From 23890538dbfe348adc761c8bf3e3d5a6784c95a08b733c39169e124ede9535ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Mon, 30 Aug 2021 22:28:45 +0000
Subject: [PATCH] Accepting request 915053 from home:jsegitz:branches:systemdhardening:network:telephony

Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/915053
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=19
---
 coturn.changes | 9 +++++++++
 coturn.service | 4 ++++
 coturn.spec | 1 +
 coturn@.service | 4 ++++
 harden_coturn.service.patch | 23 +++++++++++++++++++++++
 5 files changed, 41 insertions(+)
 create mode 100644 harden_coturn.service.patch

diff --git a/coturn.changes b/coturn.changes
index 3acf16d..3fa5c12 100644
--- a/coturn.changes
+++ b/coturn.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Aug 30 11:55:53 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_coturn.service.patch
+ Modified:
+ * coturn.service
+ * coturn@.service
+
 -------------------------------------------------------------------
 Mon Jan 11 10:27:20 UTC 2021 - Johannes Weberhofer
diff --git a/coturn.service b/coturn.service
index cad6da4..b22e214 100644
--- a/coturn.service
+++ b/coturn.service
@@ -44,6 +44,10 @@ RemoveIPC=yes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
diff --git a/coturn.spec b/coturn.spec
index cdee087..e27f98d 100644
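Review bot: `RestrictRealtime=true` largely overlaps with the `SystemCallFilter=~… @resources …` line two context lines below, since systemd's @resources group already covers the scheduling-parameter syscalls that RestrictRealtime blocks; it is harmless defence in depth rather than a new restriction, and the same addition appears in the coturn@.service hunk. The commit message states this was not tested, so starting the unit once and checking the journal for EPERM/EACCES from the new restriction would be the missing verification step. A one-line comment such as `# overlaps with @resources in SystemCallFilter; kept for defence in depth` would save the next maintainer the lookup.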
--- a/coturn.spec
+++ b/coturn.spec
@@ -40,6 +40,7 @@ Source6: %{name}.firewalld
 Source7: README.SUSE
 Source8: %{name}-apparmor-usr.bin.turnserver
 Source9: %{name}@.service
+Patch0: harden_coturn.service.patch
 BuildRequires: fdupes
 BuildRequires: firewall-macros
 BuildRequires: libevent-devel >= 2.0.0
diff --git a/coturn@.service b/coturn@.service
index df543ae..c8add03 100644
--- a/coturn@.service
+++ b/coturn@.service
@@ -44,6 +44,10 @@ RemoveIPC=yes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=yes
 RestrictSUIDSGID=yes
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+RestrictRealtime=true
+# end of automatic additions
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
diff --git a/harden_coturn.service.patch b/harden_coturn.service.patch
new file mode 100644
index 0000000..197473b
--- /dev/null
+++ b/harden_coturn.service.patch
@@ -0,0 +1,23 @@
+Index: coturn-4.5.2/examples/etc/coturn.service
+===================================================================
+--- coturn-4.5.2.orig/examples/etc/coturn.service
++++ coturn-4.5.2/examples/etc/coturn.service
+@@ -15,6 +15,18 @@ ExecStart=/usr/bin/turnserver -c /etc/tu
+ Restart=on-failure
+ InaccessibleDirectories=/home
+ PrivateTmp=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+
+ [Install]
+ WantedBy=multi-user.target
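Review bot: `Patch0: harden_coturn.service.patch` is declared, but this hunk does not show it being applied; unless `%prep` uses `%autosetup`/`%autopatch` or gains an explicit `%patch0 -p1`, the patch is never applied and the Protect* hardening it carries never reaches the installed unit. The `%prep` section is outside this hunk, so this should be confirmed rather than assumed, especially as the commit message says the change was not tested. The patch also targets `examples/etc/coturn.service` inside the tarball while the package ships its own `coturn.service` and `Source9: %{name}@.service`; the hunk does not show which of these files is the one installed, so the hardened copy may not be the one that ends up on the system.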
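Review bot: `ProtectSystem=full` makes /usr, /boot and /etc read-only for the service, and the ExecStart in the inner hunk header reads its configuration from under /etc (`-c /etc/tu…`, truncated); reading is fine, but if the configured turnserver writes anything under /etc at runtime the unit will fail with EACCES, and since the rest of the unit is outside the hunk and the commit is marked untested this needs a start-and-check. `ProtectHome=true` duplicates the existing `InaccessibleDirectories=/home` context line (the older spelling of `InaccessiblePaths=`), so one of them could be dropped; harmless as is. Note that this patch only touches the upstream example unit, while the packaged coturn.service and coturn@.service hunks receive just `RestrictRealtime=true`, presumably because they already carry these Protect* directives; it is worth confirming all three units end up with the same sandbox profile.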