On Mon, 2015-03-30 at 13:15 -0400, Daniel J Walsh wrote:
> I have thrown up some of my original ideas on RBAC separation on
> github, described in the readme.md
>
> https://github.com/rhatdan/docker-rbac
>
> Please review and tell me if you have other ideas. I guess we can carry
> the conversation via issues, this email or pull requests.
>

Hey,

I've laid some groundwork for what I call 'TrusteDocker' in this branch:

https://github.com/shaded-enmity/docker/blob/trustedv2/engine/trusted/trusted.go

It's supposed to work in the following way:

- The docker daemon is started with the --trusted flag. This labels the process as SELinux type 'docker_daemon_t', and the daemon also labels the created Unix socket as 'docker_socket_t'. Define a policy that allows only docker_daemon_t to talk to docker_socket_t. This ensures that the daemon communicates only with a compatible binary; other methods of communication with the daemon have to be disabled (TCP).

- Each request that is sent from the Docker CLI to the daemon is decorated with 2 additional HTTP headers, the UID/EUID of the user.

- Containers can be labeled on a per-process basis, but I'm not sure how to label image files so that users can have private images (with the v2 image spec this is easy, as we can simply label the manifest, which is what defines the image).

- I'm not sure whether to define a specific label for each user, or just use the UID, aka MCS.

--
Pavel Odvody <podvody redhat com>
Software Engineer - EMEA ENG Developer Experience
5EC1 95C1 8E08 5BD9 9BBF 9241 3AFA 3A66 024F F68D
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno
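The UID/EUID header scheme from the mail, sketched as an added Go example (not code from the trustedv2 branch). The header names, the strict parsing and the ownership rule are assumptions made here; the only thing that makes such headers trustworthy at all is the SELinux policy restricting who can reach the socket, so the daemon side refuses anything malformed rather than guessing.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
)

// Header names are an assumption for this example; the mail does not name them.
const (
	hdrUID  = "X-Trusted-Uid"
	hdrEUID = "X-Trusted-Euid"
)

// Caller is the identity the daemon attributes to a request.
type Caller struct{ UID, EUID int }

// decorate adds the CLI's real and effective UID to an outgoing request.
func decorate(req *http.Request) {
	req.Header.Set(hdrUID, strconv.Itoa(os.Getuid()))
	req.Header.Set(hdrEUID, strconv.Itoa(os.Geteuid()))
}

// parseID rejects missing, non-numeric and negative values.
func parseID(name, s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("%s: missing or invalid id %q", name, s)
	}
	return n, nil
}

// callerFromHeaders parses both headers on the daemon side; a malformed
// request is refused rather than defaulted to some user.
func callerFromHeaders(h http.Header) (Caller, error) {
	uid, err := parseID(hdrUID, h.Get(hdrUID))
	if err != nil {
		return Caller{}, err
	}
	euid, err := parseID(hdrEUID, h.Get(hdrEUID))
	if err != nil {
		return Caller{}, err
	}
	return Caller{UID: uid, EUID: euid}, nil
}

// mayAccess: root sees everything, others only objects owned by their EUID.
func mayAccess(c Caller, ownerUID int) bool {
	return c.EUID == 0 || c.EUID == ownerUID
}
```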