Linux NamespaceͱηΩϡϦςΟ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th Ճ౻ହจ 2015-10-02 Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 1 / 19

ࣗݾ঺հ Ճ౻ହจ http://www.ten-forward.ws/ @ten forward http://gplus.to/tenforward https://github.com/tenforward http://d.hatena.ne.jp/defiant/ (ٕज़ϒϩά) Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 2 / 19

ࣗݾ঺հ Plamo Linux ϝϯςφ LXC ͰֶͿίϯςφೖ໳ɹʔܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ gihyo.jp Ͱ࿈ࡌ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 3 / 19

ίϯςφͬͯ͝ଘ஌Ͱ͔͢? Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 4 / 19

͓͜ͱΘΓ Web ηΩϡϦςΟͷ࿩͋Γ·ͤΜ ຊ೔͸ηΩϡϦςΟͷࢹ఺͔Βʮίϯςφʯʹ͍ͭ ͯ࿩͢ͷͰɺίϯςφʹؔͯ͠͸͔ͳΓׂΓ੾ͬͨ આ໌ʹͳ͍ͬͯ·͢ɻ ৄ͘͠͸࿈ࡌͱ͔աڈͷࢲͷߨԋࢿྉͱ͔͝ཡ͍ͩ͘͞ɻ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 5 / 19

ίϯςφͱNamespaceͷ֓ཁ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 6 / 19

ίϯςφͱ͸ Χʔωϧ͔ΒݟΔͱී௨ʹϓϩηε͕ىಈ͢Δ͚ͩ ΧʔωϧͷػೳͰ OS Ϧιʔε͕ଞ͔Βಠཱ͍ͯ͠ΔۭؒΛ ࡞Γग़͢ Ծ૝Խͱ͍͏ΑΓʮִ཭Խʯͱݴͬͨ΄͏͕Θ͔Γ΍͍͔͢΋ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 7 / 19

Namespace(໊લۭؒ) OS ͕؅ཧ͢ΔϦιʔε ωοτϫʔΫ (ΞυϨεɺιέοτɺϧʔςΟϯάςʔϒϧɺ ϑΟϧλϦϯάςʔϒϧ) Ϛ΢ϯτ PID UTS(uname(2) ͕ฦࣝ͢ผࢠͷू߹ɻυϝΠϯ໊ɺϗετ໊) IPC(System V IPC ΦϒδΣΫτɺPOSIX ϝοηʔδΩϡʔ) Ϣʔβ (UID,GID) ͳͲͳͲ Λอ࣋͢Δ ී௨͸ OS ্ͷϓϩηε͸શͯͷ Namespace Λڞ༗͢Δ clone(2) Ͱ৽͍͠ϓϩηεΛ࡞੒͢ΔࡍʹϑϥάΛࢦఆͯ͠ ಠཱͨ͠ Namespace Λ࡞Δ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 8 / 19

Namespaceͷྫ PID Λ؅ཧ͢Δ Namespace Λ৽͘͠࡞Δ $ sudo unshare --fork --pid --mount-proc -- ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.1 8172 1768 pts/0 R+ 01:54 0:00 ps aux ৽ͨʹ࡞ͬͨ Namespace Ͱ ps ίϚϯυΛ࣮ߦͨ͠ͷͰɺ ps ίϚϯυ͕ PID:1 Ͱଞʹϓϩηε͸ͳ͍ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 9 / 19

Namespaceͷ࣮ྫ ͦͷҰ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 10 / 19

NamespaceʹΑΔSandbox ηΩϡϦςΟΛߟ͑ͯɺݖݶͷݶΒΕͨࡉ෼Խͨ͠ϓϩάϥ Ϝ΍ϓϩηεʹ෼ׂͯ͠ಈ࡞ͤ͞Δ͜ͱ͸ྑ͋͘Δ ࡉ෼Խͨ͠ϓϩάϥϜ΍ϓϩηεΛ৽ͨʹ࡞ͬͨ Namespace ಺Ͱىಈͤ͞ΔͱΑΓηΩϡΞʹͳΔ͔΋ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 11 / 19

NamespaceʹΑΔSandbox ࣮ྫ Chrome/Chromium ͷ Linux Sandboxing https://chromium.googlesource.com/chromium/src/+/ master/docs/linux_sandboxing.md $ pstree -p :(snip) |-chrome(29616)-+-chrome-sandbox(29618)---chrome(29620)-+-chrome(29630)-+-c | | | | :(snip) | | ‘-chrome-sandbox(29 :(snip) Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 12 / 19

NamespaceʹΑΔSandbox ֬ೝͯ͠ΈΔ 1 λʔήοτͱͳΔϓϩηε͕ଐ͢Δ Namespace ʹೖΔ $ sudo nsenter --target 29620 --net --pid 2 ωοτϫʔΫΠϯλʔϑΣʔεΛ֬ೝͯ͠ΈΔ # ip a (ˣϧʔϓόοΫΠϯλʔϑΣʔε͔͠ͳ͍) 1: lo: mtu 65536 qdisc noop state DOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 3 Namespace ಺ͷ PID:1 Ͱ࣮ߦ͞Ε͍ͯΔίϚϯυΛݟͯΈΔ # mount -t proc proc /mnt # cat /mnt/1/cmdline /opt/google/chrome/chrome --type=zygote Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 13 / 19

Namespaceͷ࣮ྫ ͦͷೋ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 14 / 19

User Namespace Ұ൪࠷ۙΧʔωϧʹ࣮૷͞Εͨ Namespace (linux 3.8) ௨ৗɺNamespace(=ίϯςφɾԾ૝؀ڥ) Λ࡞Δʹ͸ಛݖ (root ݖݶ) ͕ඞཁɻͭ·Γɺ࡞੒ͨ͠ Namespace ಺ͷಛݖ Ϣʔβ͸ϗετ্Ͱ΋ಛݖΛ࣋ͭ ΋͠੬ऑੑ͕ଘࡏͨ͠Βʜ ͦ͜Ͱ User Namespace ϗετ্Ͱ͸ҰൠϢʔβ User Namespace ্Ͱ͸ಛݖϢʔβ ϗετ্ͷ UID/GID ͱ Namespace ಺ͷ UID/GID ͷϚοϐ ϯάΛ࡞੒Ͱ͖Δ ϗετ্ͷಛݖϢʔβͱશ͘ಉ͡ݖݶ͕ Namespace ಺ͷಛ ݖϢʔβʹ༩͑ΒΕ͍ͯΔΘ͚Ͱ͸ͳ͍ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 15 / 19

User Namespace $ lxc-start -n ct01 (ίϯςφͷىಈ) $ lxc-info -n ct01 -p (ىಈͨ͠ίϯςφͷ PID) PID: 10443 $ ps -u -p 10443 (10443 ͸ UID:100000 Ͱ࣮ߦ͞Ε͍ͯΔ) USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 100000 10443 0.0 0.0 33380 4004 ? Ss 23:15 0:00 /sbin/init $ lxc-attach -n ct01 (ίϯςφͷதʹೖΔ) root@ct01:/# id (root ϢʔβͰ͋Δ͜ͱΛ֬ೝ) uid=0(root) gid=0(root) groups=0(root) root@ct01:/# touch testfile (ϑΝΠϧΛ࡞Δ) root@ct01:/# ls -l testfile (ॴ༗ݖ͸ root:root) -rw-r--r-- 1 root root 0 Oct 1 11:12 testfile root@ct01:/# exit (ίϯςφ͔Βൈ͚Δ) $ sudo ls -l .local/share/lxc/ct01/rootfs/testfile (ί ϯ ς φ ͷ ֎ ͔ Β ݟ Δ ͱ uid/gid=100000) -rw-r--r-- 1 100000 100000 0 10 ݄ 1 20:12 .local/share/lxc/ct01/rootfs/testfile Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 16 / 19

·ͱΊ ηΩϡϦςΟͷ؍఺͔Β Namespace Λ঺հͯ͠Έ·ͨ͠ ίϯςφΛ࡞ΔͨΊͷ Namespace ΛηΩϡϦςΟ֬อͷͨ Ίʹ࢖͑Δ Namespace ಺Ͱ͸ಛݖϢʔβͳͷʹϗετ্Ͱ͸ඇಛݖϢʔ βͰ͋ΔϢʔβΛར༻Ͱ͖Δ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 17 / 19

ڵຯΛ࣋ͬͨਓ͸ https://speakerdeck.com/tenforward LXC ͰֶͿίϯςφೖ໳ɹʔܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 18 / 19

͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ Ճ౻ହจ OWASP Kansai ϩʔΧϧνϟϓλʔϛʔςΟϯά 6th 2015-10-02 19 / 19