nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/coturn: set up sandboxing

Browse Source
This commit is contained in:
Martin Weinelt 2024-10-14 03:31:09 +02:00
parent 101d12296d
commit 6d9089c67d
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 58 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
nixos/modules/services/networking/coturn.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
let let
cfg = config.services.coturn; cfg = config.services.coturn;
pidfile = "/run/turnserver/turnserver.pid"; pidfile = "/run/turnserver/turnserver.pid";
@ -341,25 +341,66 @@ in {
'' } '' }
chmod 640 ${runConfig} chmod 640 ${runConfig}
''; '';
serviceConfig = { serviceConfig = rec {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; ExecStart = utils.escapeSystemdExecArgs [
RuntimeDirectory = "turnserver"; (lib.getExe' pkgs.coturn "turnserver")
"-c"
runConfig
];
User = "turnserver"; User = "turnserver";
Group = "turnserver"; Group = "turnserver";
AmbientCapabilities = RuntimeDirectory = [
lib.mkIf ( "coturn"
cfg.listening-port < 1024 || "turnserver"
cfg.alt-listening-port < 1024 || ];
cfg.tls-listening-port < 1024 || RuntimeDirectoryMode = "0700";
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
) "cap_net_bind_service";
Restart = "on-abort"; Restart = "on-abort";
# Hardening
AmbientCapabilities = if
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
CapabilityBoundingSet = AmbientCapabilities;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
] ++ lib.optionals (cfg.listening-ips == [ ]) [
# only used for interface discovery when no listening ips are configured
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0077";
}; };
}; };
systemd.tmpfiles.rules = [
"d /run/coturn 0700 turnserver turnserver - -"
];
}])); }]));
} }

2
nixos/tests/coturn.nix
View File

@ -30,5 +30,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
secretsfile.fail("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 127.0.0.1 -DgX -e 127.0.0.1 -n 1 -c -y") secretsfile.fail("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 127.0.0.1 -DgX -e 127.0.0.1 -n 1 -c -y")
# allowed-peer-ip, should succeed: # allowed-peer-ip, should succeed:
secretsfile.succeed("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 192.168.1.2 -DgX -e 192.168.1.2 -n 1 -c -y") secretsfile.succeed("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 192.168.1.2 -DgX -e 192.168.1.2 -n 1 -c -y")
default.log(default.execute("systemd-analyze security coturn.service | grep -v ''")[1])
''; '';
}) })