From dbd08aa705573a6f3fd604aee4f865b99d36cacb Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Wed, 1 Dec 2021 00:09:00 +0000
Subject: [PATCH] tor: Added interfaces and types for obfs4proxy support.

Signed-off-by: Jonathan Davies
---
 policy/modules/services/tor.fc | 1 +
 policy/modules/services/tor.if | 22 ++++++++++++++++++++++
 policy/modules/services/tor.te | 13 +++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index 6da1b8775..b2e8a333f 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
@@ -8,6 +8,7 @@
 /usr/lib/systemd/system/tor.*\.service -- gen_context(system_u:object_r:tor_unit_t,s0)
 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
+/var/lib/tor/data/pt_state(/.*)? gen_context(system_u:object_r:tor_pt_state_var_lib_t,s0)
 /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
 /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 104a472f4..b4169fe1a 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -59,3 +59,25 @@ interface(`tor_admin',`
 files_list_runtime($1)
 admin_pattern($1, tor_runtime_t)
 ')
+
+########################################
+##
+## Read and write Tor pluggable transport state var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tor_rw_pt_state_var_files',`
+ gen_require(`
+ type tor_var_lib_t;
+ type tor_pt_state_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 tor_var_lib_t:dir search_dir_perms;
+ allow $1 tor_pt_state_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, tor_var_lib_t, tor_pt_state_var_lib_t)
+')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 1f36bc6bc..20d90b280 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
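Review bot: The new file context only labels `/var/lib/tor/data/pt_state(/.*)?`, but the companion `filetrans_pattern(tor_t, tor_var_lib_t, tor_pt_state_var_lib_t, dir, "pt_state")` in the tor.te hunk at line 62 transitions a `pt_state` directory created under any tor_var_lib_t parent, which in this same file includes `/var/lib/tor` itself and `/var/lib/tor-data`. A pt_state directory created at one of those locations would carry tor_pt_state_var_lib_t at runtime and then be relabelled back to tor_var_lib_t by restorecon, after which its files are no longer reachable through tor_rw_pt_state_var_files. Either widen the context entry to cover every tor_var_lib_t parent the transition can fire under (e.g. a single `/var/lib/tor(/.*)?/pt_state(/.*)?` style pattern, plus one for tor-data), or narrow the filetrans rule, or state in the commit message that `/var/lib/tor/data` is the only supported DataDirectory layout.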
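Review bot: `rw_files_pattern($1, tor_var_lib_t, tor_pt_state_var_lib_t)` names tor_var_lib_t as the directory type, so a caller of tor_rw_pt_state_var_files gets list_dir_perms on every tor_var_lib_t directory while the files it actually needs live in tor_pt_state_var_lib_t directories, where it only gets the search granted on the line above. Least privilege suggests `rw_files_pattern($1, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)`, which makes the separate `allow $1 tor_pt_state_var_lib_t:dir search_dir_perms;` redundant and leaves tor_var_lib_t at the `search_dir_perms` the interface already grants explicitly. If the transport also has to create its state files rather than only update existing ones, rw_files_pattern will not cover that and a manage-style interface would be needed — worth confirming against the caller in the obfs4proxy module. The interface summary should also mention that it grants search on tor_var_lib_t, since that is broader than the "pt state files" the name implies.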
@@ -33,6 +33,9 @@ init_unit_file(tor_unit_t)
 type tor_var_lib_t;
 files_type(tor_var_lib_t)
+type tor_pt_state_var_lib_t;
+files_type(tor_pt_state_var_lib_t)
+
 type tor_var_log_t;
 logging_log_file(tor_var_log_t)
@@ -59,6 +62,11 @@ allow tor_t tor_var_lib_t:file map;
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
+allow tor_t tor_pt_state_var_lib_t:file append_file_perms;
+manage_dirs_pattern(tor_t, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)
+manage_files_pattern(tor_t, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)
+filetrans_pattern(tor_t, tor_var_lib_t, tor_pt_state_var_lib_t, dir, "pt_state")
+
 allow tor_t tor_var_log_t:dir setattr_dir_perms;
 append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
@@ -119,6 +127,11 @@ tunable_policy(`tor_bind_all_unreserved_ports',`
 corenet_tcp_bind_all_unreserved_ports(tor_t)
 ')
+optional_policy(`
+ obfs4proxy_domtrans(tor_t)
+ obfs4proxy_signal(tor_t)
+')
+
 optional_policy(`
 seutil_sigchld_newrole(tor_t)
 ')
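Review bot: In the hunk at line 62, `allow tor_t tor_pt_state_var_lib_t:file append_file_perms;` is already covered by the `manage_files_pattern(tor_t, tor_pt_state_var_lib_t, tor_pt_state_var_lib_t)` two lines below, since manage_file_perms includes append, so one of the two is dead. If the intent is that tor_t fully manages the pt_state tree (as the manage_dirs/manage_files pair suggests), drop the explicit append allow; if tor_t was meant to get only append on the transport's state files while the transport itself manages them, keep the append rule, drop the manage pattern, and add a one-line comment saying which side owns the files. A short comment above the block naming what lives in pt_state (the transport's persisted state, created on tor_t's behalf) would also help the next reader understand why a separate type exists at all.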
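Review bot: In the hunk at line 127, `obfs4proxy_domtrans(tor_t)` and `obfs4proxy_signal(tor_t)` reference an obfs4proxy module that is not part of this patch — the diffstat lists only tor.fc, tor.if and tor.te — so the commit message should name that module as a prerequisite. Wrapping the calls in `optional_policy` handles the module being absent at link time, but as far as I recall the refpolicy build does not tolerate interfaces that are undefined when the policy is expanded, so the ordering of the two patches matters; worth confirming. The description could also record how the transport is expected to reach tor_pt_state_var_lib_t (presumably by calling the new tor_rw_pt_state_var_files from its own module), so the two halves of the design are reviewable together.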