Time: 9am PDT (12pm EDT, 5pm BST)

Meeting location:

Announcement: Moby project forum post

Video recording:

Previous meeting notes: 2017-06-07


  • Introductions & Administrivia (5 min)
  • Signing: follow-up on last meeting's build-chain security discussion (15 min)
    • current state of signing in LinuxKit, explanation of delegations for auditing
    • proposals: key pinning, policy, removing signatures
  • Landlock deep dive - @l0kod (30 min)
    • What is the Landlock LSM? What is eBPF? Why do we care?
    • current state of the project, future patchsets and direction
    • architecture deep dive
    • demo
  • Project updates (10 min)
  • Next meeting: 2017-07-05
    • deep dive TBD
    • we can propose additional deep dives and discussion topics!

Meeting Notes

Scribe: @mgoelzer

  • Next meeting July 5

  • Recap of Moby Summit

    • slides for the LinuxKit update and LinuxKit security talks; videos coming soon
    • lots of interest in LinuxKit on bare metal
    • auditd support was requested
    • another Summit at Open Source Summit in LA
  • Package Signing

    • Based on Notary (an implementation of The Update Framework), the same mechanism behind Docker Content Trust in the Docker CLI
    • all linuxkit/ images on Docker Hub are signed by the maintainers
    • Guarantees:
      • authenticity
      • integrity
      • freshness
      • survivability after key compromise
    • LinuxKit YAML files have a trust: block that tells the Moby builder which images must be verified, either every image in a given organization or individual images
    • The Moby builder first checks the signatures for all such images and validates their expiration dates before pulling any of them
    • Future directions:
      • key pinning for signed packages
      • enforce multi-signature thresholds
      • actively remove signatures for old packages (or let them expire)
      • private Notary servers
  • Landlock LSM (presentation by @l0kod)

    • Presentation slides here
    • Threat: a compromised process (e.g. a browser) -> privilege escalation -> access to data on the system
    • Today we have:
      • access control through SELinux (fine grained)
      • seccomp-bpf (a syscall filter, not an access control mechanism)
      • namespaces
    • Landlock is trying to do three things:
      • fine grained control
      • unprivileged
      • embedded in applications
    • Landlock = programmatic access control
    • Landlock rules:
      • written in C
      • compiled down to eBPF bytecode
      • embedded in the application
      • when the application runs, it loads the rule into the running kernel
    • Example: a rule that says the application cannot write to files but can write to FIFOs
    • Key data structure: struct landlock_context
    • Overview of eBPF (extended Berkeley Packet Filter):
      • in-kernel bytecode
      • used for network filtering and tracing
    • Landlock roadmap:
      • MVP
      • cgroups
      • new eBPF maps for fs checks
      • unprivileged mode
