Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3221853imc; Wed, 13 Mar 2019 12:00:42 -0700 (PDT) X-Google-Smtp-Source: APXvYqxUEPVWls2J7oRvO3YO0DwfO6liTu3Se3M3BCSXL52ERLXMwnGJXK30toUHcN+hexKX9s0t X-Received: by 2002:a65:6548:: with SMTP id a8mr41581032pgw.103.1552503642365; Wed, 13 Mar 2019 12:00:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552503642; cv=none; d=google.com; s=arc-20160816; b=X8nNglwxF8mrA2voW8uaLPB/fMPskIDT8UMx8uOfaKJ9BgMqTHbk4A5CEjObJ6Gbqd UA3NdGlsJg31vKeGun2kGlMVpS31mHwEea6UVW2U85Owpdp+N8QwZw28Y3dH9Y0MD3Gw RIoAo4MqqHtlT+R0GtAHu8fEI82E/JtZbsRkT2rL9TkDzQNkRAJ7MZRFZcCOvH1kG3R2 fmlzt3hh64HCtvL1PXu0b+5E73M/2aitfP2edaT8V9l0FVlcJddVQ00ItGdZGGSc9MfT cN47ceHYgUULa/i22k/tnNNkmfWMxUyhryAsfobxehNKqRhj1ZiRFmqR4v7MnDlcDykr GbHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date; bh=9aJ84Qr4bcK1Ss5EKdwSlRUZWacWN3O8GIE6d49IqjA=; b=FcDBeb4EsiKG22XC8+DVxWiLaUw3VFTN8DgEJDfXSYN+kXe1shwTNLIJewzLFOQt2B u1iFdUDVTUHielc4HyO3qWHmcWVeLvMq/HEsAct9maVDYk/FQeR2vMo60JKHMmCZuiny e+ydKfeYU4eXQpdyTQE83ebyR4MXNdc69LfBSYZ/+JzWeeSYPg0PwamGD7vZDieHhUWF 5U0lZ2gcFgBIPE/bS3XRJGjUgbGKXf2MKgcNn6e0vTwDq536WnUaxmcVYABApd89cfct MIgtvb+AhjEzRVfi6Y1cOyY6a/r3i3EknnP7oAz8YAmYGzuJs3n3/9pAQ0Jqnu+LBUsM S/ig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u62si3426336pgc.204.2019.03.13.12.00.25; Wed, 13 Mar 2019 12:00:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726886AbfCMS6i (ORCPT + 99 others); Wed, 13 Mar 2019 14:58:38 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:56087 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726272AbfCMS6i (ORCPT ); Wed, 13 Mar 2019 14:58:38 -0400 Received: from callcc.thunk.org (guestnat-104-133-0-99.corp.google.com [104.133.0.99] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2DIwRLl031027 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Mar 2019 14:58:28 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 0460D42080E; Wed, 13 Mar 2019 14:58:26 -0400 (EDT) Date: Wed, 13 Mar 2019 14:58:26 -0400 From: "Theodore Ts'o" To: James Bottomley Cc: Amir Goldstein , Richard Weinberger , Miklos Szeredi , linux-fsdevel , linux-fscrypt@vger.kernel.org, overlayfs , linux-kernel , Paul Lawrence Subject: Re: overlayfs vs. fscrypt Message-ID: <20190313185826.GA4685@mit.edu> Mail-Followup-To: Theodore Ts'o , James Bottomley , Amir Goldstein , Richard Weinberger , Miklos Szeredi , linux-fsdevel , linux-fscrypt@vger.kernel.org, overlayfs , linux-kernel , Paul Lawrence References: <4603533.ZIfxmiEf7K@blindfold> <1854703.ve7plDhYWt@blindfold> <4066872.KGdO14EQMx@blindfold> <20190313151633.GA672@mit.edu> <1552491394.3022.8.camel@HansenPartnership.com> <20190313164439.GF672@mit.edu> <1552499104.3022.44.camel@HansenPartnership.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1552499104.3022.44.camel@HansenPartnership.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 13, 2019 at 10:45:04AM -0700, James Bottomley wrote: > > If they can't break root, then the OS's user-id based access > > control checks (or SELinux checks if you are using SELinux) will > > still protect you. > > Well, that's what one would think about the recent runc exploit as > well. The thing I was looking to do was reduce the chances that > unencrypted data would be lying around to be discovered. I suppose the > potentially biggest problem is leaking the image after it's decrypted > by admin means like a badly configured backup, but unencryped data is > potentially discoverable by breakouts as well. But while the container is running, the key is available and instantiated in the kernel, and the kernel is free to decrypt any encrypted file/block. The reason why the kernel won't do this is because of its access control checks. And we're talking about this within the context of the overlayfs. When in the container world will we have persistent data that lasts beyond the lifetime of the running container that will be using overlayfs? I didn't think that existed; if you are using, say, a Docker storage volume, does overlayfs ever get into the act? And if so, how, and what are the desired security properties? - Ted