[Bug 1184141] New: coturn.service: syscall restrictions are too strict
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141

Bug ID: 1184141
Summary: coturn.service: syscall restrictions are too strict
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: xm.koutny+suse.com@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I'm running coturn-4.5.2-lp152.20.1.x86_64 from network:telephony (on Leap 15.2). I updated from 4.5.1 (Leap) which worked fine but now I'm running into troubles:

1) Started process will terminate soon with SIGSYS
2) After resolving this, it'll fail with
0: : ERROR: main: Cannot configure any meaningful IP listener address
I strace'd both issues:

1) (very early at the start of binary, fails even with other executables, most likely anything linked with pthread)
1974 set_tid_address(0x7fefc2c04290) = 1974
1974 set_robust_list(0x7fefc2c042a0, 24) = 0
1974 rt_sigaction(SIGRTMIN, {sa_handler=0x7fefc1fc5bf0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fefc1fd22d0}, NULL, 8) = 0
1974 rt_sigaction(SIGRT_1, {sa_handler=0x7fefc1fc5c90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fefc1fd22d0}, NULL, 8) = 0
1974 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
1974 prlimit64(0, RLIMIT_STACK, NULL, <unfinished ...>) = ?
1 <... epoll_pwait resumed>[{EPOLLHUP, {u32=2326093456, u64=94697765035664}}], 50, -1, NULL, 8) = 1
1974 +++ killed by SIGSYS +++
2)
2168 write(3, "0: : WARNING: cannot find privat"..., 69) = 69
2168 write(3, "0: : WARNING: cannot start TLS a"..., 95) = 95
2168 write(3, "0: : NO EXPLICIT LISTENER ADDRES"..., 53) = 53
2168 write(3, "0: : ===========Discovering list"..., 58) = 58
2168 socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = -1 EAFNOSUPPORT (Address family not supported by protocol)
2168 write(3, "0: : ERROR: main: Cannot configu"..., 70) = 70
The following .service file modification fixes the issue for me: -SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete -RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @cpu-emulation @obsolete +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK Note that the first change may not be needed with systemd newer than v235 [1] (I guess I shouldn't be running coturn from network:telephony on Leap). [1] 4c3a917617 ("seccomp: include prlimit64 and ugetrlimit in @default") v235~15^2~3 -- You are receiving this mail because: You are on the CC list for the bug.
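Review bot: the SystemCallFilter= line drops the whole @resources group from the deny list, but the first trace only shows prlimit64(0, RLIMIT_STACK, NULL, ...) being killed, which is a query of the limit (new limit is NULL) rather than a change. Can the unit keep @resources denied and permit only prlimit64, or apply the relaxation only where systemd is older than v235, as the report itself suggests? The AF_NETLINK addition to RestrictAddressFamilies= matches the EAFNOSUPPORT on socket(AF_NETLINK, ..., NETLINK_ROUTE) in the second trace; a comment in the unit saying it is needed for listener address discovery would keep it from being removed again later.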
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141

Michal Koutný <xm.koutny+suse.com@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jweberhofer@weberhofer.at,
                   |                            |michael@stroeder.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141#c1

--- Comment #1 from Michal Koutný <xm.koutny+suse.com@gmail.com> ---
FTR, even
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @cpu-emulation @obsolete
is not sufficient. From the outer view, TURN server doesn't work (alas can't tell more from my app). When stracing such a service, it just hangs in the main thread within a futex(2) call, apparently all but the main thread exited (non-trivial amount as logfile contains notion of general relay threads).
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141#c6

Matthias Pfafferodt <syntron@web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |syntron@web.de

--- Comment #6 from Matthias Pfafferodt <syntron@web.de> ---
I did run into the same issue on openSUSE 15.4 using the package from openSUSE:Backports:SLE-15-SP4:Update / coturn. Is there any update / planned change? At the moment I commented the two lines mentioned in the original report to get it working.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184141

Stefan Botter <obs@botter.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |obs@botter.cc
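Added example (not part of the bug report or the coturn package): a Python script that scans strace -f output for the two sandbox symptoms shown in the original report, a process killed by SIGSYS and a socket() call refused with EAFNOSUPPORT. The sample trace is constructed from the lines quoted in the report, and the function name sandbox_denials is hypothetical.

```python
import re

# Constructed sample, abridged from the two traces quoted in the report.
SAMPLE = """\
1974 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
1974 prlimit64(0, RLIMIT_STACK, NULL, <unfinished ...>) = ?
1974 +++ killed by SIGSYS +++
2168 socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = -1 EAFNOSUPPORT (Address family not supported by protocol)
2168 write(3, "0: : ERROR: main: Cannot configu"..., 70) = 70
"""

CALL = re.compile(r"^(\d+)\s+(\w+)\((.*)$")          # "<pid> name(args..."
KILLED = re.compile(r"^(\d+)\s+\+\+\+ killed by SIGSYS")


def sandbox_denials(trace):
    """Return (syscalls that ended in SIGSYS, address families refused)."""
    last_call = {}  # pid -> name of the most recent syscall that pid entered
    killed, families = [], []
    for line in trace.splitlines():
        m = KILLED.match(line)
        if m:
            # SIGSYS is raised on the filtered syscall itself, so the last
            # call the pid entered is the one the seccomp filter rejected.
            name = last_call.get(m.group(1), "?")
            if name not in killed:
                killed.append(name)
            continue
        m = CALL.match(line)
        if not m:
            continue  # resumed calls, signals, exit markers
        pid, name, rest = m.groups()
        last_call[pid] = name
        if name == "socket" and "EAFNOSUPPORT" in rest:
            family = rest.split(",", 1)[0].strip()
            if family not in families:
                families.append(family)
    return killed, families


if __name__ == "__main__":
    killed, families = sandbox_denials(SAMPLE)
    print("check SystemCallFilter= for:", ", ".join(killed) or "nothing seen")
    print("check RestrictAddressFamilies= for:", ", ".join(families) or "nothing seen")
```

EAFNOSUPPORT can also mean the kernel lacks the address family, so treat the second list as candidates to compare against the unit file.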