mirror of https://github.com/sipwise/rtpengine.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
129 lines
4.1 KiB
129 lines
4.1 KiB
[Unit]
|
|
Description=NGCP RTP/media Proxy Daemon
|
|
After=network-online.target
|
|
After=remote-fs.target
|
|
Requires=network-online.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
EnvironmentFile=/etc/default/ngcp-rtpengine-daemon
|
|
RuntimeDirectory=rtpengine
|
|
PIDFile=/run/rtpengine/ngcp-rtpengine-daemon.pid
|
|
User=rtpengine
|
|
Group=rtpengine
|
|
LimitNOFILE=150000
|
|
ExecStart=/usr/bin/rtpengine -f -E --no-log-timestamps --pidfile /run/rtpengine/ngcp-rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf
|
|
|
|
# Service cannot create writable executable memory mappings that are writable and executable at the same time
|
|
MemoryDenyWriteExecute=true
|
|
|
|
# NOTE: we need access to /proc/rtpengine/
|
|
ProcSubset=all
|
|
|
|
# Writes to the hardware clock or system clock will be denied
|
|
ProtectClock=true
|
|
|
|
# Service cannot modify the control group file system (via /sys/fs/cgroup)
|
|
ProtectControlGroups=true
|
|
|
|
# Service has no access to home directories
|
|
ProtectHome=true
|
|
|
|
# Set up new UTS namespace for the executed processes + changing hostname or domainname is prevented
|
|
ProtectHostname=true
|
|
|
|
# Service cannot load or read kernel modules
|
|
ProtectKernelModules=true
|
|
|
|
# Service cannot alter kernel tunables (/proc + /sys)
|
|
ProtectKernelTunables=true
|
|
|
|
# Service has strict read-only access to the OS file hierarchy
|
|
ProtectSystem=strict
|
|
|
|
# Allow write access
|
|
ReadWritePaths=/var/cache/rtpengine /var/spool/rtpengine
|
|
|
|
# Access to the kernel log ring buffer will be denied
|
|
ProtectKernelLogs=true
|
|
|
|
# Processes owned by other users are hidden from /proc/
|
|
ProtectProc=invisible
|
|
|
|
# Service may execute system calls only with native ABI
|
|
SystemCallArchitectures=native
|
|
|
|
# Limit set of capabilities
|
|
CapabilityBoundingSet=
|
|
# NOTE: when running rtpengine under root user (via User=root/Group=root), further capabilities are required:
|
|
# * CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID => for ownership handling in e.g. /run/rtpengine/
|
|
# * CAP_FOWNER => for chmod-ing e.g. /run/rtpengine/
|
|
# * CAP_NET_ADMIN => for network-related operations
|
|
# * CAP_SYS_NICE => for e.g. setpriority usage
|
|
#CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_FOWNER CAP_NET_ADMIN CAP_SYS_NICE
|
|
|
|
# Service process does not receive ambient capabilities
|
|
# NOTE: we need caps for running as non-root user
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE
|
|
AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
|
|
|
|
# Service has no access to other software's temporary files
|
|
PrivateTmp=true
|
|
|
|
# Service has no access to hardware devices
|
|
PrivateDevices=true
|
|
|
|
# Service cannot change ABI personality
|
|
LockPersonality=true
|
|
|
|
# Turn off acquisition of new privileges system-wide
|
|
NoNewPrivileges=true
|
|
|
|
# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped
|
|
# Setting this to true prevents setup of nftables rules for some reason
|
|
PrivateUsers=false
|
|
|
|
# Service user cannot leave SysV IPC objects around
|
|
# NOTE: service runs as root, so option does not matter
|
|
RemoveIPC=true
|
|
|
|
# Restrict service to allocation of netlink, UNIX domain, ipv4 + ipv6 sockets
|
|
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6
|
|
|
|
# Restrict access to the various process namespace types the Linux kernel provides
|
|
RestrictNamespaces=true
|
|
|
|
# Service may not acquire realtime scheduling
|
|
RestrictRealtime=true
|
|
|
|
# Attempts to set SUID or SGID bits on files or directories will be denied
|
|
RestrictSUIDSGID=true
|
|
|
|
# Files created by service are accessible only by service's own user by default
|
|
UMask=0077
|
|
|
|
# NOTE: Service needs access to the host's network
|
|
PrivateNetwork=false
|
|
|
|
# Control access to specific device nodes by the executed processes
|
|
DevicePolicy=closed
|
|
|
|
# NOTE: we need network access
|
|
IPAddressAllow=any
|
|
|
|
# Maximum number of bytes of memory that may be locked into RAM
|
|
# NOTE: required for libgcrypt's mlock handling
|
|
LimitMEMLOCK=8388608
|
|
|
|
# Restrict system calls that are allowed to be executed
|
|
# NOTE: @system-service => reasonable set of system calls used by common system services
|
|
SystemCallFilter=@system-service
|
|
# NOTE: return with ENOSYS instead of terminating the process immediately
|
|
SystemCallErrorNumber=ENOSYS
|
|
|
|
# All system calls except the listed ones will be logged
|
|
SystemCallLog=~@system-service seccomp
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|