[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Authentication/Roles Based Access Control with Docker API.

On 11/25/2014 03:04 AM, Stef Walter wrote:
> On 22.11.2014 17:41, Clayton Coleman wrote:
> > We'll need to authorize containers to talk to docker - what
> > limitations would polkit have in those circumstances?  We can
> > ensure we run the requesting container as a known uid, but in some
> > cases we may need to rely on other characteristics of the
> > container.
> Correct me if I'm wrong ... but the linux kernel doesn't yet have a
> way to pass credentials other than UID/PID/SELinux context as socket
> credentials. Anything that uses the PID to do a lookup for other stuff
>  (eg: cgroup or namespace of caller) is very broken and racy.
> There is a kernel patch being worked on to allow passing of further
> credentials. This patch is a prerequisite of kbus, but not strictly
> related. Dan may know more about the status of this patch.
> Once this kernel feature is available, lots of software will need to
> be updated to take advantage of it, including polkit, where new
> 'subjects' will need to be added for caller cgroup and/or namespace.
> Hope that answers the question ... and I didn't miss the point all
> together :D
> Stef
Yes KDBUS solves a lot of these problems by passing all of the
Authentication data in the payload.


Problem is we will not have this until RHEL8 and Maybe Fedora 22.

Now as Stef says the only non racy data is UID/GID/SELinux.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]