Linux Namespace

Transcript

1. -JOVY
   /BNFTQBDF !NBTBNJ

2. 5BCMF
   PG
   $POUFOUT w /BNFTQBDF
   PWFSWJFX
   w 4ZTUFN
   DBMMT
   w LFSOFM
   JNQMFNFOUBUJPO
   w /BNFTQBDF
   &YBNQMF

3. OBNFTQBDF
   PWFSWJFX

4. /BNFTQBDF w Ϧιʔε
   w ॴҦίϯςφܕԾ૝ԽΛ࣮ݱ͢Δ্Ͱॏཁͳػ ೳͷҰͭ

5. 3FTPVSDF w /BNFTQBDFʹ͓͚ΔϦιʔε
   w DQV΍NFNPSZͱݴͬͨ෺ཧతͳܭࢉࢿݯͰ ͸ͳ͍
   w ϗετ໊ɺωοτϫʔΫઃఆɺQJEͳͲͷΧʔω ϧ͕ѻ͏σʔλ

6. 'FBUVSF w ϓϩηεؒͰΧʔωϧͷϦιʔεΛڞ༗
   w GPSL  ͷ࣮ߦ࣌͸਌ϓϩηεͱϦιʔεΛڞ༗
   w OBNFTQBDFຖʹಠཱͨ͠Ϧιʔε
   w

   ໊લۭؒͷঢ়ଶΛม͑ΔΑ͏ͳॲཧΛߦͬͯ΋ ผͷ໊લۭؒʹଐ͢Δϓϩηεʹ͸Өڹ͸ٴ͹ ͳ͍

7. /BNFTQBDF
   SFQSFTFOUBUJPO w ໊લۭؒ͸ϑΝΠϧͱͯ͠Ϣʔβʔۭ͔ؒΒݟ͑ Δ
   w TFUOT  Ͱར༻
   masami@miko:~$ ls

   -l /proc/self/ns total 0 dr-x--x--x 2 masami masami 0 Aug 31 00:15 . dr-xr-xr-x 8 masami masami 0 Aug 31 00:15 .. lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 ipc -> ipc:[4026531839] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 mnt -> mnt:[4026531840] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 net -> net:[4026531957] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 pid -> pid:[4026531836] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 user -> user:[4026531837] lrwxrwxrwx 1 masami masami 0 Aug 31 00:15 uts -> uts:[4026531838]

8. /BNFTQBDFT w VUT
   w OFU
   w QJE
   w NOU
   w

   JQD
   w VTFS

9. VUT
   OBNFTQBDF w ϗετ໊ɺυϝΠϯ໊ͳͲͷσʔλ
   w Χʔωϧόʔδϣϯ౳΋͋Δ͕มߋෆՄ
   w ήετ͕ࣗϗετ໊Λม͑ͯ΋ϗετ04ଆʹ͸ Өڹ͸Ͱͳ͍

10. OFU
    OBNFTQBDF w ωοτϫʔΫؔ࿈ͷϦιʔε
    w /FUXPSL
    EFWJDF
    w *1
    BEESFTT
    w 3PVUJOH
    UBCMF
    w

    'JMUFSJOH
    UBCMF
    w 1PSU
    OVNCFS
    w QSPDOFU
    w FUDʜ

11. QJE
    OBNFTQBDF w ਌ϓϩηεͱ͸ผͷQJEΛར༻Մೳʹ
    w OBNFTQBDF
    "ͷQJEɿͱOBNFTQBDF
    #ͷ QJEɿ͸ผͷଘࡏ
    w QSPDGTΛద੾ʹ෼͚Ε͹ଞͷOBNFTQDFͷϓϩ ηεΛࢀরͰ͖ͳ͘ͳΔ

12. NOU
    OBNFTQBDF w Ϛ΢ϯτ͍ͯ͠ΔϑΝΠϧγεςϜΛද͢
    w ໊લۭؒ෼཭࣌͸਌ϓϩηεͷNOU
    OBNFTQBDF Λίϐʔ
    w ෼཭ޙʹ਌ϓϩηε͕VTC
    TUJDLͳͲΛϚ΢ϯ τͯ͠΋ήετଆ͔Β͸ݟ͑ͳ͍

13. JQD
    OBNFTQBDF w 4ZTUFN
    7
    *1$Ͱ࢖༻͢ΔϦιʔεΛ෼཭
    w ڞ༗ϝϞϦɺηϚϑΥɺϝοηʔδΩϡʔ

14. VTFS
    OBNFTQBDF w ϗετͱ͸ผͷVJEHJEମܥΛ࣋ͯΔ
    w ϗετͷVJEHJEͱήετͷVJEHJEϚοϐϯά͕ඞཁ
    w ઃఆ͠ͳ͍ͱ͕ઃఆ͞ΕΔ
    w HSPVQT͸൪ͷHSPVQೖΓ͢Δ
    w

    ଞͷOBNFTQBDFͱҧ͍ɺಠཱ͍ͯ͠ͳ͍
    w ଞͷOBNFTQBDFۭؒ͸ݸʑʹVTFS
    OBNFTQBDFΛ͍࣋ͬͯΔ
    w ֤OBNFTQBDFͷίϐʔॲཧؔ਺͸VTFS
    OTΛड͚औΔͷͰ HFU@VTFS@OT ͰࢀরΧ΢ϯτΛ૿΍͍ͯ͠Δ

15. VJEHJE
    NBQQJOH w ϚοϐϯάΛߦ͏γεςϜίʔϧ͸ແ͍
    w ҎԼͷϑΝΠϧΛ༻͍ͯϚοϐϯάΛ࣮ࢪ
    w QSPDQJEVJE@NBQ
    w QSPDQJEHJE@NBQ

16. VJEHJE
    NBQQJOH w ήετͷVJEΛϗετͷVJEʹϚοϐϯά
    w HJE΋ಉ༷ʹ
    masami@miko:~$ ./a.out -U -M '0

    1000 1' -G '0 1000 1' bash root@miko:~# id uid=0(root) gid=0(root) groups=0(root),65534 root@miko:~# cat /proc/self/uid_map /proc/self/gid_map 0 1000 1 0 1000 1 root@miko:~# touch test.txt root@miko:~# ls -la test.txt -rw-r--r-- 1 root root 0 Aug 31 12:00 test.txt root@miko:~# """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" masami@miko:~$ ls -la test.txt -rw-r--r-- 1 masami masami 0 Aug 31 12:00 test.txt masami@miko:~$

17. *O
    BO
    VTFS
    OBNFTQBDF wϚοϐϯάͳ͠ͰVTFS
    OBNFTQBDFΛVOTIBSF
    I have no name!@miko:/proc/640$ ls -la /usr/bin/sudo -rwsr-xr-x

    1 65534 65534 142792 May 9 15:58 /usr/bin/sudo ! w௨ৗͷঢ়ଶ
    I have no name!@miko:/proc/640$ exit logout masami@miko:~$ ls -la /usr/bin/sudo -rwsr-xr-x 1 root root 142792 May 9 15:58 /usr/bin/sudo

18. IPX
    UP
    VJEHJE
    NBQQJOH  DMPOF  ΛݺͿ
     $-0/&@/&864&3ΛqBHTʹηοτ
     FYFD ܥͷγεςϜίʔϧΛݺͿલʹϚοϐϯάΛߦ͏
    

     QSPDDIJME
    QSPDFTT
    QJEVJE@NBQ
     QSPDDIJME
    QSPDFTT
    QJEHJE@NBQ
     FYFD ܥͷؔ਺ΛݺΜͰ৽ͨͳϓϩάϥϜΛ࣮ߦ

19. TZTUFN
    DBMMT

20. TZTUFN
    DBMMT w DMPOF 
    w VOTIBSF 
    w

    TFUOT 

21. DMPOF 
    w DMPOF  ͰQJE
    OBNFTQBDFΛ෼཭ͨ͠৔
    w ࢠϓϩηε͔ΒݟΔͱࣗ෼ͷQJE͸ͱͯ͠ݟ͑Δ
    w

    ਌ϓϩηε͔Β͸਌ϓϩηεͷQJE
    OBNFTQBDFͰͷ QJE͕ৼΒΕͨΑ͏ʹݟ͑Δ
    w DMPOF  ͷ໭Γ஋Λ࢖ͬͯXBJUQJE  Ͱ଴ͭ͜ͱ ͕Ͱ͖Δ
    

22. DMPOF  $-0/&@/&8654 VUT
    OBNFTQBDF $-0/&@/&81*% QJE
    OBNFDQBDF $-0/&@/&8/4 NOU
    OBNFTQBDF $-0/&@/&8/&5 OFU
    OBNFTQBDF

    $-0/&@/&8*1$ JQD
    OBNFTQBDF $-0/&@/&864&3 VTFS
    OBNFTQBDF DMPOF  Ͱ࢖༻͢Δϑϥά͸TDIFEIΛJODMVEFͯ͠࢖༻Ͱ͖Δ͕ɺ
    $-0/&@/&864&3͸@(/6@4063$&ΛEFpOF͢Δඞཁ͋Γ

23. VOTIBSF  w ࣗ෼Λ਌ϓϩηεͷ໊લۭ͔ؒΒ෼཭ͤ͞Δ
    w QJE
    OBNFTQBDF͸෼཭Ͱ͖ͳ͍
    w Ұ࣌ظαϙʔτ͞Ε͍͕͔ͯͨΒର৅֎ʹͳͬͨ
    w QJEOT
    %POU
    IBWF
    VOTIBSF

    $-0/&@/&81*%
    JNQMZ
    $-0/&@5)3&"%
    w IUUQTHJUIVCDPNUPSWBMETMJOVYDPNNJU FDFCECGDCGEEF
    w VOTIBSF  ͷ৔߹ΤϥʔʹͳΒͳ͍͕Կ΋͓͖ͳ͍

24. TFUOT  w طଘͷ໊લۭؒʹࣗ਎ΛࢀՃͤ͞Δ
    w DMPOF  ɺVOTIBSF  ͸਌ͷ໊લۭ͔ؒΒ෼཭ͯ͠৽نͷ

    ໊લۭؒΛ࣋ͭΑ͏ʹͳΔ
    w ໊લۭؒ΁ͷࢀՃʹ͸ର৅ͷ໊લۭؒͷϑΝΠϧσΟεΫϦϓ λΛ࢖༻͢Δ
    w ผͷQJE
    OBNFTQBDFʹࢀՃ͢Δ৔߹ɺϓϩηεࣗ਎ͷQJE͸ มΘΒͳ͍
    w ࢠϓϩηε͔ΒQJE͕มΘΔ

25. LFSOFM
    JNQMFNFOUBUJPO

26. LFSOFMOTQSPYZD w OBNFTQBDFڞ௨ͷॲཧΛߦ͏
    w OBNFTQBDFͷ࡞੒ɺίϐʔͳͲ
    w ݸʑͷOBNFTQBDFʹ͍ͭͯ͸ͦΕͧΕ͕࣮ࢪ

27. LFSOFMOTQSPYZD w લεϥΠυͰOBNFTQBDFڞ௨ͱઆ໌͚ͨ͠Ͳ
    w VTFS
    OBNFTQBDF͸ѻ͍ͬͯͳ͍
    w VTFS
    OBNFTQBDF͸DSFED΍ݸʑͷ OBNFTQBDF͕؅ཧ

28. TUSVDU
    OTQSPYZ w ֤OBNFTQBDFͷσʔλΛอ࣋͢Δߏ଄ମ
    ! struct nsproxy { atomic_t count; struct

    uts_namespace *uts_ns; struct ipc_namespace *ipc_ns; struct mnt_namespace *mnt_ns; struct pid_namespace *pid_ns_for_children; struct net *net_ns; }; wVTFS
    OBNFTQBDF͸TUSVDU
    DSFEʹͯ؅ཧ
    wTUSVDU
    UBTL@TUSVDUͷSFBM@DSFBE͔ΒVTFS
    OBNFTQBDFΛࢀর

29. DPNNPO
    OBNFTQBDF
    TUSVDUVSF w ֤OBNFTQBDF͸ҎԼͷม਺Λඞͣ࣋ͭ
    w ࢀরΧ΢ϯλ
    w QSPDGTͷJOPEF൪߸
    w
    VTFS
    OBNFTQBDF
    

    w VTFS
    OBNFTQBDFͷ৔߹͸਌ϓϩηε΁ͷϙΠϯλ
    

30. JOJU@OTQSPYZ w ࠷ॳͷϓϩηεʹઃఆ͞ΕΔOTQSPYZߏ଄ମ
    w ͜ΕҎ߱͸GPSLܥؔ਺ͷݺͼग़࣌͠ʹ͜ͷߏ ଄ମͷࢀরΧ΢ϯλΛΠϯΫϦϝϯτ
    w OBNFTQBDFΛ෼͚ͳ͍৔߹ɿʣ

31. TUSVDU
    OTQSPYZ w NPVOU
    OBNFTQBDFҎ֎͸Ϗϧυ࣌ʹઃఆ
    struct nsproxy init_nsproxy = { .count =

    ATOMIC_INIT(1), .uts_ns = &init_uts_ns, #if defined(CONFIG_POSIX_MQUEUE) || defined(CONFIG_SYSVIPC) .ipc_ns = &init_ipc_ns, #endif .mnt_ns = NULL, .pid_ns_for_children = &init_pid_ns, #ifdef CONFIG_NET .net_ns = &init_net, #endif };

32. *OJUJBMJ[F
    NOU@OT wJOJU@NPVOU@USFF ͔Β͕࣮ࡍͷॲཧ
    start_kernel() @init/main.c --> vfs_caches_init() @fs/dcache.c --> mnt_init()

    @fs/namespace.c --> init_mount_tree() @fs/namespace.c --> create_mnt_ns() @fs/namespace.c

33. *OJUJBMJ[F
    VTFS@OT w VTFS@OT͸TUSVDU
    DSFEͷσʔλॳظԽ࣌ʹઃఆ
    struct cred init_cred = { .usage =

    ATOMIC_INIT(4), ~ུ~ .cap_bset = CAP_FULL_SET, .user = INIT_USER, .user_ns = &init_user_ns,

34. DPQZ@OBNFTQBDF w JOU
    DPQZ@OBNFTQBDFT VOTJHOFE
    MPOH
    qBHT
    TUSVDU
    UBTL@TUSVDU
    UTL
    w DPQZ@QSPDFTT

    ΑΓݺ͹ΕΔ
    w qBHʹ$-0/&@/&8999͕ηοτ͞Ε͍ͯͳ͚Ε͹Χ ϨϯτϓϩηεͷOTQSPYZߏ଄ମͷࢀরΧ΢ϯλΛ 
    w ͦ͏Ͱͳ͚Ε͹DSFBUF@OFX@OBNFTQBDF Ͱ֘౰͢Δ OBNFTQBDFΛ࡞੒͢Δ

35. TXJUDI@UBTL@OBNFTQBDF w WPJE
    TXJUDI@UBTL@OBNFTQBDFT TUSVDU
    UBTL@TUSVDU
    UTL
    TUSVDU
    OTQSPYZ
    OFX
    w

    ΧϨϯτϓϩηεͷ໊લۭؒ੾Γସ͑Λߦ͏
    w VOTIBSF  Ͱ࢖༻
    w ϓϩηεͷFYJU ࣌ʹ΋࢖༻
    w ੾Γସ͑ઌͷOBNFTQBDFʹ/6--Λઃఆ

36. TXJUDI@UBTL@OBNFTQBDF w OBNFTQBDFΛ੾Γସ͑ͨ݁Ռɺ੾Γସ͑લͷ OBNFTQBDFΛࢀর͢Δϓϩηε͕͍ͳ͘ͳͬͨ ৔߹
    w GSFF@OTQSPYZ ΛݺΜͰOBNFTQBDFΛղ์

37. GSFF@OTQSPYZ w WPJE
    GSFF@OTQSPYZ TUSVDU
    OTQSPYZ
    OT
    w OBNFTQBDFͷղ์
    w ֤OBNFTQBDFͷࢀরΧ΢ϯλΛσΫϦϝϯτ
    

    w OTQSPYZߏ଄ମͷΠϯελϯεղ์
    w ௨ৗ͸ϓϩηεͷFYJU࣌ʹ࣮ߦ͞ΕΔ

38. VOTIBSF@OTQSPYZ@OBNFTQBDF w JOU
    VOTIBSF@OTQSPYZ@OBNFTQBDFT VOTJHOFE
    MPOH
    VOTIBSF@qBHT
    TUSVDU
    OTQSPYZ
    OFX@OTQ
    TUSVDU
    DSFE
    OFX@DSFE
    TUSVDU
    

    GT@TUSVDU
    OFX@GT
    w VOTIBSF  ͷ࣮ߦ࣌ʹݺ͹ΕΔ
    w DSFBUF@OFX@OBNFTQBDF Ͱ໊લۭؒΛ৽نʹ ࡞੒

39. QSPDGT
    PQFSBUJPOT w OBNBTQBDF͸QSPDGTͰදݱ͞ΕΔͷͰ͜ΕΒΛૢ࡞͢Δؔ਺ Λొ࿥
    w TFUOT  ͕࢖͏ͷ͕͜ΕΒ
    w ֤OBNFTQBDFຖʹొ࿥
    

    struct proc_ns_operations { const char *name; int type; void *(*get)(struct task_struct *task); void (*put)(void *ns); int (*install)(struct nsproxy *nsproxy, void *ns); unsigned int (*inum)(void *ns); };

40. QSPDGT
    PQFSBUJPOT w HFU
    w ର৅OBNFTQBDFͷࢀরΧ΢ϯλΛ 
    w QVU
    

    w ର৅OBNFTQBDFͷࢀরΧ΢ϯλΛ
    w JOTUBMM
    w ݱࡏͷOBNFTQBDFͷࢀরΧ΢ϯλΛ͠ɺ৽͍͠OBNFTQBDFΛOTQSPYZߏ ଄ମʹηοτ
    w JOVN
    w OBNFTQBDFͷJOPEF൪߸Λฦ͢

41. DMPOF w OBNFTQBDFͷૢ࡞ͱݴͬͯ΋DMPOF ݻ༗ͰԿ͔͕͋ΔΘ ͚Ͱ͸ແ͍
    w DPQZ@QSPDFTT ͔ΒҎԼͷؔ਺ΛݺͿ
    w DPQZ@DSFET

    
    w VTFS@OTͷίϐʔ৽ن࡞੒
    w DPQZ@OBNFTQBDF
    w طଘͷ֤OBNFTQBDFͷίϐʔ৽ن࡞੒

42. TFUOT ೖΓ͍ͨOBNFTQBDFͷpMFߏ଄ମ͔ΒJOPEFΛऔಘ͠ɺ֘౰ OBNFTQBDFͷQSPD@OT@PQFSBUJPOTߏ଄ମऔಘ
    DSFBUF@OFX@OBNFTQBDF ͰOTQSPYZͷ࡞੒
    w ɹqBHTʹ͸Λ౉͢ͷͰطଘͷOBNFTQBDFͷࢀরΧ΢ϯλ ͕૿͑Δ͚ͩ
    QSPD@OT@PQFSBUJPOTߏ଄ମͷJOTUBMM ΛݺΜͰOTQSPYZʹର

    ৅ͷOBNFTQBDFΛઃఆ
    TXJUDI@UBTL@OBNFTQBDFT ͰOBNFTQBDFͷ੾Γସ͑Λ࣮ࢪ

43. VOTIBSF VOTIBSF͢ΔOBNFTQBDFͷऔಘ
    ϑΝΠϧγεςϜͷVOTIBSF
    
    DVSSFOUλεΫͷGT@TUSVDUߏ଄ମ͕ίϐʔ͞ΕΔ
    ϑΝΠϧσΟεΫϦϓλͷίϐʔ
    w ։͍͍ͯΔϑΝΠϧσΟεΫϦϓλΛEVQ@GE Ͱίϐʔ
    VTFS
    OBNFTQBDFͷ෼཭
    w

    $-0/&@/&864&3͕ηοτ͞Ε͍ͯͳ͚Ε͹Կ΋͠ͳ͍

44. VOTIBSF ! VOTIBSF@OTQSPYZ@OBNFTQBDFT ͰͦͷଞOBNFTQBDFͷ෼཭
    w ࣮ࡍͷॲཧ͸DSFBUF@OFX@OBNFTQBDFT Ͱ࣮ࢪ
    ্ه·Ͱͷૢ࡞ͰԿ͔͠Β࣮ߦ͕ߦΘΕͨ৔߹͸ҎԼͷॲཧΛ࣮ࢪ
    w OBNFQBDF

    OTQSPYZ ͷมߋ͕͋ͬͨ৔߹͸TXJUDI@UBTL@OBNFTQBDFT Ͱ੾ Γସ͑
    w GT@TUSVDUΛίϐʔͨ͠৔߹͸DVSSFOUλεΫͷGT@TUSVDUߏ଄ମ੾Γସ͑
    ɹϑΝΠϧσΟεΫϦϓλΛίϐʔͨ͠৔߹͸DVSSFOUλεΫͷϑΝΠϧσΟεΫϦ ϓλ੾Γସ͑
    ɹVTFS@OTͷVOTIBSFΛͨ͠৔߹͸TUSVDU
    DSFEͷ੾Γସ͑

45. /BNFTQBDF
    &YBNQMF w /BNFTQBDFػೳͰͲͷΑ͏ʹมΘ͔ͬͨ

46. HFUQJE
    
     w UBTL@TUSVDUߏ଄ମͷϝϯόม਺ QJE Λͦͷ·· ฦ٫Մೳ
    #define getpid() (current->pid)

47. HFUQJE
    
     wϓϩηε͕ॴଐ͍ͯ͠ΔQJE
    OBNFTQBDFͷQJEΛ ฦ͢ඞཁ͕͋Δ
    getpid() -> task_tgid_vnr() -> task_tgid() ->

    pid_vnr() -> task_active_pid_ns() -> task_pid() -> ns_of_pid() -> pid_nr_ns()

48. DIPXO
    
     static int chown_common(struct dentry * dentry, uid_t user,

    gid_t group) { ~தུʙ if (user == (uid_t) -1) user = inode->i_uid; if (group == (gid_t) -1) group = inode->i_gid; newattrs.ia_mode = inode->i_mode; newattrs.ia_uid = user; newattrs.ia_gid = group;

49. DIPXO
    
     static int chown_common(struct path *path, uid_t user, gid_t

    group) { ~தུʙ uid = make_kuid(current_user_ns(), user); gid = make_kgid(current_user_ns(), group); ! newattrs.ia_valid = ATTR_CTIME; if (user != (uid_t) -1) { if (!uid_valid(uid)) return -EINVAL; newattrs.ia_valid |= ATTR_UID; newattrs.ia_uid = uid; } if (group != (gid_t) -1) { if (!gid_valid(gid)) return -EINVAL; newattrs.ia_valid |= ATTR_GID; newattrs.ia_gid = gid; }

50. 3FGFSFODF w -9$ͰֶͿίϯςφೖ໳
    ʵܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़
    w IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST
    w /BNFTQBDFT
    JO
    0QFSBUJPO
    TFSJFT
    w IUUQMXOOFU"SUJDMFTTFSJFT@JOEFY
    w

    1SPGFTTJPOBM
    -JOVY
    ,FSOFM
    "SDIJUFDUVSF
    w IUUQXXXBNB[PODPKQEQ#5*$;