From 020c84d01f39ed9bb53bcbd37afaea0bfd50c22a Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Wed, 24 May 2017 11:04:44 -0600 Subject: [PATCH 1/2] sig-security: 2017-05-24 meeting notes Signed-off-by: Tycho Andersen --- reports/sig-security/2017-05-24.md | 57 ++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/reports/sig-security/2017-05-24.md b/reports/sig-security/2017-05-24.md index e71e41d57..3c72e294b 100644 --- a/reports/sig-security/2017-05-24.md +++ b/reports/sig-security/2017-05-24.md 
@@ -26,3 +26,60 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu - we can propose additional deep dives and discussion topics! ## Meeting Notes + +* Administrivia + * There is a code of conduct + * Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies +* What is LinuxKit? + * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro + building tool, not a distro itself + * Grew out of Docker for \* ({AWS, Mac, etc.}) + * Borrowed userspace mostly from Alpine + * system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are + distributed as Docker images + * base OS is immutable, since daemons are containers +* Projects + * Clear Containers + * Question: what's the Intel feeling r.e. kvmtool, are they still + interested in using it for clear containers? + * Kernel config + * working on a more-sane way to manage kernel config, centered around diffs + from defconfig instead of whole configs + * Landlock + * eBPF LSM that may be a better solution to some of the problems that + SELinux can also solve + * no assumptions about policy, subjects, objects, etc. made by other LSMs + * LSM stacking + * hopefully this decade :) + * previous versions went up to a v22, but progress being made + * mirageSDK + * re-write system daemons that have lots attack surface but don't get much + attention (dhcpd is a great example, needs privs for netlink and such) + * dhcpd works (used in Docker desktop client) + * hoping to submit to google clusterfuzz + * okernel + * improve the linux kernel's ability to protect its own integrity + * leverage modern CPU support for things like EPT, to split the kernel into + two parts + * https://github.com/linux-okernel/linux-okernel + * Wireguard + * new "VPN" tunnel, meant to replace IPSec or OpenVPN + * much smaller codebase + * modern crypto + * less complexity: no certs, etc. 
key exchange is done out of band, simply + base64 encoded keys + * kernel module for now, working on upstreaming + * exposes a network device, so everything going through it is secure + * IMA namespacing + * IMA itself is designed to detect any changes to files + * allows users to specify policies about which files to check + * EVM protects changes to file xattrs, etc. + * IMA is not namespace aware right now, the goal is to be able to add + custom policies per-mount-namespace policies +* "hardened" channel + * maybe don't call it "hardened", since it really means "testing" (staging, + probational) + * require CI for graduation +* wrap up + * forum link above + * video recording: (TBD) From dfbbfee3b56d452044b2b624e5068ffcca40dcdc Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Wed, 24 May 2017 11:35:14 -0600 Subject: [PATCH 2/2] fixes from review * make each relevant heading a link * HP->HPE, fix spelling of Arxan * add mainline linuxkit insecure blurb Signed-off-by: Tycho Andersen --- reports/sig-security/2017-05-24.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/reports/sig-security/2017-05-24.md b/reports/sig-security/2017-05-24.md index 3c72e294b..ed0f175f6 100644 --- a/reports/sig-security/2017-05-24.md +++ b/reports/sig-security/2017-05-24.md @@ -29,7 +29,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu * Administrivia * There is a code of conduct - * Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies + * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arkxan Technologies * What is LinuxKit? * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro building tool, not a distro itself 
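Review bot: two wording slips in the added notes of the first patch's hunk should be fixed before the report is published: under mirageSDK, "daemons that have lots attack surface" is missing "of" ("lots of attack surface"), and under IMA namespacing, "add custom policies per-mount-namespace policies" repeats "policies" ("add custom per-mount-namespace policies"). The "Arksan (sp?)" placeholder and "video recording: (TBD)" are also landed as-is; acceptable for a first draft, but both are open items that need a follow-up so the committed notes do not carry unresolved questions.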
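Review bot: the replacement attendee line in this hunk spells the company "Arkxan Technologies", while the commit message says "fix spelling of Arxan"; the hunk and the message disagree, so one of them is still wrong. If the commit message has the intended name, the line should read `+ * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arxan Technologies`; otherwise the commit message needs updating to match.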
@@ -39,30 +39,30 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu distributed as Docker images * base OS is immutable, since daemons are containers * Projects - * Clear Containers + * [Clear Containers](../../projects/clear-containers/) * Question: what's the Intel feeling r.e. kvmtool, are they still interested in using it for clear containers? - * Kernel config + * [Kernel config](../../projects/kernel-config/) * working on a more-sane way to manage kernel config, centered around diffs from defconfig instead of whole configs - * Landlock + * [Landlock](../../projects/landlock/) * eBPF LSM that may be a better solution to some of the problems that SELinux can also solve * no assumptions about policy, subjects, objects, etc. made by other LSMs * LSM stacking * hopefully this decade :) * previous versions went up to a v22, but progress being made - * mirageSDK + * [mirageSDK](../../projects/miragesdk/) * re-write system daemons that have lots attack surface but don't get much attention (dhcpd is a great example, needs privs for netlink and such) * dhcpd works (used in Docker desktop client) * hoping to submit to google clusterfuzz - * okernel + * [okernel](../../projects/okernel/) * improve the linux kernel's ability to protect its own integrity * leverage modern CPU support for things like EPT, to split the kernel into two parts * https://github.com/linux-okernel/linux-okernel - * Wireguard + * [Wireguard](../../projects/wireguard/) * new "VPN" tunnel, meant to replace IPSec or OpenVPN * much smaller codebase * modern crypto 
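Review bot: every project heading in this hunk is turned into a link except "LSM stacking", which is left as plain text between the Landlock and mirageSDK entries. If that is deliberate because no project directory exists for it yet, a short note on that bullet (or a follow-up to add the directory and link) would make it clear the omission was not an oversight, since the commit message says "make each relevant heading a link".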
@@ -70,7 +70,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu base64 encoded keys * kernel module for now, working on upstreaming * exposes a network device, so everything going through it is secure - * IMA namespacing + * [IMA namespacing](../../projects/wireguard/) * IMA itself is designed to detect any changes to files * allows users to specify policies about which files to check * EVM protects changes to file xattrs, etc. @@ -78,7 +78,8 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu custom policies per-mount-namespace policies * "hardened" channel * maybe don't call it "hardened", since it really means "testing" (staging, - probational) + probational), "hardened" also makes it sound like mainline LinuxKit isn't + secure somehow * require CI for graduation * wrap up * forum link above
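Review bot: in the first hunk above, the new link for "IMA namespacing" points at `../../projects/wireguard/`, the same target as the Wireguard heading in the previous hunk, which looks like a copy-paste slip; it should point at the IMA namespacing project directory instead. The correct path is not in this patch, so it needs to be filled in with the real directory name (something of the form `../../projects/<ima-namespacing-dir>/`) before merging.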
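Review bot: in the second hunk above, the reworded "hardened" bullet now joins two separate points with a comma ("... probational), "hardened" also makes it sound like ..."), which reads as a run-on. Splitting the second thought into its own sub-bullet, e.g. `+ * "hardened" also makes it sound like mainline LinuxKit isn't secure somehow`, keeps one idea per line as the rest of the notes do.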