Re: overlayfs vs. fscrypt
From: Theodore Ts'o
Date: Wed Mar 13 2019 - 14:58:40 EST
On Wed, Mar 13, 2019 at 10:45:04AM -0700, James Bottomley wrote:
> > If they can't break root, then the OS's user-id based access
> > control checks (or SELinux checks if you are using SELinux) will
> > still protect you.
>
> Well, that's what one would think about the recent runc exploit as
> well. The thing I was looking to do was reduce the chances that
> unencrypted data would be lying around to be discovered. I suppose the
> potentially biggest problem is leaking the image after it's decrypted
> by admin means like a badly configured backup, but unencryped data is
> potentially discoverable by breakouts as well.
But while the container is running, the key is available and
instantiated in the kernel, and the kernel is free to decrypt any
encrypted file/block. The reason why the kernel won't do this is
because of its access control checks.
And we're talking about this within the context of the overlayfs.
When in the container world will we have persistent data that lasts
beyond the lifetime of the running container that will be using
overlayfs? I didn't think that existed; if you are using, say, a
Docker storage volume, does overlayfs ever get into the act? And if
so, how, and what are the desired security properties?
- Ted