a23b99d3d2
- AppArmor profile has ABI 3.0 and some minor changes - Modified systemd unit: * do not use daemon mode * Type=simple * added security settings - added multi-instance systemd unit OBS-URL: https://build.opensuse.org/request/show/858909 OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=15
52 lines
1.3 KiB
Desktop File
52 lines
1.3 KiB
Desktop File
[Unit]
|
|
Description=STUN and TURN relay server for VoIP and WebRTC
|
|
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
|
|
After=syslog.target network.target
|
|
|
|
[Service]
|
|
User=coturn
|
|
Group=coturn
|
|
Type=simple
|
|
EnvironmentFile=-/etc/sysconfig/coturn
|
|
PIDFile=/run/coturn/turnserver.pid
|
|
ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
|
|
Restart=on-abort
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
|
|
# next lines allow coturn to bind to a port below 1024
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
LimitCORE=infinity
|
|
LimitNOFILE=999999
|
|
LimitNPROC=60000
|
|
LimitRTPRIO=infinity
|
|
LimitRTTIME=7000000
|
|
CPUSchedulingPolicy=other
|
|
UMask=0007
|
|
|
|
# various hardening options
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
MountFlags=private
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectSystem=full
|
|
RemoveIPC=yes
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
RestrictNamespaces=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|