
Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.



On 11/25/2014 03:04 AM, Stef Walter wrote:
> On 22.11.2014 17:41, Clayton Coleman wrote:
> > We'll need to authorize containers to talk to docker - what
> > limitations would polkit have in those circumstances?  We can
> > ensure we run the requesting container as a known uid, but in some
> > cases we may need to rely on other characteristics of the
> > container.
>
> Correct me if I'm wrong ... but the Linux kernel doesn't yet have a
> way to pass credentials other than UID/PID/SELinux context as socket
> credentials. Anything that uses the PID to do a lookup for other stuff
> (e.g. cgroup or namespace of caller) is very broken and racy.
>
> There is a kernel patch being worked on to allow passing of further
> credentials. This patch is a prerequisite of kbus, but not strictly
> related. Dan may know more about the status of this patch.
>
> Once this kernel feature is available, lots of software will need to
> be updated to take advantage of it, including polkit, where new
> 'subjects' will need to be added for caller cgroup and/or namespace.
>
> Hope that answers the question ... and I didn't miss the point
> altogether :D
>
> Stef

Yes, KDBUS solves a lot of these problems by passing all of the
authentication data in the payload.

UID/EUID/GID/EGID/AUDITUID/SELINUX/Capabilities/Cgroups ...

Problem is, we will not have this until RHEL8 and maybe Fedora 22.

Now, as Stef says, the only non-racy data is UID/GID/SELinux.
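
The socket credentials discussed in this thread, as an added example that is not part of the original messages and is not Docker or polkit code: a Linux-only Python sketch that reads `SO_PEERCRED` from a Unix socket and authorizes on the UID alone. The function names, the `allowed_uids` policy and the `socketpair` standing in for an API socket are assumptions made for the illustration.

```python
import os
import socket
import struct

# struct ucred as the Linux kernel returns it: pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel recorded for the peer of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def authorize(conn, allowed_uids):
    """Allow or deny using only the kernel-supplied UID (hypothetical policy)."""
    pid, uid, gid = peer_credentials(conn)
    # The pid is kept for logging only. Looking up /proc/<pid>/cgroup or the
    # caller's namespaces from it is the racy pattern described above: the
    # process can exit and the pid be reused before the lookup happens.
    creds = {"pid": pid, "uid": uid, "gid": gid}
    return uid in allowed_uids, creds


def demo():
    """Check a connected socket pair against an allowing and a denying policy."""
    # Constructed stand-in for a daemon's listening socket and one client.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        allowed, creds = authorize(server_end, {os.geteuid()})
        denied, _ = authorize(server_end, {os.geteuid() + 1})
        return allowed, denied, creds
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    print(demo())
```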


