Slide 1

Uchio Kondo (近藤宇智朗) / GMO Pepabo, Inc.
14th Container Technology Information Exchange Meetup (第14回 コンテナ技術の情報交換会) @ online, 2021/04/17
My fight with CRIU and seccomp: it was all for blazing-fast startup
Image: https://pixabay.com/images/id-… by Antranias

Slide 2

Senior Principal Engineer Uchio Kondo (近藤宇智朗) / @udzura, https://blog.udzura.jp/
Technology Division, Technical Infrastructure Team @ GMO Pepabo
Supporter of Engineer Cafe (Fukuoka City Akarenga Cultural Center)
#Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #Shiren #FitBoxing2
---
Favourite system call? unshare(2), of course.

Slide 3

I'm a supporter of Engineer Cafe (Fukuoka City Akarenga Cultural Center)!

Slide 4

ToC
• My CRIU wrapper “Miehistö”
• Making it possible to dump an arbitrary application at an arbitrary point
• The seccomp + SCMP_ACT_TRACE approach
• The seccomp + SCMP_ACT_NOTIFY approach
• And then, into legend

Slide 5

(Caveats)
• Even though seccomp is the theme, about half of this is about how to use CRIU
• I never had a chance to present it all in one place...
• What is written here is basically what's in my blog posts (links on the last slide)
• The core of the CRIU-related implementation was written in 2019, so the very latest versions may have changed things.

Slide 6

CRIU

Slide 7

What is CRIU?
• A userland tool for Linux that checkpoints processes and restores them (Checkpoint-Restore In Userspace)
• Since a container is a process, it came to be used mainly to implement checkpoint/restore of containers
https://criu.org/Main_Page

Slide 8

Concretely
• These seem to be the intended uses (https://criu.org/Usage_scenarios):
  • Live migration of containers
  • Speeding up applications that are slow to start
  • Suspend/resume of desktop environments
  • (Seemingly) zero-downtime kernel upgrades
  • and so on...

Slide 9

Recent CRIU
• 3.13 (Sep 11, 2019) ... libcriu.a can now be built, by @udzura
• 3.14 (π, Apr 29, 2020) ... clone3(2) and Time NS support, etc.
• 3.15 (Nov 04, 2020) ... MIPS support, cgroup v2 support, restore into a PID NS, ... etc.
• Still developing...
The CRIU version used in this talk is …

Slide 10

CRIU is great!
• Let's try it right away!... ❓ ❓❓
With CRIU … this is OK for now. However... (continued)

Slide 11

So how do you actually use CRIU...?
• Just getting CRIU to "work properly" is hard to begin with
• Besides memory, there is the handling of file descriptors, ttys, sockets and so on...
• If the PID is already taken after restore, the process cannot be revived
• How am I supposed to manage these "image" things?

Slide 12

Use the CRIU already built into something?
• Using the checkpoint/restore built into a container runtime is an option, but each runtime does it differently and I can't remember them all...
• And the existing daemon isn't a container in the first place, and so on
https://speakerdeck.com/udzura/miehisto-a-recommended-stack-to-integrate-criu-into-existing-systems (slide …)

Slide 13

So I wrote one

Slide 14

Miehistö (read: "miehisute")
• (formerly Grenadine)
• Miehistö = “CREW” in Finnish

Slide 15

What is Miehistö?
• A set of tool wrappers that make it easier to apply CRIU to ordinary processes
• miehistod: the central daemon that manages services and images (read: "miehisute-dii")
• mhctl: the client (read: "muu-control")
• runmh: a kind of runtime that creates CRIU-friendly processes (read: "ran-muu")

Slide 16

What runmh does
• Creates a process that is running in an environment as close as possible to that of "a process started normally on a VM"
• On top of that, performs a series of operations that remove the conditions that get in the way of dump/restore with CRIU, leaving the process CRIU-ready

Slide 17

Concretely...
• First, the PID namespace must be separated so that PIDs start from 1
• → isolate with clone(2) and mount the /proc filesystem ourselves
• → which in turn means the mount namespace is isolated too

Slide 18

Separating the mount namespace / root
• Because /proc is remounted, the mount NS is unshared as well
• An independent root filesystem is needed, one that is nonetheless roughly the same as the host's
• How to make it:
  • bind-mount / onto a temporary directory, and bind-mount /dev and the like individually as well
  • pivot_root into it (chroot is not enough: the root recognised by that mount NS has to be swapped out)

Slide 19

Other things
• Referencing a tty, or files outside the root, is a no-go:
  • stderr/stdout are reopened onto files inside the root
  • (log files must be opened with O_WRONLY|O_APPEND)
• The session leader that called setsid() must be the root of the process tree, so call setsid()

Slide 20

Sketch of the implementation
• clone with the NEWNS and NEWPID flags
• bind-mount the host root (/) to another location
• setsid
• pivot_root
• point the stdin fd at /dev/null and the stdout/stderr fds at files inside the current root, opened with O_WRONLY|O_APPEND
• exec the target program

Slide 21

With this, the dump succeeds™ reliably.
• There may still be things I haven't taken into account.

Slide 22

Dumping is now stable, but...
• The question is what to do about restore
• Naively, running the criu command with the resulting image restores the original process, but...
• I want the miehistod service to manage the processes before and after restore uniformly, so I want the restored process to hang under miehistod. How on earth do I do that?

Slide 23

About restore
• Miehistö's requirements mean the restored process should also be managed by miehistod (runmh), so it must be restored as a child of an arbitrary process... is that even possible?
• When doing what the figure on the right shows, runmh -> criu -> ruby, if criu goes away... that's no good
(Figure: the process tree we are aiming for)

Slide 24

Restore implementation in miehistö
• Call criu restore under miehistod
• Use the --exec-cmd option so that, after the restore, the criu command execs itself into the runmh program
  • Because I wanted a process tree with runmh as the parent and the restored command as the child
• The handling of bind mounts also has to be passed to criu restore
  • About the --external option

Slide 25

Generate and run a criu command like this (shown on the slide)
• Incidentally, CRIU has a client/server mode (via libcriu) and a mode where the command is launched directly. In this case the process dump is fine in client/server mode, but process revival only works via the command.

Slide 26

--exec-cmd
• With the criu command, after the process has been restored and spawned, the original criu command itself can exec into another program.
• That lets you swap in "the program that directly waits on the restored process", which is handy when building a supervisor-like program as here.
• The tree miehistod -> runmh -> (restored process) is complete

Slide 27

Diagram of how the parent is swapped: https://speakerdeck.com/udzura/my-criu-life-in-progress (slide …)

Slide 28

External bind mounts
• Information about bind mounts of directories outside the root is not detected automatically at dump/restore time, so it has to be specified explicitly.
• At dump time → the external bind-mount targets are fixed by convention, so that information is passed to the criu service as the equivalent of the --external option
• At restore time → it is passed to the command in a form like:
  --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids
https://criu.org/External_bind_mounts

Slide 29

With this, restore works too.

Slide 30

CRIU things not covered today
• Options Miehistö doesn't use: --cgroup-root, --action-script, etc.
• The swrk mode
Will I ever get a chance to talk about these? Every use case is niche, though. Some of it is covered in "Trying out CRIU for hosting #hostingcasual": https://speakerdeck.com/udzura/my-criu-life-in-progress

Slide 31

Stopping the application

Slide 32

What I want(ed) to do
• In an architecture where the app "starts on first access", reduce the first-start overhead as far as possible
• FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/)
• Familiar examples are Heroku, Cloud Run and the like

Slide 33

The approach: dumping the process in advance
• I figured that if a memory dump of the container is made in advance and the app is started from it, the startup overhead could be reduced even for applications whose startup is slow, such as a full-stack framework in a scripting language.
• (I wanted to use this inside a hosting service, which is also why I wanted a generic method that depends as little as possible on the nature of the app)

Slide 34

cf. strace -c rails s
• Startup, with RAILS_ENV=production, of an app that is just rails new plus roughly one CRUD resource
• Almost entirely open and stat, i.e. file operations
• If all of these opens could be skipped, it ought to be fast

Slide 35

When to stop it?
• I want to stop it at a point where it has as little "state" as possible
• CRIU could probably checkpoint a process that has established lots of connections to backend DBs and is accepting lots of client connections, but that looks likely to cause unnecessary trouble (and troubleshooting).
• I want the stopping point to be decided somewhat mechanically
• For example, how about stopping at the first listen(2) or similar?

Slide 36

seccomp (SCMP_ACT_TRACE)

Slide 37

I want to hook listen(2) and do something there
• seccomp finally enters the picture...
• Besides simple allowlists/denylists, seccomp has an option that sends a notification via ptrace(2) when a specified system call is invoked (SCMP_ACT_TRACE)
• (Incidentally, with this option the syscall number being invoked can itself be changed; I believe gVisor and the like use it, right??)

Slide 38

How to use SCMP_ACT_TRACE
• fork
• [parent] ptrace(PTRACE_ATTACH); then set the PTRACE_O_TRACESECCOMP option with ptrace(PTRACE_SETOPTIONS)
• [parent] ptrace(PTRACE_CONT)
• [parent] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) (-1 so that child processes and threads created by the tracee are followed too)
• [child] load a seccomp ctx that uses SCMP_ACT_TRACE
• [parent] when the child invokes the syscall in question, information about that process can be obtained from waitpid's status, ptrace(PTRACE_GETEVENTMSG), ptrace(PTRACE_GETREGS) and so on
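The attach/continue/wait sequence above, carried through end to end as an added example (not code from the slides or from mruby-seccomp). It loads a raw seccomp-bpf filter with prctl(2) instead of using libseccomp, so SECCOMP_RET_TRACE stands in for SCMP_ACT_TRACE and the trace data value 0x1234 is a constructed marker; the function names trace_first_listen, listen_without_tracer, load_trace_filter and wait_for_seccomp_stop are my own. It also reproduces the failure mode the later slides run into: the same filter with no tracer attached does not stop the process, the flagged listen(2) simply fails with ENOSYS. Assumes Linux on x86_64 or aarch64 with ptrace permitted on child processes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define TRACE_DATA 0x1234u   /* constructed SECCOMP_RET_DATA, like SCMP_ACT_TRACE(0x1234) */

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* [child] Load a filter: kill on a foreign arch, SECCOMP_RET_TRACE for `nr`, allow the rest. */
static int load_trace_filter(int nr) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | TRACE_DATA),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* [parent] Attach, request seccomp stops, resume, then wait for the first seccomp stop.
 * Returns the SECCOMP_RET_DATA reported by PTRACE_GETEVENTMSG, or -1. */
static long wait_for_seccomp_stop(pid_t pid, int go_fd) {
    int status;
    unsigned long msg = 0;
    long result = -1;
    if (ptrace(PTRACE_ATTACH, pid, 0, 0) < 0) return -1;
    if (waitpid(pid, &status, __WALL) < 0) return -1;                 /* the attach SIGSTOP */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESECCOMP) < 0) return -1;
    if (ptrace(PTRACE_CONT, pid, 0, 0) < 0) return -1;
    if (write(go_fd, "g", 1) != 1) return -1;                          /* child may now load its filter */
    for (;;) {
        if (waitpid(pid, &status, __WALL) < 0 || !WIFSTOPPED(status)) break;
        if ((status >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            /* Child is frozen just before the syscall runs: the slides run criu dump here. */
            if (ptrace(PTRACE_GETEVENTMSG, pid, 0, &msg) == 0) result = (long)msg;
            break;
        }
        ptrace(PTRACE_CONT, pid, 0, WSTOPSIG(status) == SIGTRAP ? 0 : WSTOPSIG(status));
    }
    kill(pid, SIGKILL);
    waitpid(pid, &status, __WALL);
    return result;
}

/* Full sequence from the slide: fork; parent attaches; child loads the filter and calls listen(2). */
long trace_first_listen(void) {
    int go[2];
    if (pipe(go) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char c;
        close(go[1]);
        if (read(go[0], &c, 1) != 1) _exit(3);            /* wait until the tracer is attached */
        if (load_trace_filter(SYS_listen) < 0) _exit(2);
        listen(socket(AF_INET, SOCK_STREAM, 0), 16);      /* the flagged syscall; fd validity is irrelevant */
        _exit(0);
    }
    close(go[0]);
    long data = wait_for_seccomp_stop(pid, go[1]);
    close(go[1]);
    return data;
}

/* Failure mode seen later in the deck: the same filter with no tracer attached does not
 * stop the process, the flagged syscall just fails. Returns the errno the child saw. */
int listen_without_tracer(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (load_trace_filter(SYS_listen) < 0) _exit(255);
        int s = socket(AF_INET, SOCK_STREAM, 0);
        errno = 0;
        listen(s, 16);
        _exit(errno);                                     /* ENOSYS (38) is expected */
    }
    if (waitpid(pid, &status, __WALL) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("no tracer: errno=%d (ENOSYS=%d)\n", listen_without_tracer(), ENOSYS);
    printf("with tracer: data=0x%lx (expected 0x%x)\n", trace_first_listen(), TRACE_DATA);
    return 0;
}
```

The ordering matters in both directions: the parent must be attached with PTRACE_O_TRACESECCOMP set before the child loads its filter, otherwise the kernel has nobody to report the stop to and returns ENOSYS from the flagged syscall, which is the same symptom the deck later sees after a restore without a tracer. The child at the seccomp stop has not yet executed listen(2), so a dump taken there captures the "just before listen" state.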

Slide 39

It's fiddly, so I wrapped it in mruby
• https://github.com/haconiwa/mruby-seccomp/blob/master/examples/tracing.rb

Slide 40

seccomp + ptrace
• SCMP_ACT_TRACE stops the traced process right before it executes the system call, sends a notification to the tracer, and lets the tracer do arbitrary processing based on its content.
• So if we hook in right before a syscall such as listen(2) and run a process dump with criu, we should be able to mechanically obtain a dump of the process in its state just before listen(2)... right?
• (The idea here originally came from @matsumotory)

Slide 41

Let's try it
• Insert a simple wrapper, start the app with miehistö, stop it with seccomp
• The dump does not succeed

Slide 42

Do the ptrace options clash?
• Tracing via seccomp attaches to the process with ptrace(PTRACE_ATTACH) and detects the stopped state
• Inside criu, on the other hand, the process is attached with ptrace(PTRACE_SEIZE) and explicitly stopped with ptrace(PTRACE_INTERRUPT).
• Stopping with different mechanisms may be what causes the problem
• Even after forcibly patching criu around this...
  • In the end, because the seccomp ctx cannot be removed from the process, the second listen() is treated as if no ptrace tracer existed and returns ENOSYS?

Slide 43

The outlook is looking a bit poor...
• While I was saying that, other work got busy and this got swapped out.
• Everything up to this point was actually investigated back in 2018: https://hb.matsumoto-r.jp/entry/…

Slide 44

(At last) seccomp notification

Slide 45

A new option arrived in seccomp
• SCMP_ACT_NOTIFY (seccomp notification)
• Everyone should by now have a complete understanding of what it is from the preceding talks...
The libseccomp version used in this talk is …; the kernel is …-generic (Ubuntu Groovy)

Slide 46

What about seccomp notification?
• When a specified system call is invoked, the decision on how to handle it can be delegated to another process.
• Meanwhile, the original process is blocked
• So, in the same way, it should be possible to stop at "an arbitrary system call invocation"...?

Slide 47

Experiment
• Implement a seccomp notif receiver like the one on the right

Slide 48

Start via the wrapper
• The wrapper is on the left
• Start the app through it
• It does stop before listen
(Implemented an API called Rule.notify; it opens a UNIX domain socket so that the seccomp notify fd can be sent off over it)

Slide 49

The stack of the process stopped at this point
• It is stopped in a mysterious function called seccomp_do_user_notification
• It is blocking inside an ordinary kernel function
• It is not in a state where it was stopped by a signal, ptrace or the like

Slide 50

Dumping and restoring this...
• The dump succeeds without incident.
• But after restore, ENOSYS comes out.

Slide 51

The dump works, but…
• At the moment of restore, the new process ends up with a seccomp context that is not handled properly
• Then, it seems, there is no one to notify via SCMP_ACT_NOTIFY, and the result is the specified behaviour for that case: "the syscall fails with errno=ENOSYS". There is no way to resume listen(2) normally.

Slide 52

So what now?
• <insert a suitable Irasutoya illustration>

Slide 53

So what now?
• Think of a syscall that "has no effect whether it succeeds or fails"
• For example, pick one realtime signal and signal(s, SIG_IGN)
• Sending that signal to yourself does nothing, but it produces a syscall invocation that can be identified by the signal number

Slide 54

That marker syscall
• is hooked in right before the call to libc's listen(3)
• by defining a wrapper function and loading it with LD_PRELOAD.
• This should effectively stop the program right before listen(2), and on revival processing should continue unaffected.
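One way to write the LD_PRELOAD wrapper described above, as an added example rather than the wrapper from the slides. The marker is kill(getpid(), SIGRTMAX) after SIGRTMAX has been set to SIG_IGN, exactly the "no effect, but identifiable by signal number" call of the previous slide, and the real listen(2) is issued as a raw syscall so the wrapper needs no dlsym(3). The names emit_marker, marker_calls_so_far and demo are my own; the same source builds as a shared object for LD_PRELOAD or as a plain program for a quick check.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed choice: the realtime signal used as the marker. Once it is ignored,
 * kill(getpid(), SIGRTMAX) changes nothing in the program, yet the kernel still
 * sees a kill(2) whose signal argument is SIGRTMAX, which a seccomp rule can match. */
#define MARKER_SIG SIGRTMAX

static int marker_calls;   /* how many markers this process has emitted */

/* Emit the marker syscall once. Returns 0 on success, -1 otherwise. */
int emit_marker(void) {
    if (signal(MARKER_SIG, SIG_IGN) == SIG_ERR) return -1;
    if (kill(getpid(), MARKER_SIG) != 0) return -1;
    marker_calls++;
    return 0;
}

int marker_calls_so_far(void) { return marker_calls; }

/* The LD_PRELOAD wrapper. Built as a shared object
 * (gcc -shared -fPIC -o liblistenhook.so hook.c) and run with
 * LD_PRELOAD=./liblistenhook.so, this definition shadows libc's listen(3).
 * The real listen(2) is issued as a raw syscall, so no dlsym(RTLD_NEXT) is
 * needed. The order is the whole point: marker first, then the real call. */
int listen(int sockfd, int backlog) {
    emit_marker();
    return (int)syscall(SYS_listen, sockfd, backlog);
}

/* Stand-alone check: linked into an executable, the definition above still
 * takes precedence over libc's, so this listen() call goes through the hook. */
int demo(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int rc = listen(s, 16);   /* an unbound TCP socket is auto-bound by listen(2) */
    close(s);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("listen returned %d after %d marker call(s)\n", rc, marker_calls_so_far());
    return rc == 0 ? 0 : 1;
}
```

Because the marker is emitted before the real listen(2), a supervisor that traps kill(2) with that signal number sees the process frozen one syscall before it starts accepting connections, and a process restored from that point simply proceeds to the real listen(2) with nothing pending. The wrapper only covers programs that reach listen(2) through libc, which is the limitation the deck lists at the end.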

Slide 55

The final experiment
• Change the wrapper further, as on the left
• Start → dump via the notification receiver
(Trap calls to kill(any, …), where … is SIGRTMAX; LD_PRELOAD is set at exec time)
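The final experiment end to end, covering both the notification receiver from the "Start via the wrapper" slide and the kill(any, SIGRTMAX) trap above, as an added example rather than the author's receiver or wrapper code. It loads a raw seccomp-bpf filter instead of a libseccomp context (SECCOMP_RET_USER_NOTIF is what SCMP_ACT_NOTIFY loads), hands the listener fd to the supervisor over a UNIX socket with SCM_RIGHTS, and has the supervisor answer the notification so the blocked kill(2) completes; the criu dump that the deck runs at that point is not performed here. The names run_notify_experiment, handle_one_notification, load_notify_filter, send_fd and recv_fd are my own. Assumes Linux 5.0 or later on x86_64 or aarch64.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MARKER_SIG SIGRTMAX   /* the ignored realtime signal chosen as the marker */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* [traced side] kill(2) with signal == MARKER_SIG -> SECCOMP_RET_USER_NOTIF; rest allowed.
 * Returns the notification listener fd, or -1. */
static int load_notify_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_kill, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])), /* sig, low 32 bits */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)MARKER_SIG, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Pass the listener fd over a UNIX socket with SCM_RIGHTS: the "send it off" step. */
static int send_fd(int sock, int fd) {
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    char byte; int fd = -1;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* [supervisor side] Block until the marker fires; the traced process now sits in
 * seccomp_do_user_notification, where the deck runs criu dump. Replying with val=error=0
 * makes its kill(2) return 0. Returns the notified syscall number, or -1. */
long handle_one_notification(int lfd) {
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;
    memset(&req, 0, sizeof req);     /* the kernel rejects a request buffer that is not zeroed */
    memset(&resp, 0, sizeof resp);
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) return -1;
    resp.id = req.id;
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0) return -1;
    return req.data.nr;
}

/* Whole exchange: returns SYS_kill if the supervisor was notified and the child's marker
 * then completed with 0, else -1. */
long run_notify_experiment(void) {
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        int lfd = load_notify_filter();
        if (lfd < 0 || send_fd(sv[1], lfd) < 0) _exit(2);
        signal(MARKER_SIG, SIG_IGN);
        _exit(kill(getpid(), MARKER_SIG) == 0 ? 0 : 1);   /* blocks until the supervisor answers */
    }
    close(sv[1]);
    int lfd = recv_fd(sv[0]);
    long nr = lfd < 0 ? -1 : handle_one_notification(lfd);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) nr = -1;
    return nr;
}
```

To drive it stand-alone, call run_notify_experiment() from a main and compare the result with SYS_kill. The supervisor's reply is what distinguishes this from the restore failure on the earlier slides: after a restore nobody holds the listener fd, so the kernel has no one to ask and fails the marker with ENOSYS, whereas a supervisor that is present can answer and let the process continue into listen(2).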

Slide 56

This time the dump revives the process successfully

Slide 57

No content

Slide 58

Incidentally...
• Once you've brought in LD_PRELOAD, anything goes, so.....
• with that thought, I tried changing the code as shown on the right.
• Result → because it is containerized (PID unshared), the process itself is PID=1 and ignores SIGSTOP.
  • In the end it seemed that seccomp is the only way to reliably stop the init process inside the container. If I've overlooked something, please let me know.

Slide 59

Things not yet examined
• Multithreaded applications... how do they stop?
• Then again, do they stop at the first call? Maybe?
• When LD_PRELOAD can't be used for some reason
• When libc isn't used at all (Go in particular)
• When the syscall is invoked directly ....

Slide 60

A note
• I'm aware that what I'm doing is absurd.
• I'd be happy if you enjoyed it as a fun Linux story
• I'd love to hear of examples that do something similar more elegantly
• In any case, I took this opportunity to lay to rest a series of research whose surrounding implementation I've been working on intermittently since early 2018. Thank you for listening

Slide 61

References
• Blog posts about seccomp and Miehistö, written intermittently:
  • "Chasing system calls with mruby, seccomp and ptrace" (2017/04)
  • "Grenadine: letting 'ordinary applications' enjoy the benefits of checkpoint/restore" (2019/03)
  • "I presented CRIU and Miehistö at the 7th WSA study group #WSA研" (2020/11)
  • "An approach to stopping a program at an arbitrary library call and creating a CRIU image for startup" (2020/12)
https://udzura.hatenablog.jp/