linuxkit/reports/sig-security/2017-08-02.md

# 2017-08-02
Time: **9am PDT** (12pm EDT, 5pm BST) [see the time in your timezone](https://www.timeanddate.com/worldclock/fixedtime.html?msg=Linuxkit+Security+SIG&iso=20170802T09&p1=224)

Meeting location: https://docker.zoom.us/j/779801882

Announcement: Moby project forum post - coming soon

Video recording: https://www.youtube.com/watch?v=5FHYdwQlAMs

Previous meeting notes: [2017-07-19](2017-07-19.md)

## Agenda
- Introductions & Administrivia (5 min)
- Alpine Linux - security deep dive - @ncopa (45 min)
- Project updates (10 min)
- Next meeting: 2017-08-16
  - deep dive TBD
  - please feel free to propose additional deep dives and discussion topics!

## Meeting Notes

- Alpine Linux intro [slides](https://dev.alpinelinux.org/~ncopa/presentations/alpine-security-mission.html)
  - Question: what's the strategy for getting rid of SUID? File capabilities?
    - Answer: no real plan
  - Question: what's the strategy in the face of no more public GRSecurity
    patches?
    - Answer: Currently forward porting last test patch, slightly risky, not a
      good solution. May discontinue use at some point.
  - Question: Thoughts on capabilities?
    - Answer: fs-caps sound like a nice way to get rid of SUID bits, since
      they're uid-independent.
  - Question: Thoughts on LSMs?
    - Answer: SELinux is complicated, AppArmor is simpler and perhaps better in
      that sense, not on the roadmap currently for Alpine to implement default
      profiles (but may be in the future)
  - Question: What exactly is the deal with TLS?
    - glibc does *lazy* allocation, so after pthread_create(), at some later
      point, the actual allocation for TLS may fail, and glibc simply aborts().
      This is one reason dlopen is a noop, but not the only reason.