On Wed, Mar 13, 2019 at 10:45:04AM -0700, James Bottomley wrote: > > If they can't break root, then the OS's user-id based access > > control checks (or SELinux checks if you are using SELinux) will > > still protect you. > > Well, that's what one would think about the recent runc exploit as > well. The thing I was looking to do was reduce the chances that > unencrypted data would be lying around to be discovered. I suppose the > potentially biggest problem is leaking the image after it's decrypted > by admin means like a badly configured backup, but unencryped data is > potentially discoverable by breakouts as well. But while the container is running, the key is available and instantiated in the kernel, and the kernel is free to decrypt any encrypted file/block. The reason why the kernel won't do this is because of its access control checks. And we're talking about this within the context of the overlayfs. When in the container world will we have persistent data that lasts beyond the lifetime of the running container that will be using overlayfs? I didn't think that existed; if you are using, say, a Docker storage volume, does overlayfs ever get into the act? And if so, how, and what are the desired security properties? - Ted