sig-security: 2017-05-24 meeting notes

Signed-off-by: Tycho Andersen <tycho@docker.com>

reports/sig-security/2017-05-24.md

@@ -26,3 +26,60 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
   - we can propose additional deep dives and discussion topics!
 
 ## Meeting Notes
+
+* Administrivia
+  * There is a code of conduct
+  * Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies
+* What is LinuxKit?
+  * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro
+    building tool, not a distro itself
+  * Grew out of Docker for \* ({AWS, Mac, etc.})
+  * Borrowed userspace mostly from Alpine
+  * system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are
+    distributed as Docker images
+  * base OS is immutable, since daemons are containers
+* Projects
+  * Clear Containers
+    * Question: what's the Intel feeling r.e. kvmtool, are they still
+      interested in using it for clear containers?
+  * Kernel config
+    * working on a more-sane way to manage kernel config, centered around diffs
+      from defconfig instead of whole configs
+  * Landlock
+    * eBPF LSM that may be a better solution to some of the problems that
+      SELinux can also solve
+    * no assumptions about policy, subjects, objects, etc. made by other LSMs
+  * LSM stacking
+    * hopefully this decade :)
+    * previous versions went up to a v22, but progress being made
+  * mirageSDK
+    * re-write system daemons that have lots attack surface but don't get much
+      attention (dhcpd is a great example, needs privs for netlink and such)
+    * dhcpd works (used in Docker desktop client)
+    * hoping to submit to google clusterfuzz
+  * okernel
+    * improve the linux kernel's ability to protect its own integrity
+    * leverage modern CPU support for things like EPT, to split the kernel into
+      two parts
+    * https://github.com/linux-okernel/linux-okernel
+  * Wireguard
+    * new "VPN" tunnel, meant to replace IPSec or OpenVPN
+    * much smaller codebase
+    * modern crypto
+    * less complexity: no certs, etc. key exchange is done out of band, simply
+      base64 encoded keys
+    * kernel module for now, working on upstreaming
+    * exposes a network device, so everything going through it is secure
+  * IMA namespacing
+    * IMA itself is designed to detect any changes to files
+    * allows users to specify policies about which files to check
+    * EVM protects changes to file xattrs, etc.
+    * IMA is not namespace aware right now, the goal is to be able to add
+      custom policies per-mount-namespace policies
+* "hardened" channel
+  * maybe don't call it "hardened", since it really means "testing" (staging,
+    probational)
+  * require CI for graduation
+* wrap up
+  * forum link above
+  * video recording: (TBD)