Date: Wed, 13 Mar 2019 12:44:39 -0400
From: "Theodore Ts'o"
To: James Bottomley
Cc: Amir Goldstein, Richard Weinberger, Miklos Szeredi, linux-fsdevel, linux-fscrypt@vger.kernel.org, overlayfs, linux-kernel, Paul Lawrence
Subject: Re: overlayfs vs. fscrypt
Message-ID: <20190313164439.GF672@mit.edu>
In-Reply-To: <1552491394.3022.8.camel@HansenPartnership.com>
References: <4603533.ZIfxmiEf7K@blindfold> <1854703.ve7plDhYWt@blindfold> <4066872.KGdO14EQMx@blindfold> <20190313151633.GA672@mit.edu> <1552491394.3022.8.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 13, 2019 at 08:36:34AM -0700, James Bottomley wrote:
> On Wed, 2019-03-13 at 11:16 -0400, Theodore Ts'o wrote:
> > So before we talk about how to make things work from a technical
> > perspective, we should consider what the use case happens to be, and
> > what are the security requirements. *Why* are we trying to use the
> > combination of overlayfs and fscrypt, and what are the security
> > properties we are trying to provide to someone who is relying on this
> > combination?
>
> I can give one: encrypted containers:
>
> https://github.com/opencontainers/image-spec/issues/747
>
> The current proposal imagines that the key would be delivered to the
> physical node and the physical node containerd would decrypt all the
> layers before handing them off to the kubelet. However, one could
> imagine a slightly more secure use case where the layers were
> constructed as an encrypted filesystem tar and so the key would go into
> the kernel and the layers would be constructed with encryption in place
> using fscrypt.
>
> Most of the desired security properties are in image at rest but one
> can imagine that the running image wants some protection against
> containment breaches by other tenants and using fscrypt could provide
> that.
What kind of containment breaches? If they can break root, it's all over no matter what sort of encryption you are using. If they can't break root, then the OS's user-id based access control checks (or SELinux checks if you are using SELinux) will still protect you.

- Ted