From 9d7c50aa030ee70d507c414bb02f0add8ffa2835 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 18 May 2018 16:28:51 -0400 Subject: Tighten the security on the podman varlink socket We only want root to be allowed to access this socket. Also move socket to /run/podman directory. This requires us to drop a podman.conf tmpfiles.d file. Signed-off-by: Daniel J Walsh Closes: #806 Approved by: mheon --- contrib/varlink/io.projectatomic.podman.service | 5 +++-- contrib/varlink/io.projectatomic.podman.socket | 6 ++++-- contrib/varlink/podman.conf | 1 + 3 files changed, 8 insertions(+), 4 deletions(-) create mode 100644 contrib/varlink/podman.conf (limited to 'contrib/varlink') diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service index fe3a236ad..1c4c1435f 100644 --- a/contrib/varlink/io.projectatomic.podman.service +++ b/contrib/varlink/io.projectatomic.podman.service @@ -1,11 +1,12 @@ [Unit] -Description=Pod Manager +Description=Podman Remote API Service Requires=io.projectatomic.podman.socket After=io.projectatomic.podman.socket +Documentation=man:podman-varlink(1) [Service] Type=simple -ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman +ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman [Install] WantedBy=multi-user.target diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket index d49b458a0..bd82c4240 100644 --- a/contrib/varlink/io.projectatomic.podman.socket +++ b/contrib/varlink/io.projectatomic.podman.socket @@ -1,8 +1,10 @@ [Unit] -Description=Pod Manager Socket +Description=Podman Remote API Socket +Documentation=man:podman-varlink(1) [Socket] -ListenStream=/run/io.projectatomic.podman +ListenStream=/run/podman/io.projectatomic.podman +SocketMode=0600 [Install] WantedBy=sockets.target diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf new file mode 100644 index 000000000..732c15185 --- /dev/null +++ b/contrib/varlink/podman.conf @@ -0,0 +1 @@ +d /run/podman 0700 root root -- cgit v1.2.3-54-g00ecf