fixes from review

* make each relevant heading a link
* HP->HPE, fix spelling of Arxan
* add mainline linuxkit insecure blurb

Signed-off-by: Tycho Andersen <tycho@docker.com>
Tycho Andersen 2017-05-24 11:35:14 -06:00
parent 020c84d01f
commit dfbbfee3b5


@ -29,7 +29,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
* Administrivia * Administrivia
* There is a code of conduct * There is a code of conduct
* Attendees from Docker, Intel, HP, Google, IBM, ARM, Arksan (sp?) technologies * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arkxan Technologies
* What is LinuxKit? * What is LinuxKit?
* LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro
building tool, not a distro itself building tool, not a distro itself
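Review bot: The attendees line on the new side spells the company "Arkxan Technologies", while the commit message says this change fixes the spelling to "Arxan". Suggest "Arxan Technologies" so the text matches the stated fix.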
@ -39,30 +39,30 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
distributed as Docker images distributed as Docker images
* base OS is immutable, since daemons are containers * base OS is immutable, since daemons are containers
* Projects * Projects
* Clear Containers * [Clear Containers](../../projects/clear-containers/)
* Question: what's the Intel feeling r.e. kvmtool, are they still * Question: what's the Intel feeling r.e. kvmtool, are they still
interested in using it for clear containers? interested in using it for clear containers?
* Kernel config * [Kernel config](../../projects/kernel-config/)
* working on a more-sane way to manage kernel config, centered around diffs * working on a more-sane way to manage kernel config, centered around diffs
from defconfig instead of whole configs from defconfig instead of whole configs
* Landlock * [Landlock](../../projects/landlock/)
* eBPF LSM that may be a better solution to some of the problems that * eBPF LSM that may be a better solution to some of the problems that
SELinux can also solve SELinux can also solve
* no assumptions about policy, subjects, objects, etc. made by other LSMs * no assumptions about policy, subjects, objects, etc. made by other LSMs
* LSM stacking * LSM stacking
* hopefully this decade :) * hopefully this decade :)
* previous versions went up to a v22, but progress being made * previous versions went up to a v22, but progress being made
* mirageSDK * [mirageSDK](../../projects/miragesdk/)
* re-write system daemons that have lots attack surface but don't get much * re-write system daemons that have lots attack surface but don't get much
attention (dhcpd is a great example, needs privs for netlink and such) attention (dhcpd is a great example, needs privs for netlink and such)
* dhcpd works (used in Docker desktop client) * dhcpd works (used in Docker desktop client)
* hoping to submit to google clusterfuzz * hoping to submit to google clusterfuzz
* okernel * [okernel](../../projects/okernel/)
* improve the linux kernel's ability to protect its own integrity * improve the linux kernel's ability to protect its own integrity
* leverage modern CPU support for things like EPT, to split the kernel into * leverage modern CPU support for things like EPT, to split the kernel into
two parts two parts
* https://github.com/linux-okernel/linux-okernel * https://github.com/linux-okernel/linux-okernel
* Wireguard * [Wireguard](../../projects/wireguard/)
* new "VPN" tunnel, meant to replace IPSec or OpenVPN * new "VPN" tunnel, meant to replace IPSec or OpenVPN
* much smaller codebase * much smaller codebase
* modern crypto * modern crypto
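Review bot: "LSM stacking" stays plain text while the six other project headings in this hunk become links under ../../projects/. If a project page exists for it, link it the same way; if not, a brief mention in the commit message of why it is skipped would make "each relevant heading" unambiguous.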
@ -70,7 +70,7 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
base64 encoded keys base64 encoded keys
* kernel module for now, working on upstreaming * kernel module for now, working on upstreaming
* exposes a network device, so everything going through it is secure * exposes a network device, so everything going through it is secure
* IMA namespacing * [IMA namespacing](../../projects/wireguard/)
* IMA itself is designed to detect any changes to files * IMA itself is designed to detect any changes to files
* allows users to specify policies about which files to check * allows users to specify policies about which files to check
* EVM protects changes to file xattrs, etc. * EVM protects changes to file xattrs, etc.
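Review bot: The new "IMA namespacing" heading links to ../../projects/wireguard/, the same target given to the Wireguard heading in the previous hunk, which looks like a copy-paste slip. Point it at the IMA namespacing project directory instead.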
@ -78,7 +78,8 @@ Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introdu
custom policies per-mount-namespace policies custom policies per-mount-namespace policies
* "hardened" channel * "hardened" channel
* maybe don't call it "hardened", since it really means "testing" (staging, * maybe don't call it "hardened", since it really means "testing" (staging,
probational) probational), "hardened" also makes it sound like mainline LinuxKit isn't
secure somehow
* require CI for graduation * require CI for graduation
* wrap up * wrap up
* forum link above * forum link above
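Review bot: The text added after "probational)" is attached with a comma splice, and "probational" would read better as "probationary". Suggest closing the parenthetical with a semicolon or period and starting a new clause, e.g. "probationary); "hardened" also makes it sound like mainline LinuxKit isn't secure somehow".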