# 2017-05-24
Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://www.timeanddate.com/worldclock/fixedtime.html?msg=Linuxkit+Security+SIG&iso=20170524T09&p1=224)

Meeting location: https://docker.zoom.us/j/779801882

Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introducing-linuxkit-security-sig-first-meeting-may-24th/47)

Video Recording: https://youtu.be/OB1Tu6cISLg

## Agenda
- Introductions
- Overview of LinuxKit and its security initiatives
- Discuss goals of SIG
- Updates on security `/projects`:
  - clear-containers
  - kernel-config
  - kspp
  - landlock
  - miragesdk
  - okernel
  - wireguard
  - IMA namespace support
- Proposal: `hardened` channel - combining multiple security `/projects` into one yml
  - which projects are ready?  When is a project "ready"?
  - which projects can / cannot be combined?
- Next meeting: 2017-06-07
  - miragesdk demo and deep dive - @samoht
  - we can propose additional deep dives and discussion topics!

## Meeting Notes

* Administrivia
  * There is a code of conduct
  * Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arxan Technologies
* What is LinuxKit?
  * LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro
    building tool, not a distro itself
  * Grew out of Docker for \* ({AWS, Mac, etc.})
  * Borrowed userspace mostly from Alpine
  * system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are
    distributed as Docker images
  * base OS is immutable, since daemons are containers
* Projects
  * [Clear Containers](../../projects/clear-containers/)
    * Question: what's the Intel feeling r.e. kvmtool, are they still
      interested in using it for clear containers?
  * [Kernel config](../../projects/kernel-config/)
    * working on a more-sane way to manage kernel config, centered around diffs
      from defconfig instead of whole configs
  * [Landlock](../../projects/landlock/)
    * eBPF LSM that may be a better solution to some of the problems that
      SELinux can also solve
    * no assumptions about policy, subjects, objects, etc. made by other LSMs
  * LSM stacking
    * hopefully this decade :)
    * previous versions went up to a v22, but progress being made
  * [mirageSDK](../../projects/miragesdk/)
    * re-write system daemons that have lots attack surface but don't get much
      attention (dhcpd is a great example, needs privs for netlink and such)
    * dhcpd works (used in Docker desktop client)
    * hoping to submit to google clusterfuzz
  * [okernel](../../projects/okernel/)
    * improve the linux kernel's ability to protect its own integrity
    * leverage modern CPU support for things like EPT, to split the kernel into
      two parts
    * https://github.com/linux-okernel/linux-okernel
  * [Wireguard](../../projects/wireguard/)
    * new "VPN" tunnel, meant to replace IPSec or OpenVPN
    * much smaller codebase
    * modern crypto
    * less complexity: no certs, etc. key exchange is done out of band, simply
      base64 encoded keys
    * kernel module for now, working on upstreaming
    * exposes a network device, so everything going through it is secure
  * [IMA namespacing](../../projects/ima-namespace/)
    * IMA itself is designed to detect any changes to files
    * allows users to specify policies about which files to check
    * EVM protects changes to file xattrs, etc.
    * IMA is not namespace aware right now, the goal is to be able to add
      custom policies per-mount-namespace policies
* "hardened" channel
  * maybe don't call it "hardened", since it really means "testing" (staging,
    probational), "hardened" also makes it sound like mainline LinuxKit isn't
    secure somehow
  * require CI for graduation
* wrap up
  * forum link above
  * [video recording](https://youtu.be/OB1Tu6cISLg)