github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-18 17:01:07 +00:00
Code Issues Projects Releases Wiki Activity
master
linuxkit/reports/sig-security/2017-06-21.md
Riyaz Faizullabhoy d0af1d979d sig-security: add video link 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-06-21 16:13:05 -07:00

3.3 KiB
Raw Permalink Blame History

2017-06-21

Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post

Video recording: https://youtu.be/TN3p7dR7r3M

Previous meeting notes: 2017-06-07

Agenda

  • Introductions & Administrivia (5 min)
  • signing: followup on last meeting's buildchain security discussion (15 min)
    • current state of signing in LinuxKit, explanation of delegations for auditing
    • propose pinning, policy, removing signatures
  • landlock deep dive - @l0kod (30 min)
    • What is it Landlock LSM? What is eBPF? Why do we care?
    • current state of the project, future patchsets and direction
    • architecture deep dive
    • demo
  • Project updates (10 min)
  • Next meeting: 2017-07-05
    • deep dive TBD
    • we can propose additional deep dives and discussion topics!

Meeting Notes

Scribe: @mgoelzer

  • Next meeting July 5

  • Recap of Moby Summit

    • slides for linuxkit update and linuxkit security, videos coming soon
    • Lots of bare metal linuxkit interest
    • auditd requested
    • Another Summit at Open Source Summit in LA

  • Package Signing

    • Based on Notary (based on The Update Framework) - implemented in Docker Content Trust in Docker CLI
    • all linuxkit/ images on Docker Hub are signed by maintainers
    • Guarantees:
      • authenticity
      • integrity
      • freshness
      • survivability after key compromise
    • Linuxkit yaml files container trust: block - tells moby builder that you want to verify all images in a given organization or per image control
    • Moby builder will first check the signatures for all images and validate expiration dates before pulling images
    • Future directions:
      • key pinning for signed packages
      • enforce multi-sig thresholds actively remove sigs for old packages (or let them expire)
      • private notary servers

  • Landlock LSM (presentation by @l0kod)

    • Presentation slides here
    • Threat: compromised processes (like browsers) -> privilege escalations -> access data on the system
    • Today we have:
      • access control through SELinux (fine grained)
      • seccomp-bpf (not an AC mechanism)
      • namespaces
    • Landlock is trying to do three things:
      • fine grained control
      • unprivileged
      • embedded in applications
    • Landlock = programmatic access control
    • Landlock rules:
      • written in C
      • compiled down to eBPF bytecode
      • embedded in application
      • application executes
      • Landlock rule loaded into running kernel
    • Example: rule that says application cannot write to files but can write to FIFOs

  • Key data structure: struct landlock_context

  • Overview of eBPF (extended Berkeley Packet Filtering)

    • In-kernel bytecode
    • For network filtering, tracing

  • Landlock Roadmap:

    • MVP
    • cgroups
    • new eBPF maps for fs checks
    • unprivileged mode