On Thu, Mar 18, 2021 at 09:14:27PM +0100, Ilya Maximets wrote: > On 3/18/21 8:47 PM, Ilya Maximets wrote: > > On 3/18/21 6:52 PM, Stefan Hajnoczi wrote: > >> On Wed, Mar 17, 2021 at 09:25:26PM +0100, Ilya Maximets wrote: > >> BTW what is the security model of the broker? Unlike pathname UNIX > >> domain sockets there is no ownership permission check. > > > > I thought about this. Yes, we should allow connection to this socket > > for a wide group of applications. That might be a problem. > > However, 2 applications need to know the 1024 (at most) byte key in > > order to connect to each other. This might be considered as a > > sufficient security model in case these keys are not predictable. > > Suggestions on how to make this more secure are welcome. > > Digging more into unix sockets, I think that broker might use > SO_PEERCRED to identify at least a uid and gid of a client. > This way we can implement policies, e.g. one client might > request to pair it only with clients from the same group or > from the same user. > > This is actually a great extension for the SocketPair Broker Protocol. > > Might even use SO_PEERSEC to enforce even stricter policies > based on selinux context. Some piece of software or an administrator would need to understand the pid/uid/gid mappings used by specific containers in order to configure security policies in the broker like "app1 is allowed to connect to app2's socket". This is probably harder than it looks (and DBus already has everything to do this and more). Stefan