[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] We are working on Roles Based Access Control for docker.

From: Colin Walters <walters verbum org>
To: atomic-devel projectatomic io
Subject: Re: [atomic-devel] We are working on Roles Based Access Control for docker.
Date: Tue, 31 Mar 2015 17:02:09 -0400

On Tue, Mar 31, 2015, at 04:35 AM, Pavel Odvody wrote:

> It's supposed to work in the following way:
> - docker daemon is started with the --trusted flag, this labels the
> process as SELinux type 'docker_daemon_t', daemon also labels the
> created Unix socket as 'docker_socket_t'. Define a policy that allows
> only docker_daemon_t to talk to docker_socket_t. This ensures that the
> daemon communicates only with compatible binary; other methods of
> communication with the daemon have to be disabled (TCP).

But what domains can transition to docker_daemon_t ? Is e.g. unconfined_t -> docker_daemon_t a valid transition?  If so, we aren't gaining anything AFAICS.  If it's not, what domains can?

On Tue, Mar 31, 2015, at 04:35 AM, Pavel Odvody wrote:
>
> - each request that is sent from Docker Cli to the daemon is decorated
> with 2 additional HTTP headers, UID/EUID of the user.

You really want instead to have docker use `getsockopt` with `SO_PEERCRED` when the socket connection is first set up.  Anything else is subject to forgery.

References:
- [atomic-devel] We are working on Roles Based Access Control for docker.
  - From: Daniel J Walsh
- Re: [atomic-devel] We are working on Roles Based Access Control for docker.
  - From: Pavel Odvody

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]