github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-18 17:01:07 +00:00
Code Issues Projects Releases Wiki Activity
master
linuxkit/reports/sig-security/2017-05-24.md
Riyaz Faizullabhoy 3950d8fb82 sig-security: Fix link to ima-namespace project 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-05-25 10:44:36 -07:00

89 lines
3.8 KiB
Markdown
Raw Permalink Blame History

# 2017-05-24
Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://www.timeanddate.com/worldclock/fixedtime.html?msg=Linuxkit+Security+SIG&iso=20170524T09&p1=224)
Meeting location: https://docker.zoom.us/j/779801882
Announcement: [Moby project forum post](https://forums.mobyproject.org/t/introducing-linuxkit-security-sig-first-meeting-may-24th/47)
Video Recording: https://youtu.be/OB1Tu6cISLg
## Agenda
- Introductions
- Overview of LinuxKit and its security initiatives
- Discuss goals of SIG
- Updates on security `/projects`:
- clear-containers
- kernel-config
- kspp
- landlock
- miragesdk
- okernel
- wireguard
- IMA namespace support
- Proposal: `hardened` channel - combining multiple security `/projects` into one yml
- which projects are ready? When is a project "ready"?
- which projects can / cannot be combined?
- Next meeting: 2017-06-07
- miragesdk demo and deep dive - @samoht
- we can propose additional deep dives and discussion topics!
## Meeting Notes
* Administrivia
* There is a code of conduct
* Attendees from Docker, Intel, HPE, Google, IBM, ARM, Arxan Technologies
* What is LinuxKit?
* LinuxKit is a toolkit for building container-focused Linuxen. i.e. distro
building tool, not a distro itself
* Grew out of Docker for \* ({AWS, Mac, etc.})
* Borrowed userspace mostly from Alpine
* system daemons (e.g. DHCP, possibly SSH, etc.) run in containers, which are
distributed as Docker images
* base OS is immutable, since daemons are containers
* Projects
* [Clear Containers](../../projects/clear-containers/)
* Question: what's the Intel feeling r.e. kvmtool, are they still
interested in using it for clear containers?
* [Kernel config](../../projects/kernel-config/)
* working on a more-sane way to manage kernel config, centered around diffs
from defconfig instead of whole configs
* [Landlock](../../projects/landlock/)
* eBPF LSM that may be a better solution to some of the problems that
SELinux can also solve
* no assumptions about policy, subjects, objects, etc. made by other LSMs
* LSM stacking
* hopefully this decade :)
* previous versions went up to a v22, but progress being made
* [mirageSDK](../../projects/miragesdk/)
* re-write system daemons that have lots attack surface but don't get much
attention (dhcpd is a great example, needs privs for netlink and such)
* dhcpd works (used in Docker desktop client)
* hoping to submit to google clusterfuzz
* [okernel](../../projects/okernel/)
* improve the linux kernel's ability to protect its own integrity
* leverage modern CPU support for things like EPT, to split the kernel into
two parts
* https://github.com/linux-okernel/linux-okernel
* [Wireguard](../../projects/wireguard/)
* new "VPN" tunnel, meant to replace IPSec or OpenVPN
* much smaller codebase
* modern crypto
* less complexity: no certs, etc. key exchange is done out of band, simply
base64 encoded keys
* kernel module for now, working on upstreaming
* exposes a network device, so everything going through it is secure
* [IMA namespacing](../../projects/ima-namespace/)
* IMA itself is designed to detect any changes to files
* allows users to specify policies about which files to check
* EVM protects changes to file xattrs, etc.
* IMA is not namespace aware right now, the goal is to be able to add
custom policies per-mount-namespace policies
* "hardened" channel
* maybe don't call it "hardened", since it really means "testing" (staging,
probational), "hardened" also makes it sound like mainline LinuxKit isn't
secure somehow
* require CI for graduation
* wrap up
* forum link above
* [video recording](https://youtu.be/OB1Tu6cISLg)
Reference in New Issue View Git Blame Copy Permalink