Bug#927213: Include an AppArmor profile

Jörg Sommer joerg at jo-so.de
Tue Apr 16 11:30:36 BST 2019


Package: coturn
Version: 4.5.1.1-1
Severity: normal

I've created an AppArmor profile for coturn. It's pretty simple and it
works for me. Maybe it would be helpful for others, too. Put this in
/etc/apparmor.d/usr.bin.turnserver

```
include <tunables/global>

profile /usr/bin/turnserver {
    include <abstractions/base>
    include <abstractions/ssl_certs>
    include <abstractions/ssl_keys>

    /etc/turnserver.conf r,
    owner /var/lib/turn/turndb rwk,
}
```

I've also put `NoNewPrivileges=yes` in my Systemd service file.

Also, looking at the Systemd service file, why don't you run turnserver in
non-forking mode and leave the pidfile management to Systemd?

```
PIDFile=/run/turnserver.pid
ExecStart=/usr/bin/turnserver -c /etc/turnserver.conf --pidfile /dev/null --log-file stdout
```

Regards Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages coturn depends on:
ii  adduser                  3.118
ii  libc6                    2.28-8
pn  libevent-core-2.1-6      <none>
pn  libevent-extra-2.1-6     <none>
pn  libevent-openssl-2.1-6   <none>
pn  libevent-pthreads-2.1-6  <none>
pn  libhiredis0.14           <none>
ii  libmariadb3              1:10.3.13-2
ii  libpq5                   11.2-2
ii  libsqlite3-0             3.27.2-2
ii  libssl1.1                1.1.1b-1
ii  lsb-base                 10.2019031300
ii  telnet [telnet-client]   0.17-41.2

coturn recommends no packages.

Versions of packages coturn suggests:
pn  sip-router   <none>
pn  xmpp-server  <none>
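One way to confirm that the profile from the report is actually enforced on the running daemon, as an added example that is not part of the original message or of the coturn package. It assumes the process is named `turnserver`, that the script runs as root, and that the profile has been loaded; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report): check that running turnserver
# processes are confined by the profile posted above.
# Load the profile first, e.g.:
#   apparmor_parser -r /etc/apparmor.d/usr.bin.turnserver
# The kernel exposes a task's label in /proc/<pid>/attr/current as
# "<profile> (<mode>)", or the single word "unconfined".

PROFILE=/usr/bin/turnserver   # profile name used in the posted profile

# classify_label LABEL
# Prints enforce, complain, unconfined, or other (a different profile).
classify_label() {
    case "$1" in
        "$PROFILE (enforce)")  echo enforce ;;
        "$PROFILE (complain)") echo complain ;;
        unconfined)            echo unconfined ;;
        *)                     echo other ;;
    esac
}

# check_turnserver
# Returns 0 only if every turnserver process is in enforce mode,
# 1 if any is not, 2 if no process was found.
check_turnserver() {
    pids=$(pgrep -x turnserver) || {
        echo "turnserver is not running" >&2
        return 2
    }
    rc=0
    for pid in $pids; do
        # The process may exit between pgrep and the read; skip it then.
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || continue
        state=$(classify_label "$label")
        echo "pid $pid: $label -> $state"
        [ "$state" = enforce ] || rc=1
    done
    return $rc
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_turnserver
fi
```

A result of `unconfined` after a restart usually means the profile was not loaded before the service started, or the binary path does not match the profile's attachment path.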