diff --git a/coturn-apparmor-usr.bin.turnserver b/coturn-apparmor-usr.bin.turnserver
index c20608d..1d42a4b 100644
--- a/coturn-apparmor-usr.bin.turnserver
+++ b/coturn-apparmor-usr.bin.turnserver
@@ -1,6 +1,8 @@
+abi ,
+
 #include
-/usr/bin/turnserver {
+profile coturn /usr/{bin,sbin}/turnserver flags=(attach_disconnected) {
 #include
 #include
 #include
@@ -9,11 +11,13 @@
 /etc/pki/coturn/** r,
 /usr/bin/turnserver mr,
 owner /run/coturn/* w,
+ owner /var/lib/coturn r,
 owner /var/lib/coturn/* rwk,
 owner /var/log/coturn/*.log rw,
 owner /var/log/turn*.log w,
+ deny /etc/ssl/openssl.cnf r,
+ # Site-specific additions and overrides. See local/README for details.
 #include
 }
-
diff --git a/coturn.changes b/coturn.changes
index b4a5c1d..2ca16d9 100644
--- a/coturn.changes
+++ b/coturn.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sun Dec 27 15:42:09 UTC 2020 - Michael Ströder
+
+- AppArmor profile has ABI 3.0 and some minor changes
+- Modified systemd unit:
+ * do not use daemon mode
+ * Type=simple
+ * added security settings
+- added multi-instance systemd unit
+
 -------------------------------------------------------------------
 Wed Aug 19 10:48:41 UTC 2020 - Callum Farmer
diff --git a/coturn.service b/coturn.service
index 981c371..cad6da4 100644
--- a/coturn.service
+++ b/coturn.service
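Review bot: The profile header in the first hunk now attaches to `/usr/{bin,sbin}/turnserver`, but the self-access rule in the second hunk still reads `/usr/bin/turnserver mr,`, so a turnserver installed under /usr/sbin would be confined by this profile without the `mr` access profiles normally grant to the program they confine. Change the rule to `/usr/{bin,sbin}/turnserver mr,` so the two paths agree. The new `deny /etc/ssl/openssl.cnf r,` also withholds the system OpenSSL configuration from turnserver; with OpenSSL 3 that file steers provider loading and the distribution crypto policy, if I remember the mechanism correctly, so a one-line comment above it stating why it is explicitly denied rather than merely unlisted would save the next reader a guess.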
@@ -6,14 +6,15 @@ After=syslog.target network.target
 [Service]
 User=coturn
 Group=coturn
-Type=forking
+Type=simple
 EnvironmentFile=-/etc/sysconfig/coturn
 PIDFile=/run/coturn/turnserver.pid
-ExecStart=/usr/bin/turnserver -o -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
+ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
 Restart=on-abort
 ExecReload=/bin/kill -HUP $MAINPID
-# next line allows coturn to bind to a port below 1024
+# next lines allow coturn to bind to a port below 1024
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitCORE=infinity
@@ -24,5 +25,27 @@ LimitRTTIME=7000000
 CPUSchedulingPolicy=other
 UMask=0007
+# various hardening options
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+MountFlags=private
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
+
 [Install]
 WantedBy=multi-user.target
diff --git a/coturn.spec b/coturn.spec
index ce0cfc8..7d19c8f 100644
--- a/coturn.spec
+++ b/coturn.spec
@@ -39,6 +39,7 @@ Source5: %{name}.sysconfig
 Source6: %{name}.firewalld
 Source7: README.SUSE
 Source8: %{name}-apparmor-usr.bin.turnserver
+Source9: %{name}@.service
 BuildRequires: fdupes
 BuildRequires: firewall-macros
 BuildRequires: libevent-devel >= 2.0.0
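Review bot: `PIDFile=/run/coturn/turnserver.pid` survives the switch to `Type=simple` in the first coturn.service hunk, although with Type=simple the main PID is the process systemd spawned itself and the PID file adds nothing; systemd reads a configured PIDFile= for non-forking types too and, as far as I recall, complains when its contents do not match the main PID. Either drop the `PIDFile=` line or keep it with a comment such as `# PIDFile= kept only for tools that read /run/coturn/turnserver.pid`. The `--pidfile` argument in ExecStart can stay for that purpose.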
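Review bot: `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` in the second coturn.service hunk leaves out AF_NETLINK, which glibc's getifaddrs() uses, so turnserver's interface enumeration (used when no listening-ip/relay-ip is configured, if I remember the code correctly) may fail silently under this unit; verify with a config that omits those options or add `AF_NETLINK` to the list. Likewise `@resources` in `SystemCallFilter=` covers setrlimit, which turnserver attempts at start-up on Linux to raise its file-descriptor limit as far as I know, and a filtered syscall kills the process with SIGSYS unless `SystemCallErrorNumber=` is set; `SystemCallErrorNumber=EPERM` turns that into a failed call the program can survive. The identical hardening block is added verbatim in the new coturn@.service, so whatever is decided here should be mirrored there.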
@@ -115,6 +116,7 @@ This package contains the TURN development headers.
 %make_install
 mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
 install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/
@@ -160,9 +162,11 @@ done
 %pre -f %{name}.pre
 %service_add_pre %{name}.service
+%service_add_pre %{name}@.service
 %post
 %service_add_post %{name}.service
+%service_add_post %{name}@.service
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %{fillup_only -n %{name}}
 %firewalld_reload
@@ -172,9 +176,11 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %preun
 %service_del_preun %{name}.service
+%service_del_preun %{name}@.service
 %postun
 %service_del_postun %{name}.service
+%service_del_postun %{name}@.service
 %files
 %license LICENSE
@@ -218,6 +224,7 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %dir %{_sysconfdir}/pki/%{name}/public
 %dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
 %{_unitdir}/coturn.service
+%{_unitdir}/coturn@.service
 %{_tmpfilesdir}/coturn.conf
 %dir %ghost %attr(0750,%{name},%{name}) %{_rundir}/%{name}
 %dir %attr(0750,%{name},%{name}) %{_localstatedir}/lib/%{name}
diff --git a/coturn@.service b/coturn@.service
new file mode 100644
index 0000000..df543ae
--- /dev/null
+++ b/coturn@.service
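Review bot: The %files hunk ships `%{_unitdir}/coturn@.service` but nothing in the package tells an administrator how an instance is named or configured: the unit expects `/etc/coturn/<instance>.conf` and optionally `/etc/sysconfig/coturn-<instance>`, neither of which the spec installs or documents. A short paragraph in README.SUSE (Source7) describing the instance layout, or a comment at the top of the template unit, would close that gap; the changelog entry only says the unit was added. The scriptlet hunks for the template unit look consistent with the existing single-instance lines.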
@@ -0,0 +1,51 @@
+[Unit]
+Description=STUN and TURN relay server for VoIP and WebRTC %i
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=syslog.target network.target
+
+[Service]
+User=coturn
+Group=coturn
+Type=simple
+EnvironmentFile=-/etc/sysconfig/coturn-%i
+PIDFile=/run/coturn/turnserver.pid
+ExecStart=/usr/bin/turnserver -c /etc/coturn/%i.conf --pidfile /run/coturn/turnserver-%i.pid $EXTRA_OPTIONS
+Restart=on-abort
+ExecReload=/bin/kill -HUP $MAINPID
+
+# next lines allow coturn to bind to a port below 1024
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+LimitCORE=infinity
+LimitNOFILE=999999
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+CPUSchedulingPolicy=other
+UMask=0007
+
+# various hardening options
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+MountFlags=private
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
+
+[Install]
+WantedBy=multi-user.target
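Review bot: `PIDFile=/run/coturn/turnserver.pid` does not match the `--pidfile /run/coturn/turnserver-%i.pid` that ExecStart passes two lines below, so every instance points systemd at the single-instance unit's PID file rather than its own; if systemd reads it while coturn.service is running, the instance's notion of its main PID can be confused and `ExecReload=/bin/kill -HUP $MAINPID` may signal the wrong daemon. Change it to `PIDFile=/run/coturn/turnserver-%i.pid`, or drop the line entirely since `Type=simple` already gives systemd the main PID. Independently of this, `Description=... %i` would read more naturally as `%I`, the unescaped instance name.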