Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3275197imc;
        Wed, 13 Mar 2019 13:27:12 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzeLKnh2WKadxX+/AxUMtn9aoiTiSKeK0772s3IV5SylMMQHc4SN/trQhfPJcHzhUmQYBPU
X-Received: by 2002:a17:902:b687:: with SMTP id c7mr323039pls.270.1552508832098;
        Wed, 13 Mar 2019 13:27:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552508832; cv=none;
        d=google.com; s=arc-20160816;
        b=OuqsuF27aoD0MTGPWiSTAPoZHsK4WtjRlFobKSkYEab4ZiJsg1k3Kb3Gt/Ip5Wc1yp
         LpwZHCoFYaF09BQ7ll6cVuQwRjfqI7HgMZwSKGgLWTAIzeu7H9w0nqKCqcYwLU7srNVF
         dzWUk0zuniTkf0qAusGLwv9n3HkeMJa+NDEJjHBsyKCNUDoYv7ZKQMI8o3gk0mEZxS6D
         qwNSjequAK6+FEQPDsGmv0PA2zGiTZgmXUbe4TrMOdxkJKj54l+xQ4/s98m/TpnzL04v
         katHdyxShSOZJrVA4AxyXRAW26PwD+O700Z+fNq8V+223YP/HXS9YBner8mD2MNjVIoy
         5/XA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=/mos/hK8n6UoUxrfR/gmB9JSDm6Ko+eHKRquWeJIzv0=;
        b=kdVOw1tsx2b6NVhPxRN2DfdUD9oPd7KhJt1jvYop0ps5UsqHCEYgIGNtwkGsvsHPTv
         rMX6wqT3TX4J9u2CNOD27MfKUZKk75Vlcl221n7r+pOyfbkcczG+bPEwxT4LghKHS8Jx
         3/wInSktngGoRwWt1vm+SSrbNjm6T4j6uI4/vyuiXOyqqfm6WmCJ77FQpy5+Fq+Ujwip
         OX/6FLEmcYheWT7AFDOucjqUe1xblIm7FiqVAC+oHjXXYMWglQOqa50Pik85CWCDqn3y
         hLI29y4YpI8BHHvps5dGvdOReC99bTIN7UFArfCZ7Q1YN0ES6Jh6+ccnum4F7DbtphDj
         xlOQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Mc2cEbLx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t3si11345519plq.430.2019.03.13.13.26.56;
        Wed, 13 Mar 2019 13:27:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Mc2cEbLx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727253AbfCMUZX (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Wed, 13 Mar 2019 16:25:23 -0400
Received: from mail.kernel.org ([198.145.29.99]:45394 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726656AbfCMUZX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Mar 2019 16:25:23 -0400
Received: from gmail.com (unknown [104.132.1.77])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 03F7A206DF;
        Wed, 13 Mar 2019 20:25:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1552508722;
        bh=EXe+Ez5eFEmIkT8jEZDz6Y2InduzsahFDoJq2DbHfuM=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=Mc2cEbLxEwfuk8GuRGfe6pBnrtYt1cyIjOu4ojK/xG20SsPAorOSVXaBW1+8vKeMF
         NZXdXHZ0PtWDRk/VSj8lG+NxnPfL6NtIoYdaEeq4hFe42gT7Nh4Qp5hFu6u0eHNKBb
         C37Cbd7CO/GuSb2/FDNr5EB4xl9z525UIDu2L2H4=
Date:   Wed, 13 Mar 2019 13:25:20 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     James Bottomley <James.Bottomley@HansenPartnership.com>
Cc:     Theodore Ts'o <tytso@mit.edu>, Amir Goldstein <amir73il@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Miklos Szeredi <miklos@szeredi.hu>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Paul Lawrence <paullawrence@google.com>
Subject: Re: overlayfs vs. fscrypt
Message-ID: <20190313202519.GD10169@gmail.com>
References: <4066872.KGdO14EQMx@blindfold>
 <CAOQ4uxhqQKzriL0An4Tvzc1E_LffL-z9q1otOW_RdD1ZdKWP3Q@mail.gmail.com>
 <20190313151633.GA672@mit.edu>
 <1552491394.3022.8.camel@HansenPartnership.com>
 <20190313164439.GF672@mit.edu>
 <1552499104.3022.44.camel@HansenPartnership.com>
 <20190313185826.GA4685@mit.edu>
 <1552504672.3022.59.camel@HansenPartnership.com>
 <20190313195713.GC10169@gmail.com>
 <1552507566.3022.65.camel@HansenPartnership.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1552507566.3022.65.camel@HansenPartnership.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 13, 2019 at 01:06:06PM -0700, James Bottomley wrote:
> On Wed, 2019-03-13 at 12:57 -0700, Eric Biggers wrote:
> > On Wed, Mar 13, 2019 at 12:17:52PM -0700, James Bottomley wrote:
> > > On Wed, 2019-03-13 at 14:58 -0400, Theodore Ts'o wrote:
> > > > On Wed, Mar 13, 2019 at 10:45:04AM -0700, James Bottomley wrote:
> > > > > >   If they can't break root, then the OS's user-id based
> > > > > > access control checks (or SELinux checks if you are using
> > > > > > SELinux) will still protect you.
> > > > > 
> > > > > Well, that's what one would think about the recent runc exploit
> > > > > as well.  The thing I was looking to do was reduce the chances
> > > > > that unencrypted data would be lying around to be
> > > > > discovered.  I suppose the potentially biggest problem is
> > > > > leaking the image after it's decrypted by admin means like a
> > > > > badly configured backup, but unencryped data is potentially
> > > > > discoverable by breakouts as well.
> > > > 
> > > > But while the container is running, the key is available and
> > > > instantiated in the kernel, and the kernel is free to decrypt any
> > > > encrypted file/block.
> > > 
> > > In the current encrypted tar file implementation, while the
> > > container is running the decrypted tar file is extracted into the
> > > container root and available for all to see.
> > > 
> > > The main security benefit of this implementation, as I said, is
> > > security of at rest images and the runtime security is guaranteed
> > > by other systems.
> > 
> > That's not security at rest, because you're decrypting the data and
> > storing it onto the local disk.
> 
> I mean image at rest and image running.  The local disk untar only
> happens for running image.
> 
> > fscrypt would allow the data to be stored encrypted on the local
> > disk, so it's protected against offline compromise of the disk.
> 
> Container images are essentially tars of the overlays.  They only
> become actual filesystems when instantiated at runtime.  The current
> encrypted container image is an overlay or set of overlays which is
> tarred then encrypted.  So to instantiate it is decrypted then
> untarred.
> 
> The thing I was wondering about was whether instead of a tar encrypt we
> could instead produce an encrypted image from a fscrypt filesystem.
> 

Why do you care whether the container image is encrypted on the local disk, when
you're extracting it in plaintext onto the local disk anyway each time it runs?
Even after the runtime files are "deleted", they may still be recoverable from
the disk.  Are you using shred and BLKSECDISCARD, and a non-COW filesystem?

Now, if you wanted to avoid writing the plaintext to disk entirely (and thereby
use encryption to actually achieve a useful security property that can't be
achieved through file permissions), fscrypt is a good solution for that.

- Eric