Unverified Commit 6d9089c6 authored by Martin Weinelt's avatar Martin Weinelt

nixos/coturn: set up sandboxing

parent 101d1229
+56 −15
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
let
  cfg = config.services.coturn;
  pidfile = "/run/turnserver/turnserver.pid";
@@ -341,25 +341,66 @@ in {
          '' }
          chmod 640 ${runConfig}
        '';
        serviceConfig = {
        serviceConfig = rec {
          Type = "simple";
          ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
          RuntimeDirectory = "turnserver";
          ExecStart = utils.escapeSystemdExecArgs [
            (lib.getExe' pkgs.coturn "turnserver")
            "-c"
            runConfig
          ];
          User = "turnserver";
          Group = "turnserver";
          AmbientCapabilities =
            lib.mkIf (
          RuntimeDirectory = [
            "coturn"
            "turnserver"
          ];
          RuntimeDirectoryMode = "0700";
          Restart = "on-abort";

          # Hardening
          AmbientCapabilities = if
            cfg.listening-port < 1024 ||
            cfg.alt-listening-port < 1024 ||
            cfg.tls-listening-port < 1024 ||
            cfg.alt-tls-listening-port < 1024 ||
            cfg.min-port < 1024
            ) "cap_net_bind_service";
          Restart = "on-abort";
            then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
          CapabilityBoundingSet = AmbientCapabilities;
          DevicePolicy = "closed";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ] ++ lib.optionals (cfg.listening-ips == [ ]) [
            # only used for interface discovery when no listening ips are configured
            "AF_NETLINK"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "~@privileged @resources"
          ];
          UMask = "0077";
        };
      };
    systemd.tmpfiles.rules = [
      "d  /run/coturn 0700 turnserver turnserver - -"
    ];
  }]));
}
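Review bot: `PrivateUsers = true` in the new hardening block defeats the `CAP_NET_BIND_SERVICE` branch of `AmbientCapabilities`: a capability held inside a per-service user namespace is not honoured against the host's network namespace, so any configuration where one of the checked ports is below 1024 will still get EACCES on bind even though the conditional grants the capability. If the module's defaults are coturn's usual 3478/5349 the default configuration is unaffected, but the branch this commit writes for privileged ports is then dead. I would hoist the port comparison into a single `needsPrivilegedPort` binding in the surrounding `let` and gate the namespace on it, `PrivateUsers = !needsPrivilegedPort;`, keeping the existing `if … then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]` for the capability sets. If the `systemd.tmpfiles.rules` entry for `/run/coturn` is new here, it duplicates what `RuntimeDirectory = [ "coturn" … ]` with `RuntimeDirectoryMode = "0700"` already creates before `ExecStartPre` runs, so one of the two can go.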
+2 −0
@@ -30,5 +30,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
          secretsfile.fail("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 127.0.0.1 -DgX -e 127.0.0.1 -n 1 -c -y")
          # allowed-peer-ip, should succeed:
          secretsfile.succeed("${pkgs.coturn}/bin/turnutils_uclient -W some-very-secret-string 192.168.1.2 -DgX -e 192.168.1.2 -n 1 -c -y")

      default.log(default.execute("systemd-analyze security coturn.service | grep -v '✓'")[1])
    '';
})
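Review bot: The added `default.log(default.execute("systemd-analyze security coturn.service | grep -v '✓'")[1])` only records the findings, so a later change that loosens the sandbox will pass this test unchanged. If the test VM's systemd is recent enough to support `systemd-analyze security --threshold=`, replacing the log line with `default.succeed("systemd-analyze security --threshold=<score this commit reaches> coturn.service")` turns the exposure score into a hard gate; otherwise keep the log line but parse the `Overall exposure level` line of the output and assert on it.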