New policy type to check client credentials?

[Markku Savela]

On August 4th 2008, I posted a message with topic "An issue with group
based <policy> in dbus daemon". The core of my complaint was the ghet
"<policy group=xx >" tests static information based on /etc/group
file. I wanted it to test the actual current gid/supplementary groups
of the client process. The conclusion was that I should not change the
semantics of the group policy.

I now have a patch to DBus daemon and some supplementary code, which
adds the functionality of the DBus policy features as follows:

I propose adding a new syntax for policy construct as

  <policy creds="credentials-value"> ...

The credentials value in my prototype implementation can be

- if your policy depends on the uid of the client process (essentially
  replicates the <policy user=username> (but, for completenes):

    "uid::username"

- if your policy depends on gid of the client process (as contained in
  credentials of the process context -- not based on uid and
  /etc/group):

     "gid::groupname"

- if your policy depends on client having some capability set its
  credentials, then

     "cap::capability-name"

Examples...

  <policy creds="uid::root"> ...
  <policy creds="gid::audio"> ...
  <policy creds="cap::cap_net_bind_service"> ...

The credential-value has the "namespace"-like prefix ("uid", "gid",
"cap"), because in future, there might be additional types of
credentials that might be checked against.

The current commonly used linux kernels do not have a proper way for
accessing the credentials of another task. But, for a reference
implementation, the information required by above policies can be
extracted from "/proc/<pid>/status" at some parsing cost (and with
additional limitation that only 32 supplementary groups can be seen).

I've writen a separate library, which I have named "libcreds1", which
hides the nasty details. From this library, my proposed DBus patch
uses the following three functions

 // Get credential of another process
     creds_t creds_gettask(pid_t pid);
 // Convert credentials literal to value  (returns creds type: cap/uid/gid)
     long creds_str2creds(const char *credential, creds_value_t *value);
 // Check whether a specific credential is present
     int creds_have_p(const creds_t creds, creds_type_t type, creds_value_t value);
 // Free credentials blob
     void creds_free(creds_t creds);

In future, I hope the linux kernel will have some way of querying the
credentials of another process, and the implementation of the library
can be updated to use it. (In the meantime, I'm planning to use
alternate implementation and my own kernel module, which returns the
full credentials -- more than 32 supplementary groups, if present).

My query is: would the described feature be useful in general? Would
it be sensible to have this available in DBus mainline code? And if
yes, how to proceed? Post the patch and source of the libcreds
reference impelentation here?