Linux Mode 2 Seccomp Tutorial

by bachi/yuzuhara

Slide 1

Slide 1 text

H25.08.11 ஧ു ༸ี Linux Seccomp Tutorial ηΩϡϦςΟΩϟϯϓ2013 γεςϜιϑτ΢ΣΞθϛิॿࢿྉ 1 13೥8݄12೔݄༵೔

Slide 2

Slide 2 text

Seccompͱ͸ • ਖ਼ࣜʹ͸Secure computing mode ͱ͍͏ɺϓϩηεͷα ϯυϘοΫεԽΛࢧԉ͢ΔΧʔωϧͷ࢓૊Έ • ϓϩηε͕ࣗൃతʹγεςϜίʔϧͷൃߦݖݶΛ์غ ͢Δ • Ͳ͏͍͏ͱ͖ʹ࢖͏ͷ͔ʁ • ͜ͷϓϩηε͸͜Ε͔Βո͍͠σʔλΛѻ͍·͢Αɺͱ͍ ͏ͱ͖ʹઃఆ͢Δ • ͦͷޙɺϓϩηε͕ൃߦͰ͖ΔγεςϜίʔϧ͕ஶ੍͘͠ ݶ͞ΕΔͨΊɺϓϩηε͕৐ͬऔΒΕͯ΋΄ͱΜͲԿ΋Ͱ ͖ͳ͘ͳΔ 2 13೥8݄12೔݄༵೔

Slide 3

Slide 3 text

Mode 1 Seccomp • Linux kernel 2.6.12͔ΒϚʔδ͞ΕͨɺγεςϜίʔϧͷ ϑΟϧλ • ϓϩηε͕prctl_set_seccomp()ΛݺͿͱɺ͔ͦ͜ΒҎԼͷγ εςϜίʔϧ͔͠ൃߦͰ͖ͳ͘ͳΔ • read,() write(), exit(), sigreturn() • fork()ͱ͔execve()͕࢖͑ͳ͍→߈ܸ͞Εͨͱ͖ɺ΄ͱΜͲԿ ΋ग़དྷͳ͍ʂ process secure computing mode fork() read() 3 13೥8݄12೔݄༵೔

Slide 4

Slide 4 text

Mode 2 Seccomp • Linux Kernel 3.5͔ΒϚʔδ͞ΕͨɺMode 2 seccompΛஔ ͖׵͑Δ࢓૊Έ • Mode 1ͱҧ͍ɺ೚ҙͷγεςϜίʔϧΛڐՄ͢Δ͜ͱ ͕Ͱ͖Δ • Berkley Packet FilterΛϕʔεʹɺߴ଎ʹγεςϜίʔϧ ΛϑΟϧλϦϯά͢Δ͜ͱ͕ग़དྷΔ • ͜ͷͨΊɺseccomp-bpfͱݺ͹ΕΔ͜ͱ͕ଟ͍ • ͪͳΈʹFedoraͰ͸syscall ﬁlterͱݺͿ • seccomp 2ͱ͔seccomp mode 2ͱ͔දه༳Ε͕ଟ͍ ( ꒪⌓꒪) 4 13೥8݄12೔݄༵೔

Slide 5

Slide 5 text

Berkley Packet Filter(bpf)Λϕʔεʹɾɾɾ • bpfͷྺ࢙΍࢓૊Έ͸লུ • ಛ௃ • ύέοτΛޮ཰Α͘ϑΟϧλϦϯά͢ΔͨΊɺϑΟϧλϦ ϯάϧʔϧʹಛԽͨ͠ॲཧܥ͕ಈ͍ͯΔʢVMͱ͍͍͍ͬͯ Ϩϕϧʣ • ڪΔ΂͖͸ɺJITΛαϙʔτ͍ͯ͠ΔʢΧʔωϧ಺Ͱʂʣ • ͜ͷͨΊɺ͔ͳΓෳࡶ mode 2 seccomp͸͜ͷbpfΛ࢖ͬͯγεςϜί ʔϧΛϑΟϧλϦϯά͍ͯ͠ΔͨΊɺbpfͷ஌ ͕ࣝແ͍ͱ࢖͑ͳ͍ 5 13೥8݄12೔݄༵೔

Slide 6

Slide 6 text

Mode 2 seccompͷԠ༻ྫ • Google Chromium • Ubuntu 12.04͔Βར༻ՄೳʢKernel͸3.2͕ͩɺbackport͞Ε ͍ͯΔʣ • vsftpd3.0.0͔ΒMode 2 seccompΛ࢖͍ͬͯΔΒ͍͠ ※ͲͪΒ΋ϓϩηεΛαϯυϘοΫεԽ͢ΔͨΊɺ ݩʑ໾ׂ΍ϢʔβʔʹΑͬͯϓϩηε෼ׂ͞Ε͍ͯΔ 6 13೥8݄12೔݄༵೔

Slide 7

Slide 7 text

ϓϩηε෼ׂ ʴ mode 2 seccomp = ࠷ڧʂ 7 13೥8݄12೔݄༵೔

Slide 8

Slide 8 text

Using simple seccomp ﬁlters • ͔͠͠ɺݱঢ়͸͔ͳΓ࢖͍͜ͳ͢ͷ͕೉͍͠ • bpfΛ൒͹ڧҾʹୟ͍͍ͯΔͨΊ • ґଘؔ܎͕ෳࡶɺݩʑbpf͸͜Μͳ༻్૝ఆͯ͠ͳ͍ • ԼهURLΛࢀরɻʢશવsimple͡Όͳ͍ɾɾʣ http://outﬂux.net/teach-seccomp/ 8 13೥8݄12೔݄༵೔

Slide 9

Slide 9 text

libseccomp Tutorial 9 13೥8݄12೔݄༵೔

Slide 10

Slide 10 text

αϯυϘοΫεԽͷ४උ • ո͍͠σʔλ΍εΫϦϓτΛ”࣮ߦ”ͨ͠Γ”ղऍ”͢Δ ෦෼͕Ұ൪੬ऑ • σʔλΛόΠτྻͱͯ͠ಡΈऔΔ͚ͩͳΒͦΜͳʹةݥ͡ Όͳ͍ • ͜ͷ෦෼Λ্ख͘αϯυϘοΫεԽ͢ΔΑ͏ʹϓϩάϥϜ Λઃܭ 10 13೥8݄12೔݄༵೔

Slide 11

Slide 11 text

Main mission: Securing mruby • mrubyΛηΩϡΞʹ࣮ߦͰ͖ΔϑϨʔϜϫʔΫΛ࡞ͬͯ ΈΑ͏ • ͜ͷϑϨʔϜϫʔΫΛ࢖ͬͯɺ”۠ըԽ”ͨ͠΄͏͕ྑ͞ ͦ͏ͳΦϦδφϧΞϓϦέʔγϣϯΛઃܭɺ࣮૷͠Α͏ Master process mruby process IPC Sandboxing by Mode 2 seccomp mruby code(string) result(char[]) 11 13೥8݄12೔݄༵೔

Slide 12

Slide 12 text

ϓϩηε෼ׂ • σʔλͷ΍ΓऔΓ͸pipeΛ࢖͏ • mruby࣮ߦ෦෼Λfork()͢Δ • ͜ΕͰͻͱ·ͣɺmruby͕๫૸ͯ͠΋େৎ෉✌('ω'✌ )ࡾ ✌('ω')✌ࡾ( ✌'ω')✌ • ࢠϓϩηε͕๫૸ͨ͠Γམͪͯ΋ɺ਌͸ੜ͖࢒Δ 12 13೥8݄12೔݄༵೔

Slide 13

Slide 13 text

αϯυϘοΫεԽ • fork() ͨ͠ޙʹɺࣗ෼ࣗ਎ΛαϯυϘοΫεԽ͢Δ • seccomp_init(SCMP_ACT_KILL);ͰॳظԽ • seccomp_rule_add();ͰڐՄ͢ΔγεςϜίʔϧΛࢦఆ͍ͯ͠ ͘ • seccomp_load();Ͱ४උ׬ྃ • seccomp_release();ͰෆཁͳݖݶΛશ෦ख์͢→αϯυϘο ΫεԽʂ 13 13೥8݄12೔݄༵೔

Slide 14

Slide 14 text

sample • seccamp2013_sandbox/samples/libseccomp_base.c • γεςϜίʔϧ͕ݺ΂ͳ͘ͳΔྫ • seccamp2013_sandbox/ samples/ libseccomp_sample.c • ͍͔ͭ͘ͷγεςϜίʔϧΛڐՄͨ͠ྫ • read, write͸ﬁle descriptorΛࢦఆͯ͠ڐՄ͢Δ ͜ͱ΋Մೳ 14 13೥8݄12೔݄༵೔

Slide 15

Slide 15 text

͓ΘΓ • αϯυϘοΫεপʹΑ͏ͦ͜ʂ 15 13೥8݄12೔݄༵೔