summaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-05-18 16:28:51 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-19 07:47:03 +0000
commit9d7c50aa030ee70d507c414bb02f0add8ffa2835 (patch)
treeb4151e582e3e123be0dd55505ef3984073b579bf /contrib
parent4b804e85165a29f9d712f1ec4f289040f942f459 (diff)
downloadpodman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.gz
podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.tar.bz2
podman-9d7c50aa030ee70d507c414bb02f0add8ffa2835.zip
Tighten the security on the podman varlink socket
We only want root to be allowed to access this socket. Also move socket to /run/podman directory. This requires us to drop a podman.conf tmpfiles.d file. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #806 Approved by: mheon
Diffstat (limited to 'contrib')
-rw-r--r--contrib/spec/podman.spec.in1
-rw-r--r--contrib/varlink/io.projectatomic.podman.service5
-rw-r--r--contrib/varlink/io.projectatomic.podman.socket6
-rw-r--r--contrib/varlink/podman.conf1
4 files changed, 9 insertions, 4 deletions
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index d0ddcea25..b1afee208 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
%{_unitdir}/io.%{project}.%{name}.service
%{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
%if 0%{?fedora} >= 28
%files -n python3-%{name}
diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service
index fe3a236ad..1c4c1435f 100644
--- a/contrib/varlink/io.projectatomic.podman.service
+++ b/contrib/varlink/io.projectatomic.podman.service
@@ -1,11 +1,12 @@
[Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
Requires=io.projectatomic.podman.socket
After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
[Service]
Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
[Install]
WantedBy=multi-user.target
diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket
index d49b458a0..bd82c4240 100644
--- a/contrib/varlink/io.projectatomic.podman.socket
+++ b/contrib/varlink/io.projectatomic.podman.socket
@@ -1,8 +1,10 @@
[Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
[Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
[Install]
WantedBy=sockets.target
diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf
new file mode 100644
index 000000000..732c15185
--- /dev/null
+++ b/contrib/varlink/podman.conf
@@ -0,0 +1 @@
+d /run/podman 0700 root root