Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3237846imc;
        Wed, 13 Mar 2019 12:23:19 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwgL5WEIBl2b88Ntfg3wQ8r/TZxADqKieKC8YJNaW+w8HTu8fnhUDZmP8reAlWUYNzfCQQO
X-Received: by 2002:a62:76d4:: with SMTP id r203mr45960183pfc.15.1552504999226;
        Wed, 13 Mar 2019 12:23:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552504999; cv=none;
        d=google.com; s=arc-20160816;
        b=x5whnVH5cKotQHg3YPLg/Zl3NNyUqLTBvpRHo4YLGYKXudX1M2+OAxYU9AZOCoY3np
         8oxlfmkjZKDEwCcfq0jFNIuJLZSKInMOWfgOUxhU1CVAQj17OLQvc047JRh7nt4dma6a
         NU2bN0NpX/0Da2eO92jFlmW44y82pEQZ5bMXIyCWcipG1FMu0ctyNfzzGUbZWdIkyF+q
         wjaOVzm6fNWz4p886JX9FiqbsZPC8HbgK37kui4GGgzF3/CRHj8eFWhwnwtwq/OepqzT
         WWI0++/8i9i8E5GavuaTzMmhl421esrOD0qP+lQQep6dSyEHsDZB6WcnP05UbXX8JIce
         lhLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature;
        bh=0jdZG1qE/QYCnqDd02O/3NWbTTG7KKAXmpa3DMqBYoM=;
        b=0050dVgf2xOAQLJ40r+8tvkvhQM6Q/m+rJNSljuuBGsRH1Kuw7AR6Nhcnvr+sAl54J
         wqxzAYGqeQxfuL5xXVgMQ4ogZbReN91+xzW3SekzdndMSv1imhhafqOf6e8Jy5ati44+
         x+EFDiv4xnwHZYkCQbp/pm4krSXrShvNfjYfA1h2eJIqOEn2zfMoj29DU5h4cRA90Cj4
         aaRFGgsjLFvOzAxn9jUwuVR3qb9VVCnRW7koKWIqMqtVn0HaqTQXkSH50QiDs+ZHImrt
         B1FkLs2tUDt/Fu5E65icgBR/up8TOk5M9IAE2LQOATGWdR0QGb3EavOsxZDsPDzW/a8D
         BxOg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=MMAUL5b1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g10si11959098plb.375.2019.03.13.12.23.03;
        Wed, 13 Mar 2019 12:23:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=MMAUL5b1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728789AbfCMTWC (ORCPT <rfc822;michael.k.kehoe@gmail.com>
        + 99 others); Wed, 13 Mar 2019 15:22:02 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:40092 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728274AbfCMTRz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Mar 2019 15:17:55 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id 384F38EE20E;
        Wed, 13 Mar 2019 12:17:54 -0700 (PDT)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id aZt-0s5b79oz; Wed, 13 Mar 2019 12:17:53 -0700 (PDT)
Received: from [153.66.254.194] (unknown [50.35.68.20])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 7EAF38EE0D2;
        Wed, 13 Mar 2019 12:17:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1552504673;
        bh=Fu0rh0TRSo8BaUrCb49LTC7bQJGPtb3oRoEl3FHPnWQ=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=MMAUL5b13FHBelUi0weo/FqU+w76a/8A7uGTeOgVAIufwe4TjYgw6TCJ8YcNFS3mT
         MhPGWvI1phUSuCGudujMFwOUbXacW7dPUkwV4il9jQtbv5seYWCjq7gf88xj78kvHc
         d2vZLA0GzhrsqDC9W4YNuTO5JjmwF8OSimLcHA3k=
Message-ID: <1552504672.3022.59.camel@HansenPartnership.com>
Subject: Re: overlayfs vs. fscrypt
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     Theodore Ts'o <tytso@mit.edu>
Cc:     Amir Goldstein <amir73il@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Miklos Szeredi <miklos@szeredi.hu>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Paul Lawrence <paullawrence@google.com>
Date:   Wed, 13 Mar 2019 12:17:52 -0700
In-Reply-To: <20190313185826.GA4685@mit.edu>
References: <4603533.ZIfxmiEf7K@blindfold> <1854703.ve7plDhYWt@blindfold>
         <CAJfpegtgfuAkgv26QH6Ht25OeMiev-QvEf7ror4KAbud7FADgg@mail.gmail.com>
         <4066872.KGdO14EQMx@blindfold>
         <CAOQ4uxhqQKzriL0An4Tvzc1E_LffL-z9q1otOW_RdD1ZdKWP3Q@mail.gmail.com>
         <20190313151633.GA672@mit.edu>
         <1552491394.3022.8.camel@HansenPartnership.com>
         <20190313164439.GF672@mit.edu>
         <1552499104.3022.44.camel@HansenPartnership.com>
         <20190313185826.GA4685@mit.edu>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.6 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2019-03-13 at 14:58 -0400, Theodore Ts'o wrote:
> On Wed, Mar 13, 2019 at 10:45:04AM -0700, James Bottomley wrote:
> > >   If they can't break root, then the OS's user-id based access
> > > control checks (or SELinux checks if you are using SELinux) will
> > > still protect you.
> > 
> > Well, that's what one would think about the recent runc exploit as
> > well.  The thing I was looking to do was reduce the chances that
> > unencrypted data would be lying around to be discovered.  I suppose
> > the potentially biggest problem is leaking the image after it's
> > decrypted by admin means like a badly configured backup, but
> > unencryped data is potentially discoverable by breakouts as well.
> 
> But while the container is running, the key is available and
> instantiated in the kernel, and the kernel is free to decrypt any
> encrypted file/block.

In the current encrypted tar file implementation, while the container
is running the decrypted tar file is extracted into the container root
and available for all to see.

The main security benefit of this implementation, as I said, is
security of at rest images and the runtime security is guaranteed by
other systems.

>   The reason why the kernel won't do this is because of its access
> control checks.
> 
> And we're talking about this within the context of the overlayfs.
> When in the container world will we have persistent data that lasts
> beyond the lifetime of the running container that will be using
> overlayfs?  I didn't think that existed; if you are using, say, a
> Docker storage volume, does overlayfs ever get into the act?  And if
> so, how, and what are the desired security properties?

Are you asking about persistent volumes?  I can answer, but that's not
the current use case.  The current use case is encrypted images, which
are overlays.  If you mean the misconfigured backup comment then I was
thinking a backup that wrongly sweeps container root while the
container is running.

Lets go back to basics: can fscrypt provide equivalent or better
protection than the current encrypted tarfile approach?  If the answer
is no because it's too tightly tied to the android use case then
perhaps there's not much point discussing it further.

James