From 020c84d01f39ed9bb53bcbd37afaea0bfd50c22a Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Wed, 24 May 2017 11:04:44 -0600 Subject: [PATCH] sig-security: 2017-05-24 meeting notes Signed-off-by: Tycho Andersen --- reports/sig-security/2017-05-24.md | 57 ++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/reports/sig-security/2017-05-24.md b/reports/sig-security/2017-05-24.md index e71e41d57..3c72e294b 100644 --- a/reports/sig-security/2017-05-24.md +++ b/reports/sig-security/2017-05-24.md 
@@ -26,3 +26,60 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu - we can propose additional deep dives and discussion topics! ## Meeting Notes + +* Administrivia + * There is a code of conduct + * Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies +* What is LinuxKit? + * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro + building tool, not a distro itself + * Grew out of Docker for \* ({AWS, Mac, etc.}) + * Borrowed userspace mostly from Alpine + * system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are + distributed as Docker images + * base OS is immutable, since daemons are containers +* Projects + * Clear Containers + * Question: what's the Intel feeling r.e. kvmtool, are they still + interested in using it for clear containers? + * Kernel config + * working on a more-sane way to manage kernel config, centered around diffs + from defconfig instead of whole configs + * Landlock + * eBPF LSM that may be a better solution to some of the problems that + SELinux can also solve + * no assumptions about policy, subjects, objects, etc. made by other LSMs + * LSM stacking + * hopefully this decade :) + * previous versions went up to a v22, but progress being made + * mirageSDK + * re-write system daemons that have lots attack surface but don't get much + attention (dhcpd is a great example, needs privs for netlink and such) + * dhcpd works (used in Docker desktop client) + * hoping to submit to google clusterfuzz + * okernel + * improve the linux kernel's ability to protect its own integrity + * leverage modern CPU support for things like EPT, to split the kernel into + two parts + * https://github.com/linux-okernel/linux-okernel + * Wireguard + * new "VPN" tunnel, meant to replace IPSec or OpenVPN + * much smaller codebase + * modern crypto + * less complexity: no certs, etc. 
key exchange is done out of band, simply + base64 encoded keys + * kernel module for now, working on upstreaming + * exposes a network device, so everything going through it is secure + * IMA namespacing + * IMA itself is designed to detect any changes to files + * allows users to specify policies about which files to check + * EVM protects changes to file xattrs, etc. + * IMA is not namespace aware right now, the goal is to be able to add + custom policies per-mount-namespace policies +* "hardened" channel + * maybe don't call it "hardened", since it really means "testing" (staging, + probational) + * require CI for graduation +* wrap up + * forum link above + * video recording: (TBD)
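Review bot: the last bullet under "IMA namespacing" reads "be able to add custom policies per-mount-namespace policies", which repeats "policies"; suggest "be able to add custom per-mount-namespace policies". Smaller wording fixes in the same hunk: "lots attack surface" under mirageSDK is missing "of"; the project spells its name "WireGuard" and the protocol it is compared against is "IPsec"; "google clusterfuzz" is "Google ClusterFuzz"; and "Question: what's the Intel feeling r.e. kvmtool" reads better as "re: kvmtool". The "Arksan (sp?)" attendee entry and the "video recording: (TBD)" placeholder are the only items in the notes a reader cannot resolve later; either fill them in before merge or mark them as explicit follow-ups in the commit message.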