ngcp-rtpengine-daemon service state BEFORE this change:
| $ sudo systemd-analyze security ngcp-rtpengine-daemon | tail -1
| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨
ngcp-rtpengine-daemon service state AFTER this change:
| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special … 0.1
| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2
| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2
| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2
| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
| ✗ ProcSubset= Service has full access to non-process /pro… 0.1
|
| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂
As of systemd v247.3-7.
Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041
These packages do not provide architecture-specific interfaces. The only
problematic one is the kernel module, which requires a matching kernel
where to run on, independently of the userland. In addition the kernel
interface is arch-specific so running, say, a 64-bit kernel and module
and a 32-bit userland will not work.
Change-Id: Ic7327e422ec6f2e3cd4145b8ae172db9149287b4
We have had DKMS support for a long time, which is easier to integrate
to, and manage as a user. As we have not been testing module-assistant
support and it's redundant with the DKMS support, let's just remove it.
Change-Id: Iff546a4a333a2e4e48fbc1e49fecee9bab3a0138
This prevents empty mixed output files from being created when mixed
output is enabled in the config but recording isn't active for that
call.
Change-Id: I66ead89dc8a7ea80b81164b3e24d997b0df5f37e
Provide a standard output format if no other outputs are configured, so
that the decoder has something to work with. Applicable to TLS-send-only
scenarios without recording.
Change-Id: I627bb7af3f3033e1025009c21a4da6991e491dcf
DTX and delay buffers and their timers are shut down during the codec
negotiation phase, which also happens for the offer side while
processing an answer. If the codec negotiation routine determines that
the existing codec handlers can be kept intact, we must restart the DTX
and delay buffers that have previously been shut down.
Buffer objects are never freed during a shutdown, therefore we simply
need to restore the contained references to indicate that these buffers
are active again.
closes#1481
Change-Id: I57181ba1655fd781a7c543ee31aa67fd179ba89b
This eliminates a spurious false warning log message for rejected
streams that use a dummy payload type
Change-Id: Id628cafb8d7c4ea576cd01ff35f5dd9cd2151280
Since we're already doing the full parsing of the request flags, use the
same function to parse all required flags
Change-Id: I0880ccbbbc36eae7b172440ce51afc1c544583a1
Related to commit a3062b5f, let's also update the RPM spec file, its
configs/scripts and the README, to use /usr/bin instead of /usr/sbin.
While at it, noticed that el/ngcp-rtpengine-iptables-setup seemed to use
a wrong path (/sbin/rtpengine-get-table instead of
/usr/sbin/rtpengine-get-table), adjusted accordingly.
While at it, also fixed mixed-use-of-spaces-and-tabs issues (as reported
by rpmlint) in rtpengine.spec.
FTR, we have the following layout in the resulting RPMs now:
* /usr/bin/rtpengine
* /usr/bin/rtpengine-ctl
* /usr/bin/rtpengine-recording
* /usr/sbin/ngcp-rtpengine-iptables-setup
* /usr/sbin/rtpengine-get-table
Change-Id: I7e9e3527f4dc07adba425172cebb5672f2541690
Neither main daemons nor auxiliary tools require root privileges to run,
therefore they should go into /usr/bin instead of /usr/sbin.
Change-Id: I22fd0f4e622df0362a686dfe9e0ce1fb86b43a9e
Instead of always generating a new ICE foundation string for every
learned peer-reflexive candidate, try to use the same foundation string
for candidates that belong together. We use the priority number plus the
component ID for this to see if we've learned a candidate with a fitting
priority number before. If we have then re-use the same ICE foundation
string. This allows ICE to complete with only learned prflx candidates
and without (or before) re-invite to communicate the correct ICE
foundations.
Change-Id: I74bde6ef22a164df57d0b77cbaef34e4a499da72
Victor Seva
Michael Prokop
Richard Fuchs
Guillem Jover
szcom
Sipwise Jenkins Builder