Accepting request 858909 from home:stroeder:branches:network:telephony

- AppArmor profile has ABI 3.0 and some minor changes
- Modified systemd unit:
  * do not use daemon mode
  * Type=simple
  * added security settings
- added multi-instance systemd unit

OBS-URL: https://build.opensuse.org/request/show/858909
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=15
This commit is contained in:
Johannes Weberhofer 2020-12-29 16:21:36 +00:00 committed by Git OBS Bridge
parent 828e7289d2
commit a23b99d3d2
5 changed files with 100 additions and 5 deletions


@ -1,6 +1,8 @@
abi <abi/3.0>,
#include <tunables/global> #include <tunables/global>
/usr/bin/turnserver { profile coturn /usr/{bin,sbin}/turnserver flags=(attach_disconnected) {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/user-tmp> #include <abstractions/user-tmp>
@ -9,11 +11,13 @@
/etc/pki/coturn/** r, /etc/pki/coturn/** r,
/usr/bin/turnserver mr, /usr/bin/turnserver mr,
owner /run/coturn/* w, owner /run/coturn/* w,
owner /var/lib/coturn r,
owner /var/lib/coturn/* rwk, owner /var/lib/coturn/* rwk,
owner /var/log/coturn/*.log rw, owner /var/log/coturn/*.log rw,
owner /var/log/turn*.log w, owner /var/log/turn*.log w,
deny /etc/ssl/openssl.cnf r,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.turnserver> #include <local/usr.bin.turnserver>
} }
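Review bot: The new profile header attaches to `/usr/{bin,sbin}/turnserver`, but the executable mapping rule further down is still `/usr/bin/turnserver mr,`; should the binary ever be installed or symlinked under `/usr/sbin` (the spec creates `%{_sbindir}` in the same change), the profile would attach yet the binary itself could not be mapped, and exec would fail. Widen it to match the attachment path: `/usr/{bin,sbin}/turnserver mr,`. The new `deny /etc/ssl/openssl.cnf r,` also warrants a comment: `deny` suppresses the audit entry, and it prevents turnserver from loading the system-wide OpenSSL configuration, so any TLS defaults an administrator sets there would not apply to this daemon. A line such as `# intentional: the system openssl.cnf is not consulted; TLS parameters come from turnserver.conf (confirm)` above it would record why that is acceptable.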


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Sun Dec 27 15:42:09 UTC 2020 - Michael Ströder <michael@stroeder.com>
- AppArmor profile has ABI 3.0 and some minor changes
- Modified systemd unit:
* do not use daemon mode
* Type=simple
* added security settings
- added multi-instance systemd unit
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Aug 19 10:48:41 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com> Wed Aug 19 10:48:41 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>


@ -6,14 +6,15 @@ After=syslog.target network.target
[Service] [Service]
User=coturn User=coturn
Group=coturn Group=coturn
Type=forking Type=simple
EnvironmentFile=-/etc/sysconfig/coturn EnvironmentFile=-/etc/sysconfig/coturn
PIDFile=/run/coturn/turnserver.pid PIDFile=/run/coturn/turnserver.pid
ExecStart=/usr/bin/turnserver -o -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
Restart=on-abort Restart=on-abort
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
# next line allows coturn to bind to a port below 1024 # next lines allow coturn to bind to a port below 1024
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitCORE=infinity LimitCORE=infinity
@ -24,5 +25,27 @@ LimitRTTIME=7000000
CPUSchedulingPolicy=other CPUSchedulingPolicy=other
UMask=0007 UMask=0007
# various hardening options
LockPersonality=yes
MemoryDenyWriteExecute=yes
MountFlags=private
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
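Review bot: `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` in the new hardening block looks too narrow: glibc implements `getifaddrs()` over an AF_NETLINK socket, and if turnserver enumerates local interfaces that way when no `listening-ip`/`relay-ip` is configured, the socket() call now fails with EAFNOSUPPORT and address auto-detection quietly yields nothing; `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK` avoids that, and the same line appears in the new coturn@.service. `PIDFile=/run/coturn/turnserver.pid` is now redundant: with `Type=simple` on the line above systemd tracks the main PID itself, and the file only exists because `--pidfile` is still passed on ExecStart. Whether the `SystemCallFilter=` denylist (in particular `@resources` and `@privileged`) is compatible with turnserver's startup path should be confirmed by starting the service once under this unit and checking the journal for SIGSYS terminations. The `[Unit]` section of this file lies outside the hunks.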


@ -39,6 +39,7 @@ Source5: %{name}.sysconfig
Source6: %{name}.firewalld Source6: %{name}.firewalld
Source7: README.SUSE Source7: README.SUSE
Source8: %{name}-apparmor-usr.bin.turnserver Source8: %{name}-apparmor-usr.bin.turnserver
Source9: %{name}@.service
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: firewall-macros BuildRequires: firewall-macros
BuildRequires: libevent-devel >= 2.0.0 BuildRequires: libevent-devel >= 2.0.0
@ -115,6 +116,7 @@ This package contains the TURN development headers.
%make_install %make_install
mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local} mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -Dpm 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/ install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/
@ -160,9 +162,11 @@ done
%pre -f %{name}.pre %pre -f %{name}.pre
%service_add_pre %{name}.service %service_add_pre %{name}.service
%service_add_pre %{name}@.service
%post %post
%service_add_post %{name}.service %service_add_post %{name}.service
%service_add_post %{name}@.service
systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
%{fillup_only -n %{name}} %{fillup_only -n %{name}}
%firewalld_reload %firewalld_reload
@ -172,9 +176,11 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
%preun %preun
%service_del_preun %{name}.service %service_del_preun %{name}.service
%service_del_preun %{name}@.service
%postun %postun
%service_del_postun %{name}.service %service_del_postun %{name}.service
%service_del_postun %{name}@.service
%files %files
%license LICENSE %license LICENSE
@ -218,6 +224,7 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
%dir %{_sysconfdir}/pki/%{name}/public %dir %{_sysconfdir}/pki/%{name}/public
%dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private %dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
%{_unitdir}/coturn.service %{_unitdir}/coturn.service
%{_unitdir}/coturn@.service
%{_tmpfilesdir}/coturn.conf %{_tmpfilesdir}/coturn.conf
%dir %ghost %attr(0750,%{name},%{name}) %{_rundir}/%{name} %dir %ghost %attr(0750,%{name},%{name}) %{_rundir}/%{name}
%dir %attr(0750,%{name},%{name}) %{_localstatedir}/lib/%{name} %dir %attr(0750,%{name},%{name}) %{_localstatedir}/lib/%{name}
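Review bot: The spec installs and registers the new template unit, but nothing in these hunks provides the per-instance inputs that unit expects — it reads `/etc/sysconfig/coturn-%i` and `/etc/coturn/%i.conf`, neither of which is shipped or documented here, so an instance would fail to start until an administrator knows to create both files. A short paragraph in `README.SUSE` (Source7) describing how to create an instance configuration and its sysconfig file would close that gap. Stylistically, the new `%files` entry hard-codes `coturn@.service` while the Source9 line uses `%{name}@.service`; `%{_unitdir}/%{name}@.service` would keep the two in step (the existing `coturn.service` entry has the same inconsistency).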

coturn@.service Normal file

@ -0,0 +1,51 @@
[Unit]
Description=STUN and TURN relay server for VoIP and WebRTC %i
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=syslog.target network.target
[Service]
User=coturn
Group=coturn
Type=simple
EnvironmentFile=-/etc/sysconfig/coturn-%i
PIDFile=/run/coturn/turnserver.pid
ExecStart=/usr/bin/turnserver -c /etc/coturn/%i.conf --pidfile /run/coturn/turnserver-%i.pid $EXTRA_OPTIONS
Restart=on-abort
ExecReload=/bin/kill -HUP $MAINPID
# next lines allow coturn to bind to a port below 1024
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitCORE=infinity
LimitNOFILE=999999
LimitNPROC=60000
LimitRTPRIO=infinity
LimitRTTIME=7000000
CPUSchedulingPolicy=other
UMask=0007
# various hardening options
LockPersonality=yes
MemoryDenyWriteExecute=yes
MountFlags=private
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
[Install]
WantedBy=multi-user.target
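Review bot: `PIDFile=/run/coturn/turnserver.pid` is not instance-specific while the `--pidfile` argument on the following ExecStart line is `/run/coturn/turnserver-%i.pid`, so every instance — and the non-template coturn.service — points systemd at one shared pid file that no instance actually writes. With `Type=simple` systemd tracks the main PID itself, so the simplest fix is to drop the `PIDFile=` line; if it is kept it must read `PIDFile=/run/coturn/turnserver-%i.pid`. The `[Install]` section could also carry a `DefaultInstance=` value, or a comment such as `# instances are enabled explicitly, e.g. coturn@<name>.service`, because the spec runs `%service_add_pre`/`%service_add_post` on the bare template and, without a default instance, that presumably has nothing to act on.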