authorDaniel J Walsh <dwalsh@redhat.com>2018-05-18 16:28:51 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-19 07:47:03 +0000
commit9d7c50aa030ee70d507c414bb02f0add8ffa2835 (patch)
treeb4151e582e3e123be0dd55505ef3984073b579bf
parent4b804e85165a29f9d712f1ec4f289040f942f459 (diff)
Tighten the security on the podman varlink socket
We only want root to be allowed to access this socket. Also move the socket to the /run/podman directory. This requires us to ship a podman.conf tmpfiles.d file.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #806
Approved by: mheon
-rw-r--r--Makefile2
-rw-r--r--contrib/spec/podman.spec.in1
-rw-r--r--contrib/varlink/io.projectatomic.podman.service5
-rw-r--r--contrib/varlink/io.projectatomic.podman.socket6
-rw-r--r--contrib/varlink/podman.conf1
-rw-r--r--docs/podman-varlink.1.md10
6 files changed, 20 insertions, 5 deletions
diff --git a/Makefile b/Makefile
index a839b1ab9..3833ac78d 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,7 @@ MANDIR ?= ${PREFIX}/share/man
SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
ETCDIR ?= ${DESTDIR}/etc
ETCDIR_LIBPOD ?= ${ETCDIR}/crio
+TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
PYTHON ?= /usr/bin/python3
@@ -208,6 +209,7 @@ install.docker: docker-docs
install.systemd:
install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.socket ${SYSTEMDDIR}/io.projectatomic.podman.socket
install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.service ${SYSTEMDDIR}/io.projectatomic.podman.service
+ install ${SELINUXOPT} -m 644 -D contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf
uninstall:
for i in $(filter %.1,$(MANPAGES)); do \
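Review bot: The new `install ... contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf` line only copies the tmpfiles.d fragment; nothing in `install.systemd` applies it, so on a running system /run/podman is not created with the intended 0700 mode until the next boot (or until an administrator runs `systemd-tmpfiles --create podman.conf`), and a `make install` followed by `systemctl start io.projectatomic.podman.socket` relies on systemd creating the parent directory itself. This is worth a comment on the install line, e.g. `# the tmpfiles.d entry creates /run/podman (0700 root) at boot; run systemd-tmpfiles --create after a live install`. The `uninstall:` target begins on the last line of this hunk and its body is outside it; if it removes the two systemd units it should also remove `${TMPFILESDIR}/podman.conf`.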
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index d0ddcea25..b1afee208 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
%{_unitdir}/io.%{project}.%{name}.service
%{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
%if 0%{?fedora} >= 28
%files -n python3-%{name}
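Review bot: The added `%{_tmpfilesdir}/%{name}.conf` entry packages the fragment, but this hunk shows no matching `%tmpfiles_create %{name}.conf` scriptlet, so a fresh install or upgrade on a running system would not create /run/podman with mode 0700 until reboot. The %post section is outside this hunk and may already handle it; if not, add `%post` followed by `%tmpfiles_create %{name}.conf` (this macro comes from the systemd RPM macros, so the BuildRequires should cover that).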
diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service
index fe3a236ad..1c4c1435f 100644
--- a/contrib/varlink/io.projectatomic.podman.service
+++ b/contrib/varlink/io.projectatomic.podman.service
@@ -1,11 +1,12 @@
[Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
Requires=io.projectatomic.podman.socket
After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
[Service]
Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
[Install]
WantedBy=multi-user.target
diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket
index d49b458a0..bd82c4240 100644
--- a/contrib/varlink/io.projectatomic.podman.socket
+++ b/contrib/varlink/io.projectatomic.podman.socket
@@ -1,8 +1,10 @@
[Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
[Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
[Install]
WantedBy=sockets.target
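Review bot: `ListenStream=/run/podman/io.projectatomic.podman` now sits under a directory that the tmpfiles.d fragment is meant to create as 0700, but when that fragment has not been applied yet (live install before reboot), systemd creates the missing parent directory itself using the unit's DirectoryMode=, which defaults to 0755, so the tightened directory permission is not guaranteed by the unit alone. Adding `DirectoryMode=0700` next to `SocketMode=0600` makes the socket unit enforce the same policy regardless of tmpfiles ordering. `SocketMode=0600` with the default SocketUser=/SocketGroup= of root does restrict connects to root as the commit intends.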
diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf
new file mode 100644
index 000000000..732c15185
--- /dev/null
+++ b/contrib/varlink/podman.conf
@@ -0,0 +1 @@
+d /run/podman 0700 root root
diff --git a/docs/podman-varlink.1.md b/docs/podman-varlink.1.md
index 6cfa8c84a..68a0f08a2 100644
--- a/docs/podman-varlink.1.md
+++ b/docs/podman-varlink.1.md
@@ -31,8 +31,16 @@ More will go here as the docs and api firm up.
as well.
-->
+## CONFIGURATION
+
+Users of the podman varlink service should enable the io.projectatomic.podman.socket and io.projectatomic.podman.service.
+
+You can do this via systemctl
+
+systemctl enable --now io.projectatomic.podman.socket
+
## SEE ALSO
-podman(1)
+podman(1), systemctl(1)
## HISTORY
April 2018, Originally compiled by Brent Baude<bbaude@redhat.com>