github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-18 17:01:07 +00:00
Code Issues Projects Releases Wiki Activity
master
linuxkit/reports/sig-security/2017-08-02.md
Riyaz Faizullabhoy b68f7e6dc5 sig-security: add video for alpine SIG 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-08-03 09:42:16 -07:00

1.7 KiB
Raw Permalink Blame History

2017-08-02

Time: 9am PDT (12pm EDT, 5pm BST) see the time in your timezone

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post - coming soon

Video recording: https://www.youtube.com/watch?v=5FHYdwQlAMs

Previous meeting notes: 2017-07-19

Agenda

  • Introductions & Administrivia (5 min)
  • Alpine Linux - security deep dive - @ncopa (45 min)
  • Project updates (10 min)
  • Next meeting: 2017-08-16
    • deep dive TBD
    • please feel free to propose additional deep dives and discussion topics!

Meeting Notes

  • Alpine Linux intro slides
    • Question: what's the strategy for getting rid of SUID? File capabilities?
      • Answer: no real plan
    • Question: what's the strategy in the face of no more public GRSecurity patches?
      • Answer: Currently forward porting last test patch, slightly risky, not a good solution. May discontinue use at some point.
    • Question: Thoughts on capabilities?
      • Answer: fs-caps sound like a nice way to get rid of SUID bits, since they're uid-independent.
    • Question: Thoughts on LSMs?
      • Answer: SELinux is complicated, AppArmor is simpler and perhaps better in that sense, not on the roadmap currently for Alpine to implement default profiles (but may be in the future)
    • Question: What exactly is the deal with TLS?
      • glibc does lazy allocation, so after pthread_create(), at some later point, the actual allocation for TLS may fail, and glibc simply aborts(). This is one reason dlopen is a noop, but not the only reason.