From 9d7c50aa030ee70d507c414bb02f0add8ffa2835 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Fri, 18 May 2018 16:28:51 -0400
Subject: [PATCH] Tighten the security on the podman varlink socket
We only want root to be allowed to access this socket.
Also move socket to /run/podman directory. This requires
us to ship a podman.conf tmpfiles.d file.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #806
Approved by: mheon
---
Makefile | 2 ++
contrib/spec/podman.spec.in | 1 +
contrib/varlink/io.projectatomic.podman.service | 5 +++--
contrib/varlink/io.projectatomic.podman.socket | 6 ++++--
contrib/varlink/podman.conf | 1 +
docs/podman-varlink.1.md | 10 +++++++++-
6 files changed, 20 insertions(+), 5 deletions(-)
create mode 100644 contrib/varlink/podman.conf
diff --git a/Makefile b/Makefile
index a839b1a..3833ac7 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,7 @@ MANDIR ?= ${PREFIX}/share/man
SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
ETCDIR ?= ${DESTDIR}/etc
ETCDIR_LIBPOD ?= ${ETCDIR}/crio
+TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
PYTHON ?= /usr/bin/python3
@@ -208,6 +209,7 @@ install.docker: docker-docs
install.systemd:
install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.socket ${SYSTEMDDIR}/io.projectatomic.podman.socket
install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.service ${SYSTEMDDIR}/io.projectatomic.podman.service
+ install ${SELINUXOPT} -m 644 -D contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf
uninstall:
for i in $(filter %.1,$(MANPAGES)); do \
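Review bot: The `uninstall` target that begins on the last line of this hunk is not touched by the commit (the diffstat shows only two added Makefile lines), so the new `${TMPFILESDIR}/podman.conf` installed by `install.systemd` is never removed and would keep recreating a root-only /run/podman on every boot after an uninstall; its body continues outside the hunk, so I cannot see how the socket and service units are handled there, but the conf file belongs next to them, e.g. `$(RM) ${TMPFILESDIR}/podman.conf`. Separately, copying the file into tmpfiles.d does not apply it: until `systemd-tmpfiles --create podman.conf` runs or the machine reboots, /run/podman does not exist, and starting the socket unit right after `make install` leaves it to systemd to create the parent directory with the unit's own DirectoryMode= default rather than the 0700 from the conf. A short comment above the new install line stating that the entry only takes effect on the next tmpfiles run would save the next reader that surprise.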
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index d0ddcea..b1afee2 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
%{_unitdir}/io.%{project}.%{name}.service
%{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
%if 0%{?fedora} >= 28
%files -n python3-%{name}
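Review bot: The new `%{_tmpfilesdir}/%{name}.conf` entry packages the file but nothing runs it at install time — the diffstat shows a single added spec line — so on a fresh install /run/podman does not exist until the next boot, and a socket unit started before then gets its parent directory created by systemd with the default 0755 instead of the 0700 the conf asks for. The systemd RPM macros provide `%tmpfiles_create %{name}.conf` for exactly this; it belongs in the package's `%post`, presumably beside the `%systemd_post` call for the units, which is outside this hunk so I cannot confirm it exists. The `%files` list continues past the end of the hunk.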
diff --git a/contrib/varlink/io.projectatomic.podman.service b/contrib/varlink/io.projectatomic.podman.service
index fe3a236..1c4c143 100644
--- a/contrib/varlink/io.projectatomic.podman.service
+++ b/contrib/varlink/io.projectatomic.podman.service
@@ -1,11 +1,12 @@
[Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
Requires=io.projectatomic.podman.socket
After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
[Service]
Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
[Install]
WantedBy=multi-user.target
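Review bot: The socket path is now written out in three unrelated places — this `ExecStart=`, `ListenStream=` in the .socket unit and the `d` line in contrib/varlink/podman.conf — with nothing tying them together, so a later edit to one leaves the others silently diverging and the service would bind a second, non-activated socket at a path the unit and the directory permissions no longer cover. A comment above the line, `# Must match ListenStream= in io.projectatomic.podman.socket and the directory in podman.conf`, makes the coupling visible to the next editor. Whether podman varlink could instead take the listening socket from systemd and drop the path here I cannot tell from this hunk.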
diff --git a/contrib/varlink/io.projectatomic.podman.socket b/contrib/varlink/io.projectatomic.podman.socket
index d49b458..bd82c42 100644
--- a/contrib/varlink/io.projectatomic.podman.socket
+++ b/contrib/varlink/io.projectatomic.podman.socket
@@ -1,8 +1,10 @@
[Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
[Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
[Install]
WantedBy=sockets.target
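Review bot: `SocketMode=0600` locks down the socket inode itself, but the 0700 on /run/podman depends on the tmpfiles.d entry having run before this unit starts; when the directory is missing, systemd creates the parent of the `ListenStream=` path itself using `DirectoryMode=`, which defaults to 0755, so the first start after a package install (before any reboot or tmpfiles run) yields a world-traversable directory around a root-only socket. Adding `DirectoryMode=0700` under `[Socket]` makes the unit consistent with contrib/varlink/podman.conf regardless of which runs first. `SocketUser=`/`SocketGroup=` default to root, so 0600 does deliver the root-only access the commit message describes, as long as the socket is created by this unit and not by a manually started `podman varlink`, whose mode this commit does not show.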
diff --git a/contrib/varlink/podman.conf b/contrib/varlink/podman.conf
new file mode 100644
index 0000000..732c151
--- /dev/null
+++ b/contrib/varlink/podman.conf
@@ -0,0 +1 @@
+d /run/podman 0700 root root
diff --git a/docs/podman-varlink.1.md b/docs/podman-varlink.1.md
index 6cfa8c8..68a0f08 100644
--- a/docs/podman-varlink.1.md
+++ b/docs/podman-varlink.1.md
@@ -31,8 +31,16 @@ More will go here as the docs and api firm up.
as well.
-->
+## CONFIGURATION
+
+Users of the podman varlink service should enable the io.projectatomic.podman.socket and io.projectatomic.podman.service.
+
+You can do this via systemctl
+
+systemctl enable --now io.projectatomic.podman.socket
+
## SEE ALSO
-podman(1)
+podman(1), systemctl(1)
## HISTORY
April 2018, Originally compiled by Brent Baude<bbaude@redhat.com>
--
2.14.3