authorLokesh Mandvekar <lsm5@fedoraproject.org>2023-06-14 14:49:08 -0400
committerLokesh Mandvekar <lsm5@fedoraproject.org>2023-06-15 08:14:12 -0400
commit3efaffae43cb165092dedf2c8d20a9c8e59194df (patch)
tree48e6fab033e0090b7ce684f9ebc93cc82e470d4e /rpm
parent5b5b1cc4e224731b237f7343e987951bcc353d47 (diff)
New command: podmansh
This commit creates a new command, `podmansh`, which can be used by administrators to provide a confined shell to their users. The user will only have access to the volumes and capabilities for that user. Co-authored-by: Paul Holzinger <pholzing@redhat.com> Co-authored-by: Daniel Walsh <dwalsh@redhat.com> Co-authored-by: Petr Lautrbach <lautrbach@redhat.com> Co-authored-by: Ed Santiago <santiago@redhat.com> Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Diffstat (limited to 'rpm')
-rw-r--r--rpm/podman.spec18
1 files changed, 18 insertions, 0 deletions
diff --git a/rpm/podman.spec b/rpm/podman.spec
index 042fd2915..69d7143e7 100644
--- a/rpm/podman.spec
+++ b/rpm/podman.spec
@@ -241,6 +241,19 @@ It is based on the network stack of gVisor. Compared to libslirp,
gvisor-tap-vsock brings a configurable DNS server and
dynamic port forwarding.
+%package -n %{name}sh
+Summary: Confined login and user shell using %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Provides: %{name}-shell = %{epoch}:%{version}-%{release}
+Provides: %{name}-%{name}sh = %{epoch}:%{version}-%{release}
+
+%description -n %{name}sh
+%{name}sh provides a confined login and user shell with access to volumes and
+capabilities specified in user quadlets.
+
+It is a symlink to %{_bindir}/%{name} and execs into the `%{name}sh` container
+when `%{_bindir}/%{name}sh is set as a login shell or set as os.Args[0].
+
%prep
%autosetup -Sgit -n %{name}-%{version}
sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
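Review bot: The last sentence of the new `%description -n %{name}sh` has an unbalanced backtick before `%{_bindir}/%{name}sh`, and "set as os.Args[0]" is an implementation detail that an administrator reading `rpm -qi` will not be able to act on. I would write it as `It is a symlink to %{_bindir}/%{name} and execs into the %{name}sh container when %{_bindir}/%{name}sh is the login shell or when the binary is invoked under the name %{name}sh.` Because the package is presented as a confined shell, the description should also state that the confinement is exactly what the user's quadlet grants (volumes and capabilities), so that installing the package alone is not read as a security boundary. The `%prep` section that follows continues outside this hunk.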
@@ -414,6 +427,11 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
%{_libexecdir}/%{name}/gvproxy
%{_libexecdir}/%{name}/gvforwarder
+%files -n %{name}sh
+%license LICENSE
+%doc README.md CONTRIBUTING.md install.md transfer.md
+%{_bindir}/%{name}sh
+
%changelog
%if %{with changelog}
* Mon May 01 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
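Review bot: The new `%files -n %{name}sh` section ships a login shell but nothing in the visible spec says whether `%{_bindir}/%{name}sh` is meant to be listed in /etc/shells, and that choice is security-relevant. `chsh` typically refuses to let an unprivileged user change shells when the current one is not listed, so leaving it out helps keep a confined user confined, while tools that consult /etc/shells (pam_shells, for example) would reject the account. If the omission is deliberate, a comment above the section such as `# podmansh is deliberately not registered in /etc/shells so confined users cannot chsh out of it` would stop a later packager from "fixing" it. Separately, the `%doc` line repeats the generic podman documents; if the commit adds podmansh-specific documentation (not visible here, the diffstat is limited to rpm/), that is what this subpackage should carry.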