From 9d7c50aa030ee70d507c414bb02f0add8ffa2835 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 18 May 2018 16:28:51 -0400
Subject: Tighten the security on the podman varlink socket
We only want root to be allowed to access this socket. Also move socket to /run/podman directory. This requires us to drop a podman.conf tmpfiles.d file.
Signed-off-by: Daniel J Walsh
Closes: #806
Approved by: mheon
---
 Makefile | 2 ++
 contrib/spec/podman.spec.in | 1 +
 contrib/varlink/io.projectatomic.podman.service | 5 +++--
 contrib/varlink/io.projectatomic.podman.socket | 6 ++++--
 contrib/varlink/podman.conf | 1 +
 docs/podman-varlink.1.md | 10 +++++++++-
 6 files changed, 20 insertions(+), 5 deletions(-)
 create mode 100644 contrib/varlink/podman.conf
diff --git a/Makefile b/Makefile
index a839b1ab9..3833ac78d 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,7 @@ MANDIR ?= ${PREFIX}/share/man
 SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
 ETCDIR ?= ${DESTDIR}/etc
 ETCDIR_LIBPOD ?= ${ETCDIR}/crio
+TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
 SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
 BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
 PYTHON ?= /usr/bin/python3
@@ -208,6 +209,7 @@ install.docker: docker-docs
 install.systemd:
 install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.socket ${SYSTEMDDIR}/io.projectatomic.podman.socket
 install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.service ${SYSTEMDDIR}/io.projectatomic.podman.service
+ install ${SELINUXOPT} -m 644 -D contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf
 uninstall:
 for i in $(filter %.1,$(MANPAGES)); do \
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index d0ddcea25..b1afee208 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
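Review bot: install.systemd now installs ${TMPFILESDIR}/podman.conf, but the diffstat shows only two insertions and no deletions in the Makefile, so the uninstall target, whose recipe starts at the end of this hunk and continues beyond it, was not taught to remove the snippet. If uninstall already removes the two systemd units, add `rm -f ${TMPFILESDIR}/podman.conf` next to them so an uninstalled package does not leave a tmpfiles.d entry that keeps recreating /run/podman on every boot. The new TMPFILESDIR default keys off ${PREFIX} like SYSTEMDDIR rather than ${DESTDIR} like ETCDIR, which is consistent with how the units are installed, but a one-line comment `# tmpfiles.d snippet creates /run/podman (0700 root) for the varlink socket` above the install line would explain why a runtime directory is being installed from here.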
@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
 %{_unitdir}/io.%{project}.%{name}.service
 %{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
 %if 0%{?fedora} >= 28
 %files -n python3-%{name}
diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service
index fe3a236ad..1c4c1435f 100644
--- a/contrib/varlink/io.projectatomic.podman.service
+++ b/contrib/varlink/io.projectatomic.podman.service
@@ -1,11 +1,12 @@
 [Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
 Requires=io.projectatomic.podman.socket
 After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
 [Service]
 Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket
index d49b458a0..bd82c4240 100644
--- a/contrib/varlink/io.projectatomic.podman.socket
+++ b/contrib/varlink/io.projectatomic.podman.socket
@@ -1,8 +1,10 @@
 [Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
 [Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
 [Install]
 WantedBy=sockets.target
diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf
new file mode 100644
index 000000000..732c15185
--- /dev/null
+++ b/contrib/varlink/podman.conf
@@ -0,0 +1 @@
+d /run/podman 0700 root root
diff --git a/docs/podman-varlink.1.md b/docs/podman-varlink.1.md
index 6cfa8c84a..68a0f08a2 100644
--- a/docs/podman-varlink.1.md
+++ b/docs/podman-varlink.1.md
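Review bot: Listing %{_tmpfilesdir}/%{name}.conf in %files only ships the snippet; nothing in this hunk creates /run/podman with the intended 0700 mode on a host that upgrades the package without rebooting, so until the next boot the socket unit is left to create the directory itself. The %post scriptlet is outside this hunk, so I cannot see whether it already handles this; if it does not, add `systemd-tmpfiles --create %{name}.conf >/dev/null 2>&1 || :` to %post, which is the usual packaging convention for tmpfiles.d snippets and makes the directory permissions take effect at install time.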
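Review bot: The new ExecStart= line repeats the socket path that the companion socket unit sets in ListenStream=, so the two files can silently drift apart on the next move of the socket, which is exactly what this commit had to do in both places. A comment directly above it, `# Path must match ListenStream= in io.projectatomic.podman.socket`, would make that coupling visible to the next person editing either unit. Whether podman varlink binds this path itself or picks up the activated file descriptor is not shown here; if it binds the path itself, a mismatch would create a second socket outside the 0600-protected one, which is worth confirming before relying on SocketMode= alone.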
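Review bot: The 0700 mode on /run/podman only holds when the tmpfiles.d snippet has run before this socket unit starts; if the directory is missing when the unit starts (for example on a package upgrade before the next boot), systemd creates the missing parent directories of ListenStream= itself, and that uses DirectoryMode=, which defaults to 0755. SocketMode=0600 still keeps the socket itself root-only, so this is not a direct exposure, but the directory would be world-searchable, contrary to the commit's stated intent. Add `DirectoryMode=0700` below `SocketMode=0600` in the [Socket] section so the directory gets the same permissions whichever path creates it; the tmpfiles entry and the unit then agree.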
@@ -31,8 +31,16 @@ More will go here as the docs and api firm up. as well. -->
+## CONFIGURATION
+
+Users of the podman varlink service should enable the io.projectatomic.podman.socket and io.projectatomic.podman.service.
+
+You can do this via systemctl
+
+systemctl enable --now io.projectatomic.podman.socket
+
 ## SEE ALSO
-podman(1)
+podman(1), systemctl(1)
 ## HISTORY
 April 2018, Originally compiled by Brent Baude
--
cgit v1.2.3-54-g00ecf