282 Mon Sep 17 00:00:00 2001
From: Randy Li <ayaka@soulik.info>
Date: Thu, 7 Nov 2024 03:09:22 +0800
Subject: [PATCH 2/2] deb: add debian files

Signed-off-by: Randy Li <ayaka@soulik.info>
---
 debian/cargo-checksum.json    |  5 +++++
 debian/changelog              | 25 +++++++++++++++++++++++++
 debian/compat                 |  1 +
 debian/control                | 19 +++++++++++++++++++
 debian/copyright              | 24 ++++++++++++++++++++++++
 debian/phantun-client-wrapper |  6 ++++++
 debian/phantun-client.install |  2 ++
 debian/phantun-server-wrapper |  6 ++++++
 debian/phantun-server.install |  2 ++
 debian/rules                  | 35 +++++++++++++++++++++++++++++++++++
 10 files changed, 125 insertions(+)
 create mode 100644 debian/cargo-checksum.json
 create mode 100644 debian/changelog
 create mode 100644 debian/compat
 create mode 100644 debian/control
 create mode 100644 debian/copyright
 create mode 100644 debian/phantun-client-wrapper
 create mode 100644 debian/phantun-client.install
 create mode 100644 debian/phantun-server-wrapper
 create mode 100644 debian/phantun-server.install
 create mode 100755 debian/rules

diff --git a/debian/cargo-checksum.json b/debian/cargo-checksum.json
new file mode 100644
index 0000000..0236928
--- /dev/null
+++ b/debian/cargo-checksum.json
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
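Review bot: This file holds cargo source-replacement configuration in TOML, not JSON, and debian/rules copies it to `./.cargo-checksum.json`, a path cargo does not read configuration from. As written, the `vendored-sources` redirect presumably never takes effect and the build resolves crates from crates.io instead of the `vendor` directory. Rename it to something like `debian/cargo-config.toml` and have `override_dh_auto_configure` install it as `.cargo/config.toml`, e.g. `mkdir -p .cargo && cp debian/cargo-config.toml .cargo/config.toml`.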
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..72710bc
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,25 @@
+phantun (0.7.0) UNRELEASED; urgency=medium
+
+  [ Datong Sun ]
+  * fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+  * chore(deps): bump dependencies to latest
+  * chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+
+  [ dependabot[bot] ]
+  * chore(deps): bump docker/build-push-action from 5 to 6
+  * chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+  * docs(readme): latest release is now `v0.7.0`
+
+  [ Randy Li ]
+  * phantun: change default tun address to link local
+  * phantun: add client and server xor support
+  * rpm: add selinux and rpm spec
+  * deb: add debian files
+
+ -- Randy Li <ayaka@soulik.info>  Wed, 11 Dec 2024 15:30:45 +0000
+
+phantun (0.6.1-1) UNRELEASED; urgency=medium
+
+  * Initial release. (Closes: #nnnn)  <nnnn is the bug number of your ITP>
+
+ -- Randy Li <ayaka@soulik.info>  Wed, 06 Nov 2024 18:58:00 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6a46bb6
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,19 @@
+Source: phantun
+Section: net
+Priority: optional
+Maintainer: Randy Li <ayaka@soulik.info>
+Build-Depends: debhelper (>= 9), cargo, rustc
+Standards-Version: 4.5.0
+Homepage: <insert homepage here>
+
+Package: phantun-client
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun client
+ Phantun client binary.
+
+Package: phantun-server
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun server
+ Phantun server binary.
\ No newline at end of file
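Review bot: `Build-Depends` does not list `dh-cargo`, yet debian/rules calls `dh $@ --buildsystem=cargo`, so a clean build environment would presumably fail to find that build system. `debhelper (>= 9)` also disagrees with the level 10 in debian/compat. Suggested line: `Build-Depends: debhelper (>= 10), dh-cargo, cargo, rustc`. The `Homepage:` field still holds the template placeholder and should carry the project URL.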
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..688a978
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: phantun
+Source: https://github.com/hizukiayaka/phantun
+
+Files: *
+Copyright: 2023, Randy Li <ayaka@soulik.info>
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
\ No newline at end of file
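Review bot: The license declared here is MIT, while rpm/phantun.spec in patch 1/2 declares `License: Apache-2.0` for the same sources; both packages should state the same terms as the upstream license files. `Files: *` also attributes the whole tree to the packager and `Source:` points at a fork, whereas the spec's `URL:` names dndx/phantun. Upstream authorship probably needs its own `Copyright:` entry, with a separate `Files: debian/*` stanza for the packaging.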
diff --git a/debian/phantun-client-wrapper b/debian/phantun-client-wrapper
new file mode 100644
index 0000000..8d3035e
--- /dev/null
+++ b/debian/phantun-client-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}
diff --git a/debian/phantun-client.install b/debian/phantun-client.install
new file mode 100644
index 0000000..86d30ff
--- /dev/null
+++ b/debian/phantun-client.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-client
+usr/bin/phantun-client
diff --git a/debian/phantun-server-wrapper b/debian/phantun-server-wrapper
new file mode 100644
index 0000000..1377642
--- /dev/null
+++ b/debian/phantun-server-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}
diff --git a/debian/phantun-server.install b/debian/phantun-server.install
new file mode 100644
index 0000000..ec4f272
--- /dev/null
+++ b/debian/phantun-server.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-server
+usr/bin/phantun-server
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..ff23b38
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@ --buildsystem=cargo
+
+override_dh_auto_install:
+	# Define DESTDIR
+	DESTDIR=$(CURDIR)/debian/phantun
+
+	# Install client binary
+	install -D -m 0755 target/release/client debian/tmp/usr/libexec/phantun/phantun-client
+
+	# Install server binary
+	install -D -m 0755 target/release/server debian/tmp/usr/libexec/phantun/phantun-server
+    
+	# Create wrapper scripts
+	install -D -m 0755 debian/phantun-client-wrapper  debian/tmp/usr/bin/phantun-client
+
+	install -D -m 0755 debian/phantun-server-wrapper debian/tmp/usr/bin/phantun-server
+
+	chmod +x debian/tmp/usr/bin/phantun-client
+	chmod +x debian/tmp/usr/bin/phantun-server
+
+override_dh_auto_configure:
+	cp ./debian/cargo-checksum.json ./.cargo-checksum.json
+
+override_dh_auto_build:
+	cargo build --release
+
+override_dh_install:
+	dh_install
+
+override_dh_auto_test:
+	# Disable the auto test step
+	true
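Review bot: `override_dh_auto_build` runs `cargo build --release` with nothing that pins dependency resolution, so the build may rewrite Cargo.lock or fetch crates over the network at package build time. With the sources vendored, `cargo build --release --locked --offline` makes the build fail instead of silently pulling different code; the `%build` section of rpm/phantun.spec runs the same command. In `override_dh_auto_install`, the line `DESTDIR=$(CURDIR)/debian/phantun` is a shell assignment in its own recipe shell and has no effect on the `install` lines that follow, so it can be dropped. `override_dh_auto_test` replaces the test step with `true`; if the tests cannot run in the build environment, the comment should say why.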