Tighten the security on the podman varlink socket

We only want root to be allowed to access this socket. Also move socket to /run/podman directory. This requires us to drop a podman.conf tmpfiles.d file. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #806 Approved by: mheon
author: Daniel J Walsh <dwalsh@redhat.com> 2018-05-18 16:28:51 -0400
committer: Atomic Bot <atomic-devel@projectatomic.io> 2018-05-19 07:47:03 +0000
commit: 9d7c50aa030ee70d507c414bb02f0add8ffa2835 (patch)
tree: b4151e582e3e123be0dd55505ef3984073b579bf /contrib
parent: 4b804e85165a29f9d712f1ec4f289040f942f459 (diff)
download: podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.gz
podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.bz2
podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.zip
4 files changed, 9 insertions, 4 deletions
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index d0ddcea25..b1afee208 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
 %{_unitdir}/io.%{project}.%{name}.service
 %{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
 
 %if 0%{?fedora} >= 28
 %files -n python3-%{name}
diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service
index fe3a236ad..1c4c1435f 100644
--- a/contrib/varlink/io.projectatomic.podman.service
+++ b/contrib/varlink/io.projectatomic.podman.service
@@ -1,11 +1,12 @@
 [Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
 Requires=io.projectatomic.podman.socket
 After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
 
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket
index d49b458a0..bd82c4240 100644
--- a/contrib/varlink/io.projectatomic.podman.socket
+++ b/contrib/varlink/io.projectatomic.podman.socket
@@ -1,8 +1,10 @@
 [Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
 
 [Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf
new file mode 100644
index 000000000..732c15185
--- /dev/null
+++ b/contrib/varlink/podman.conf
@@ -0,0 +1 @@
+d /run/podman 0700 root root
author	Daniel J Walsh <dwalsh@redhat.com>	2018-05-18 16:28:51 -0400
committer	Atomic Bot <atomic-devel@projectatomic.io>	2018-05-19 07:47:03 +0000
commit	9d7c50aa030ee70d507c414bb02f0add8ffa2835 (patch)
tree	b4151e582e3e123be0dd55505ef3984073b579bf /contrib
parent	4b804e85165a29f9d712f1ec4f289040f942f459 (diff)
download	podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.gz podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.bz2 podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.zip