Accepting request 858909 from home:stroeder:branches:network:telephony
- AppArmor profile has ABI 3.0 and some minor changes - Modified systemd unit: * do not use daemon mode * Type=simple * added security settings - added multi-instance systemd unit OBS-URL: https://build.opensuse.org/request/show/858909 OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=15
This commit is contained in:
parent
828e7289d2
commit
a23b99d3d2
@ -1,6 +1,8 @@
|
||||
abi <abi/3.0>,
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/bin/turnserver {
|
||||
profile coturn /usr/{bin,sbin}/turnserver flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/user-tmp>
|
||||
@ -9,11 +11,13 @@
|
||||
/etc/pki/coturn/** r,
|
||||
/usr/bin/turnserver mr,
|
||||
owner /run/coturn/* w,
|
||||
owner /var/lib/coturn r,
|
||||
owner /var/lib/coturn/* rwk,
|
||||
owner /var/log/coturn/*.log rw,
|
||||
owner /var/log/turn*.log w,
|
||||
|
||||
deny /etc/ssl/openssl.cnf r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.bin.turnserver>
|
||||
}
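Review bot: The attachment in the first hunk now matches `/usr/{bin,sbin}/turnserver`, but the executable rule in the second hunk still reads `/usr/bin/turnserver mr,`, so a binary started from /usr/sbin would be confined by this profile yet lack the `mr` grant for its own image; either widen it to `/usr/{bin,sbin}/turnserver mr,` or drop the sbin alternative if the package only ships /usr/bin. With `abi <abi/3.0>` in place, `#include <local/usr.bin.turnserver>` is a hard include, and the spec hunks on this page only create the `apparmor.d/local` directory without installing that file; unless it is shipped elsewhere, the parser refuses the whole profile, and `include if exists <local/usr.bin.turnserver>` is the form that degrades gracefully. Whether the local file is installed is not visible in these hunks.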
|
||||
|
||||
|
@ -1,3 +1,13 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Dec 27 15:42:09 UTC 2020 - Michael Ströder <michael@stroeder.com>
|
||||
|
||||
- AppArmor profile has ABI 3.0 and some minor changes
|
||||
- Modified systemd unit:
|
||||
* do not use daemon mode
|
||||
* Type=simple
|
||||
* added security settings
|
||||
- added multi-instance systemd unit
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 19 10:48:41 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
|
||||
|
||||
|
@ -6,14 +6,15 @@ After=syslog.target network.target
|
||||
[Service]
|
||||
User=coturn
|
||||
Group=coturn
|
||||
Type=forking
|
||||
Type=simple
|
||||
EnvironmentFile=-/etc/sysconfig/coturn
|
||||
PIDFile=/run/coturn/turnserver.pid
|
||||
ExecStart=/usr/bin/turnserver -o -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
|
||||
ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
|
||||
Restart=on-abort
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
# next line allows coturn to bind to a port below 1024
|
||||
# next lines allow coturn to bind to a port below 1024
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
LimitCORE=infinity
|
||||
@ -24,5 +25,27 @@ LimitRTTIME=7000000
|
||||
CPUSchedulingPolicy=other
|
||||
UMask=0007
|
||||
|
||||
# various hardening options
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
MountFlags=private
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectSystem=full
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
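Review bot: `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` in the second hunk omits AF_NETLINK; if turnserver enumerates local interfaces through getifaddrs() (glibc implements it over a netlink socket), that call fails with EAFNOSUPPORT under this unit and the server may come up without its auto-detected listeners — verify with a test start and add `AF_NETLINK` if so. `PIDFile=/run/coturn/turnserver.pid` is carried over from the forking unit but is redundant under `Type=simple`, where systemd tracks the main PID itself; it can go together with `--pidfile` unless another tool reads the file. Both points apply equally to the new coturn@.service template. `After=syslog.target` refers to an obsolete target and can be dropped in both units.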
|
||||
|
@ -39,6 +39,7 @@ Source5: %{name}.sysconfig
|
||||
Source6: %{name}.firewalld
|
||||
Source7: README.SUSE
|
||||
Source8: %{name}-apparmor-usr.bin.turnserver
|
||||
Source9: %{name}@.service
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: firewall-macros
|
||||
BuildRequires: libevent-devel >= 2.0.0
|
||||
@ -115,6 +116,7 @@ This package contains the TURN development headers.
|
||||
%make_install
|
||||
mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
|
||||
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
|
||||
install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
|
||||
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
||||
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/
|
||||
@ -160,9 +162,11 @@ done
|
||||
|
||||
%pre -f %{name}.pre
|
||||
%service_add_pre %{name}.service
|
||||
%service_add_pre %{name}@.service
|
||||
|
||||
%post
|
||||
%service_add_post %{name}.service
|
||||
%service_add_post %{name}@.service
|
||||
systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
|
||||
%{fillup_only -n %{name}}
|
||||
%firewalld_reload
|
||||
@ -172,9 +176,11 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
|
||||
|
||||
%preun
|
||||
%service_del_preun %{name}.service
|
||||
%service_del_preun %{name}@.service
|
||||
|
||||
%postun
|
||||
%service_del_postun %{name}.service
|
||||
%service_del_postun %{name}@.service
|
||||
|
||||
%files
|
||||
%license LICENSE
|
||||
@ -218,6 +224,7 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
|
||||
%dir %{_sysconfdir}/pki/%{name}/public
|
||||
%dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
|
||||
%{_unitdir}/coturn.service
|
||||
%{_unitdir}/coturn@.service
|
||||
%{_tmpfilesdir}/coturn.conf
|
||||
%dir %ghost %attr(0750,%{name},%{name}) %{_rundir}/%{name}
|
||||
%dir %attr(0750,%{name},%{name}) %{_localstatedir}/lib/%{name}
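Review bot: `%{fillup_only -n %{name}}` in the %post hunk only materializes /etc/sysconfig/coturn, while the new template unit reads `/etc/sysconfig/coturn-%i` and `/etc/coturn/%i.conf`; unless that is handled outside these hunks, README.SUSE (Source7) should state that an administrator must create the instance config (and optionally the instance sysconfig file) before `systemctl start coturn@NAME`. A short paragraph naming both paths and noting that `$EXTRA_OPTIONS` for an instance comes from the `-%i` sysconfig file is enough; no spec change is needed for that.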
|
||||
|
51
coturn@.service
Normal file
51
coturn@.service
Normal file
@ -0,0 +1,51 @@
|
||||
[Unit]
|
||||
Description=STUN and TURN relay server for VoIP and WebRTC %i
|
||||
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
User=coturn
|
||||
Group=coturn
|
||||
Type=simple
|
||||
EnvironmentFile=-/etc/sysconfig/coturn-%i
|
||||
PIDFile=/run/coturn/turnserver.pid
|
||||
ExecStart=/usr/bin/turnserver -c /etc/coturn/%i.conf --pidfile /run/coturn/turnserver-%i.pid $EXTRA_OPTIONS
|
||||
Restart=on-abort
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
# next lines allow coturn to bind to a port below 1024
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
LimitCORE=infinity
|
||||
LimitNOFILE=999999
|
||||
LimitNPROC=60000
|
||||
LimitRTPRIO=infinity
|
||||
LimitRTTIME=7000000
|
||||
CPUSchedulingPolicy=other
|
||||
UMask=0007
|
||||
|
||||
# various hardening options
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
MountFlags=private
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectSystem=full
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
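Review bot: `PIDFile=/run/coturn/turnserver.pid` does not match the `--pidfile /run/coturn/turnserver-%i.pid` passed in ExecStart, so every instance declares the same PID file while writing a different one; under `Type=simple` the line is unused, but if it is kept it should read `PIDFile=/run/coturn/turnserver-%i.pid`, and dropping it removes the confusion. All instances share `User=coturn`, `UMask=0007` and the `/run/coturn` directory, so they are not isolated from each other: one instance can read or replace another's PID file and state under /var/lib/coturn. If per-instance isolation is intended, `RuntimeDirectory=coturn/%i` plus per-instance state and log paths would be required; if not, a comment in the unit saying instances share the account and directories would save the next maintainer from assuming otherwise.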
|