diff --git a/reports/sig-security/2017-05-24.md b/reports/sig-security/2017-05-24.md index e71e41d57..ed0f175f6 100644 --- a/reports/sig-security/2017-05-24.md +++ b/reports/sig-security/2017-05-24.md 
@@ -26,3 +26,61 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu - we can propose additional deep dives and discussion topics! ## Meeting Notes + +* Administrivia + * There is a code of conduct + * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arkxan Technologies +* What is LinuxKit? + * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro + building tool, not a distro itself + * Grew out of Docker for \* ({AWS, Mac, etc.}) + * Borrowed userspace mostly from Alpine + * system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are + distributed as Docker images + * base OS is immutable, since daemons are containers +* Projects + * [Clear Containers](../../projects/clear-containers/) + * Question: what's the Intel feeling r.e. kvmtool, are they still + interested in using it for clear containers? + * [Kernel config](../../projects/kernel-config/) + * working on a more-sane way to manage kernel config, centered around diffs + from defconfig instead of whole configs + * [Landlock](../../projects/landlock/) + * eBPF LSM that may be a better solution to some of the problems that + SELinux can also solve + * no assumptions about policy, subjects, objects, etc. 
made by other LSMs + * LSM stacking + * hopefully this decade :) + * previous versions went up to a v22, but progress being made + * [mirageSDK](../../projects/miragesdk/) + * re-write system daemons that have lots attack surface but don't get much + attention (dhcpd is a great example, needs privs for netlink and such) + * dhcpd works (used in Docker desktop client) + * hoping to submit to google clusterfuzz + * [okernel](../../projects/okernel/) + * improve the linux kernel's ability to protect its own integrity + * leverage modern CPU support for things like EPT, to split the kernel into + two parts + * https://github.com/linux-okernel/linux-okernel + * [Wireguard](../../projects/wireguard/) + * new "VPN" tunnel, meant to replace IPSec or OpenVPN + * much smaller codebase + * modern crypto + * less complexity: no certs, etc. key exchange is done out of band, simply + base64 encoded keys + * kernel module for now, working on upstreaming + * exposes a network device, so everything going through it is secure + * [IMA namespacing](../../projects/wireguard/) + * IMA itself is designed to detect any changes to files + * allows users to specify policies about which files to check + * EVM protects changes to file xattrs, etc. + * IMA is not namespace aware right now, the goal is to be able to add + custom policies per-mount-namespace policies +* "hardened" channel + * maybe don't call it "hardened", since it really means "testing" (staging, + probational), "hardened" also makes it sound like mainline LinuxKit isn't + secure somehow + * require CI for graduation +* wrap up + * forum link above + * video recording: (TBD)
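Review bot: The `[IMA namespacing](../../projects/wireguard/)` entry in the Projects list reuses the link target of the Wireguard entry directly above it, so the IMA notes point readers at the wrong project page. This looks like a copy-paste slip; the link should go to the IMA namespacing project's own directory. Two wording fixes in the same hunk: "custom policies per-mount-namespace policies" repeats "policies" (probably meant "custom per-mount-namespace policies"), and the mirageSDK bullet says "lots attack surface" where "lots of attack surface" is intended. The wrap-up line "video recording: (TBD)" should get the real link before or shortly after merge so the report is not left with a permanent placeholder.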