linuxkit/reports/sig-security/2017-05-24.md
Riyaz Faizullabhoy 3950d8fb82 sig-security: Fix link to ima-namespace project
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-05-25 10:44:36 -07:00


2017-05-24

Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post

Video Recording: https://youtu.be/OB1Tu6cISLg

Agenda

  • Introductions
  • Overview of LinuxKit and its security initiatives
  • Discuss goals of SIG
  • Updates on security /projects:
    • clear-containers
    • kernel-config
    • kspp
    • landlock
    • miragesdk
    • okernel
    • wireguard
    • IMA namespace support
  • Proposal: hardened channel - combining multiple security /projects into one yml
    • which projects are ready? When is a project "ready"?
    • which projects can / cannot be combined?
  • Next meeting: 2017-06-07
    • miragesdk demo and deep dive - @samoht
    • we can propose additional deep dives and discussion topics!

Meeting Notes

  • Administrivia
    • There is a code of conduct
    • Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arxan Technologies
  • What is LinuxKit?
    • LinuxKit is a toolkit for building container-focused Linux systems, i.e. a distro-building tool, not a distro itself
    • Grew out of Docker for * ({AWS, Mac, etc.})
    • Borrowed userspace mostly from Alpine
    • system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are distributed as Docker images
    • base OS is immutable, since daemons are containers
  • Projects
    • Clear Containers
      • Question: what is Intel's current position regarding kvmtool; are they still interested in using it for Clear Containers?
    • Kernel config
      • working on a more-sane way to manage kernel config, centered around diffs from defconfig instead of whole configs
    • Landlock
      • eBPF LSM that may be a better solution to some of the problems that SELinux can also solve
      • makes none of the assumptions about policy, subjects, objects, etc. that other LSMs make
    • LSM stacking
      • hopefully this decade :)
      • previous versions went up to a v22, but progress being made
    • mirageSDK
      • re-write system daemons that have lots of attack surface but don't get much attention (dhcpd is a great example: it needs privileges for netlink and such)
      • dhcpd works (used in Docker desktop client)
      • hoping to submit to google clusterfuzz
    • okernel
    • Wireguard
      • new "VPN" tunnel, meant to replace IPSec or OpenVPN
      • much smaller codebase
      • modern crypto
      • less complexity: no certs, etc.; key exchange is done out of band, with simply base64-encoded keys
      • kernel module for now, working on upstreaming
      • exposes a network device, so everything going through it is secure
    • IMA namespacing
      • IMA itself is designed to detect any changes to files
      • allows users to specify policies about which files to check
      • EVM protects changes to file xattrs, etc.
      • IMA is not namespace aware right now; the goal is to be able to add custom per-mount-namespace policies
  • "hardened" channel
    • maybe don't call it "hardened", since it really means "testing" (staging, probational); "hardened" also makes it sound like mainline LinuxKit isn't secure somehow
    • require CI for graduation
  • wrap up
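The IMA notes above mention policies that say which files to check. As an added illustration, not from the meeting notes or the ima-namespace project, here is a small policy of the kind written to securityfs (`/sys/kernel/security/ima/policy`) on an IMA-enabled kernel. The rule keywords (`measure`, `dont_measure`, `appraise`, `func=`, `mask=`, `fsmagic=`, `uid=`, `fowner=`) are the upstream ima_policy ABI; the particular selection of rules is this example's own assumption. Today such a policy is global, which is exactly the limitation the per-mount-namespace work discussed above aims to lift.

```text
# Skip pseudo-filesystems; measuring them only adds noise to the log
# (procfs, sysfs, tmpfs magic numbers)
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x01021994
# Measure every binary as it is executed or mapped executable
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_MMAP mask=MAY_EXEC
# Measure files opened for reading by root
measure func=FILE_CHECK mask=MAY_READ uid=0
# Appraise root-owned files: verify contents against the security.ima xattr
# (EVM, mentioned above, is what protects that xattr from offline tampering)
appraise fowner=0
```

Comments must be whole lines, since the policy parser treats a line starting with `#` as a comment but does not strip trailing comments.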