Container vendor Docker is aiming to improve Linux kernel security by incubating several nascent Linux security projects within its LinuxKit community. LinuxKit is an open-source effort that Docker officially announced on April 18 as a toolkit to build container-optimized Linux distributions.
“Security is critically important for Docker, and LinuxKit represents an opportunity for us to help move security forward,” Nathan McCauley, director of security at Docker Inc., told eWEEK.
Within the LinuxKit effort there are a series of incubated projects that are focused on improving the security of Linux, according to McCauley. Docker and the LinuxKit project are also focused on making sure that all the Linux kernel security work moves upstream into the mainline Linux kernel, he added.
“We recognize that there are a ton of people in the Linux community working on security improvements, and we want LinuxKit to be a place where they can foster and grow their efforts,” McCauley said.
Among the projects incubated in the LinuxKit community is the open-source Wireguard VPN (virtual private network) for Linux.
“Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like WhatsApp,” McCauley said.
The WhatsApp messaging application uses the Noise Protocol Framework, technology that is also at the core of the Wireguard VPN. Wireguard brings a very lightweight and secure VPN technology to Linux, he said.
“An interesting feature of Wireguard is that it can mount into a network namespace, enabling container-to-container encrypted communications,” McCauley said.
Kernel Self Protection Project
Google developer Kees Cook launched the Kernel Self Protection Project (KSPP) in 2016 as a way to provide additional layers of security to the Linux kernel. Among the many areas that KSPP is working on are protections to help mitigate memory corruption risks.
McCauley said KSPP is an important effort for improving Linux security and LinuxKit. As such, Docker Inc. has several full-time employees working on and contributing to the KSPP project.
There are several Linux Security Modules (LSMs) in the mainline Linux kernel that provide access control policies for processes running in Linux. The two most popular LSMs are SELinux and AppArmor. SELinux was originally developed by the U.S. National Security Agency (NSA) and is now a core part of Red Hat-based Linux distributions.
A new LSM being incubated by LinuxKit is Landlock. Landlock makes use of extended Berkeley Packet Filters (eBPFs) to hook small programs into the Linux kernel.
“These eBPF programs provide context that can allow for very robust decision-making when integrated with LSM hooks,” Riyaz Faizullabhoy, security engineer at Docker Inc., wrote in his GitHub commit adding Landlock to LinuxKit. “In particular, this lends itself very nicely to container-based environments.”
Faizullabhoy noted that one example of how Landlock could benefit Docker container users is that it can be used to write policies to restrict containers from accessing file descriptors they do not own, acting as a last line of defense to restrict container escapes.
McCauley noted that Landlock provides a very flexible set of rules that can be used to secure container deployments. Existing LSMs haven’t always been easy for system administrators to configure, and it is McCauley’s hope that Landlock will be easily usable.
The market for container security technology is a growing one, with multiple vendors including Twistlock, Anchore, Aqua Security, NeuVector, Aporeto, Tenable and Capsule8, among others, building products. With LinuxKit, Docker is aiming to help provide another core piece of the container security landscape.
“There is a lot of creativity in the container security ecosystem, and I’m really excited about that,” McCauley said. “As a platform provider, we’re doing as much as we can to solve foundational security problems and build a secure substrate upon which applications can use features of the platform.”