Tighten the security on the podman varlink socket

We only want root to be allowed to access this socket.
Also move socket to /run/podman directory.  This requires
us to drop a podman.conf tmpfiles.d file.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

Closes: #806
Approved by: mheon

Makefile

@@ -15,6 +15,7 @@ MANDIR ?= ${PREFIX}/share/man
 SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
 ETCDIR ?= ${DESTDIR}/etc
 ETCDIR_LIBPOD ?= ${ETCDIR}/crio
+TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
 SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
 BUILDTAGS ?= seccomp $(shell hack/btrfs_tag.sh) $(shell hack/libdm_tag.sh) $(shell hack/btrfs_installed_tag.sh) $(shell hack/ostree_tag.sh) $(shell hack/selinux_tag.sh)
 PYTHON ?= /usr/bin/python3
@@ -208,6 +209,7 @@ install.docker: docker-docs
 install.systemd:
 	install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.socket ${SYSTEMDDIR}/io.projectatomic.podman.socket
 	install ${SELINUXOPT} -m 644 -D contrib/varlink/io.projectatomic.podman.service ${SYSTEMDDIR}/io.projectatomic.podman.service
+	install ${SELINUXOPT} -m 644 -D contrib/varlink/podman.conf ${TMPFILESDIR}/podman.conf
 
 uninstall:
 	for i in $(filter %.1,$(MANPAGES)); do \

contrib/spec/podman.spec.in

@@ -469,6 +469,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
 %{_unitdir}/io.%{project}.%{name}.service
 %{_unitdir}/io.%{project}.%{name}.socket
+%{_tmpfilesdir}/%{name}.conf
 
 %if 0%{?fedora} >= 28
 %files -n python3-%{name}

contrib/varlink/io.projectatomic.podman.service

@@ -1,11 +1,12 @@
 [Unit]
-Description=Pod Manager
+Description=Podman Remote API Service
 Requires=io.projectatomic.podman.socket
 After=io.projectatomic.podman.socket
+Documentation=man:podman-varlink(1)
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/podman varlink unix:/run/io.projectatomic.podman
+ExecStart=/usr/bin/podman varlink unix:/run/podman/io.projectatomic.podman
 
 [Install]
 WantedBy=multi-user.target

contrib/varlink/io.projectatomic.podman.socket

@@ -1,8 +1,10 @@
 [Unit]
-Description=Pod Manager Socket
+Description=Podman Remote API Socket
+Documentation=man:podman-varlink(1)
 
 [Socket]
-ListenStream=/run/io.projectatomic.podman
+ListenStream=/run/podman/io.projectatomic.podman
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target

contrib/varlink/podman.conf

@@ -0,0 +1 @@
+d /run/podman 0700 root root

docs/podman-varlink.1.md

@@ -31,8 +31,16 @@ More will go here as the docs and api firm up.
     as well.
 -->
 
+## CONFIGURATION
+
+Users of the podman varlink service should enable the  io.projectatomic.podman.socket and io.projectatomic.podman.service.
+
+You can do this via systemctl
+
+systemctl enable --now io.projectatomic.podman.socket
+
 ## SEE ALSO
-podman(1)
+podman(1), systemctl(1)
 
 ## HISTORY
 April 2018, Originally compiled by Brent Baude<bbaude@redhat.com>