Slide 1
Slide 1 text
%PDLFSɺ)BDPOJXBɺͦΕ͔Β1FSM
ۙ౻͏͓ͪ(.01FQBCP
*OD
:"1$'VLVPLB
ίϯςφΛʮकΔʯΈ͔Βɺ
தΛཧղ͠Α͏
Slide 2
Slide 2 text
ΤϯδχΞ
ۙ౻͏͓ͪ!VE[VSB
(.0ϖύϘٕज़ج൫νʔϜ
5XJUUFS(JU)VC!VE[VSB
'BDFCPPLVDIJPLPOEP
Slide 3
Slide 3 text
!VE[VSBʹ͍ͭͯ
ɾ3VCZJTUɻʁ
ɾύʔϑΣΫτ3VCZ3P3ڞஶ
ɾ'VLVPLBSC
ɾ3VCZ,BJHJTQFBLFS
ɾNSVCZίϯςφ)BDPOJXB
Slide 4
Slide 4 text
!VE[VSBʹ͍ͭͯ
ɾ3VCZJTUɻʁ
ɾύʔϑΣΫτ3VCZ3P3ڞஶ
ɾ'VLVPLBSC
ɾ3VCZ,BJHJTQFBLFS
ɾNSVCZίϯςφ)BDPOJXB
Slide 5
Slide 5 text
3VCZJTU
Slide 6
Slide 6 text
Ԭ3VCZձٞ!
IUUQSFHJPOBMSVCZLBJHJPSHGVLVPLB
Slide 7
Slide 7 text
ίϯςφ
Slide 8
Slide 8 text
TFDVSJUZ
Slide 9
Slide 9 text
6/*9
-JOVY
Slide 10
Slide 10 text
ίϯςφͱ
w༷ʑͳ6/*9γεςϜʹ͓͍ͯɺ༷ʑͳίϯςφ࣮͕͋Δ
w'SFF#4%ܥͷKBJMɺ4PMBSJT$POUBJOFSɺ
w-JOVYʹ͓͍ͯɺ-9$ɺ%PDLFSɺTZTUFNEOTQBXOͳͲ
w-JOVYͷίϯςφجຊతʹʮಛघͳϓϩηεʯͱ࣮ͯ͠
Slide 11
Slide 11 text
ϓϩηεͬͯʁ
Slide 12
Slide 12 text
ϓϩηεͷ࡞Γํ
ϓϩηε
ࢠϓϩηε
৽͍͠
ϓϩάϥϜ
GPSL
FYFDWF
XBJU
Slide 13
Slide 13 text
ϓϩηεͷ࡞Γํ
ϓϩηε
ࢠϓϩηε
৽͍͠
ϓϩάϥϜ
ϓϩηεΛ
ʮෳʯ͢Δ
ݹ͍ϓϩηεΛࣺͯɺ
৽͍͠ϓϩάϥϜʹʮมʯ͢Δ
͕ࢠڙͷ
ऴྃΛࢹ
Slide 14
Slide 14 text
ϓϩηεͷଐੑ
wͱ͜ΖͰɺϓϩηεʹ༷ʑͳଐੑ͕͋Δ
wQSPDͷԼ͔Β֬ೝͰ͖Δ
wDXE
SPPU
OTGT
QQJE
QJE
DBQBCJMJUZ
DHSPVQ
Slide 15
Slide 15 text
ྫQSPD1*%TUBUVT
1*%ɺͷ1*%
࣮ߦϢʔβɺάϧʔϓ
ϓϩηεάϧʔϓͳͲͷ*%
ϝϞϦͷར༻ঢ়گ
γάφϧͷઃఆʢϚεΫͳͲʣ
$BQBCJMJUZ4FU
Slide 16
Slide 16 text
GPSL
ͱFYFD
ͷؒ
ϓϩηε
ࢠϓϩηε
৽͍͠
ϓϩάϥϜ
GPSL
FYFDWF
XBJU
GPSL
ͱFYFDͷ࣮ߦͷؒʹɺ
ϓϩηεͷଐੑΛมߋ͢Δ͜ͱ͕Ͱ͖Δ
Slide 17
Slide 17 text
GPSL
ͱFYFD
ͷؒ
wGPSL
͢ΔͱɺϓϩάϥϜͱͯ͠GPSL
ݩͷίϐʔͱͳΔ͕ɺͦͷ
࣌Ͱಠཱͨ͠ଐੑΛ࣋ͭ
wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ
ݺΔ
wͦͷଐੑͷ͏ͪଟ͘FYFD
ͯ͠৽͍͠ͷΛܧঝ͢ΔͷͰɺͦͷ
৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠
ѻ͑Δ
Slide 18
Slide 18 text
GPSL
ͱFYFD
ͷؒ
wGPSL
͢ΔͱɺϓϩάϥϜͱͯ͠GPSL
ݩͷίϐʔͱͳΔ͕ɺͦͷ
࣌Ͱಠཱͨ͠ଐੑΛ࣋ͭ
wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ
ݺΔ
wͦͷଐੑͷ͏ͪଟ͘FYFD
ͯ͠৽͍͠ͷΛܧঝ͢ΔͷͰɺͦͷ
৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠
ѻ͑Δ
VOTIBSF
DISPPU
QSDUM
ࠓɺ͜Ε͔Βઆ໌͢Δ֤߲Ͱ͢
Slide 19
Slide 19 text
ຊൃදͰͷ͍ํ
wޙड़͢ΔΑ͏ͳγεςϜίʔϧΛ༻͍ͯɺԿ͔͠Βͷ04Ϧιʔεͷ
ִɺػೳ੍ݶɺ·ͨݖݶΛߦͬͨϓϩηεΛɺ
ʮίϯςφʢ·ͨίϯςφతϓϩηεʣʯͱݺͼ·͢ɻ
Slide 20
Slide 20 text
ίϯςφͷத
Slide 21
Slide 21 text
%PDLFS.PCZMJCDPOUBJOFS
w%PDLFSͷίϯςφϓϩηε࡞ͷίΞ࣮ʮ3VO$ʯͱ͍͏໊લͰ
ಠཱ͍ͯ͠ΔɻͦͷதͰ͍ͬͯΔͷ͕MJCDPOUBJOFS
wMJCDPOUBJOFSࣗମଞͷ
(Pݴޠͷ࣮͔Βར༻Մೳ
wίϯςφपΓͷ༷ʑͳ
ੜͷΦϓγϣϯΛࢦఆ
IUUQTNFEJVNDPN!UJ⒎BOZGBZKEPDLFSFUQMVTFOHJOFJTOPXCVJMUPOSVODBOEDPOUBJOFSEBEEFFG
Slide 22
Slide 22 text
-9$
w-JOVYίϯςφͷϦϑΝϨϯεత࣮
wதɺ$ݴޠ
γεςϜίʔϧΛඇৗʹ
ૉʹར༻
wίϯςφܥγεςϜίʔϧͷݺͼํͷษڧʹͳΔ
Slide 23
Slide 23 text
)BDPOJXB
w!VE[VSBͱ͍͏ਓ͕NSVCZͰ࡞ͬͨίϯςφ࣮
wγεςϜίʔϧͱͷΞΫηεΛ$CJOEJOHͰɺϓϩηε࡞%4-ධ
ՁͳͲͷॲཧΛNSVCZͰॻ͍͍ͯΔ
w෭࢈ͱͯ͠ίϯςφܥγεςϜίʔϧʹ؆୯ʹΞΫηεͰ͖Δ
NSVCZJSCόΠφϦ͕ೖΔʢύοέʔδΠϯετʔϧͷ߹ʣ
Slide 24
Slide 24 text
ͦͷଞͷ࣮
w1FSMͷ࣮KBJMJOH
BRS
wIUUQTHJUIVCDPNLB[VIPKBJMJOH
wIUUQTHJUIVCDPNIBZBKPBRS
w3VTUʹWBHHBͱ͍͏ͷ͕͋ΔΒ͍͠
wIUUQTHJUIVCDPNUBJMIPPLWBHHB
Slide 25
Slide 25 text
ίϯςφͷ
ػೳͱ
ηΩϡϦςΟ
Slide 26
Slide 26 text
ࠓ͢͜ͱ
wDISPPUQJWPU@SPPU
w-JOVYOBNFTQBDF
w$(SPVQ
w,FSOFM$BQBCJMJUZ
wTFDDPNQ
w."$BQQBSNPS
Slide 27
Slide 27 text
ࠓ͢͜ͱ
wDISPPUQJWPU@SPPU
w-JOVYOBNFTQBDF
w$(SPVQ
w,FSOFM$BQBCJMJUZ
wTFDDPNQ
w."$BQQBSNPS
04Ϧιʔεͷ
ݖݶɾػೳͷ੍ݶ
ΞΫηείϯτϩʔϧ
04Ϧιʔεͷར༻੍ݶ
Slide 28
Slide 28 text
DISPPU
Slide 29
Slide 29 text
DISPPU
ίϚϯυ
wDISPPU
γεςϜίʔϧͷϥούʔ
wͬͱ୯७ͳʮίϯςφʯ
wผͷͱ͜Ζʹ࡞ͬͨ04ͷSPPUϑΝΠϧγεςϜͷதʹʮೖΓʯɺ
ϓϩηεͱผͷڥΛ࡞Δ
wDISPPUޙͷڥ͔ΒɺผͷSPPUɺͷϑΝΠϧγεςϜɺ
ݪଇͱͯ͠ݟ͑ͳ͍
Slide 30
Slide 30 text
୯७ͳ͚ͩʹ͕݀͋Δ
wDISPPU
ͨ͠ڥ෦ͰɺDISPPU
Մೳͩͱ؆୯ʹൈ͚ΒΕΔ
# mkdir .tmp
# mount --bind . .tmp
# mount devtmpfs -t devtmpfs .tmp/dev
# perl -e 'chroot ".tmp";
chdir "..";chdir "..";chdir "..";
chdir "..";chdir "..";chdir "..";
chroot ".";exec "/bin/sh"'
# ls /vagrant
...... (ͷσΟϨΫτϦ͕ݟ͑Δʂ)
Slide 31
Slide 31 text
VODISPPUΛ͙ʹ
wDISPPUͰ͖ͳ͘͢Δͱ͍͏ํ๏͕Ұൠత
wݖݶΛམͱ͢DBQBCJMJUZ
wγεςϜίʔϧ୯ҐͰݺͳ͘͢ΔTFDDPNQ
wͦͷଞɺ6TFSOBNFTQBDFΛ͚ͯ͠·࣮࣭͑ࠈෆՄ
w͍ͣΕʹͤΑɺ΄͔ͷίϯςφػೳͱΈ߹Θͤͯ҆શੑΛ֬อ͢Δ
Slide 32
Slide 32 text
DGQJWPU@SPPU
wSPPUϑΝΠϧγεςϜΛʮೖΕସ͑ΔʯɻDISPPUΑΓڧྗ
w04ͷϒʔτϓϩηεɺOFUCPPUͷࡍʹ͍ͬͯΔ
wDISPPUΑΓ੍ݶ͕͋Δ
wlOFX@SPPUͱQVU@PMEݱࡏͷSPPUͱಉ͡ϑΝΠϧγεςϜʹ͋ͬͯͳ
Βͳ͍zͳͲ
wDISPPU΄Ͳखܰʹ͑ͳ͍͕ɺҰํࠈͷͳ͘ͳΔ
IUUQTMJOVYKNPTEOKQIUNM-%1@NBOQBHFTNBOQJWPU@SPPUIUNM
Slide 33
Slide 33 text
-JOVY
OBNFTQBDF
Slide 34
Slide 34 text
-JOVYOBNFTQBDF͕ͳ͍ͱ
wDISPPU͢ΔͱϑΝΠϧγεςϜ͕͞ΕΔɻ
wͱ͍͏͜ͱͰɺ/procΛվΊͯϚϯτ͢Δඞཁ͕͋Δɻ
wϚϯτ͢Δͱ
ݟ͍͚͑ͯͳ͍ͷ͕
ݟ͑ΔΑ͏ͳ
Slide 35
Slide 35 text
04ͷϦιʔεଞʹʮͰ͖Δʯ
wϓϩηεΛ͠ͳ͍ͱɺίϯςφͷத͔Β֎ͷϓϩηεΛ͍͡ΕΔ
wϗετ໊Λ͠ͳ͍ͱɺίϯςφͰผ్ϗετ໊ΛઃఆͰ͖ͳ͍
wͦͷଞʹɺͰ͖Δͷ
wϚϯτϙΠϯτͷใ
w*1$ϦιʔεTINHFU
ͱ͔NR@PQFO
తͳͷ
wωοτϫʔΫɺϢʔβ*%ɺ$(SPVQ
Slide 36
Slide 36 text
Πϝʔδ
wάϩʔόϧOBNFTQBDFͷ
தʹɺ͍͔ͭ͘
OBNFTQBDFΛ࡞ΕΔ
IUUQTTQFBLFSEFDLDPNVE[VSBDSFBUJOHDPOUBJOFSTXJUIHPMBOH
Slide 37
Slide 37 text
Ұ෦͚ͩͷҠಈՄೳ
wྫip nets exec
wOFUXPSLOBNFTQBDFʢʴЋʣ
͚ͩΛ͢Δ
ίϯςφͱݴ͑Δ
wҰൠతʹɺηοτͰ͢Δํ͕ศརͰ͋Δ
$ sudo ip netns add test001
$ sudo ip netns exec test001 /bin/bash
root@test-1:/home/ubuntu# ip a
1: lo: mtu 65536 qdisc noop
state DOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
Slide 38
Slide 38 text
ͱ͍͏͜ͱͰɺ1*%Λ͢Δ
w࣮ͷํ
w1*%/proc͔Βݟ͑Δͷ
wͳͷͰผͷ/procΛ҆શʹϚϯτͰ͖ΔΑ͏ɺ
.PVOUOBNFTQBDFҰॹʹ͢Δ
wGPSLͷΘΓʹDMPOF
γεςϜίʔϧΛݺͼɺ࠷ޙʹFYFD
͢Δ
݅Λࡉ͔͘ࢦఆͰ͖Δ
GPSL
ͱߟ͍͑ͯͩ͘͞
Slide 39
Slide 39 text
1FSMΛษڧͯ͠ॻ͍ͯΈ·ͨ͠
#!/usr/bin/env perl
use strict;
use POSIX;
use Linux::Clone;
my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
my $pid = Linux::Clone::clone sub {
system "mount --make-rslave /";
chroot "/var/lib/rootfs/yapc"; chdir "/";
exec "/bin/sh"; 127 }, 0, $flg;
print "PID=", $pid, "\n";
waitpid $pid, 0 if($pid);
print "Container exited\n";
Slide 40
Slide 40 text
ಈ࡞֬ೝ
w͜ͷล·ͰɺͲΜͳίϯςφͰಉ͡Α͏ʹ࣮͍ͯ͠Δ
Slide 41
Slide 41 text
ٳܜ
Slide 42
Slide 42 text
<13>
Slide 43
Slide 43 text
(.0ϖύϘԬࢧࣾ
ΤϯδχΞΛืू͍ͯ͠·͢
࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU
Slide 44
Slide 44 text
ࣄͰɺίϯςφΛ
ΨοπϦ͍͍ͨʂ
͋Δ͍։ൃ͍ͨ͠ํ
Λֻ͓͚͍ͩ͘͞
Slide 45
Slide 45 text
SFTVNF
Slide 46
Slide 46 text
DHSPVQ
Slide 47
Slide 47 text
$POUSPM(SPVQ DHSPVQ
w-JOVYʹɺϓϩηεΛάϧʔϐϯάͯ͠ɺͦͷάϧʔϓ͝ͱʹ
ϋʔυΣΞϦιʔε04ϦιʔεͳͲͷར༻ঢ়گΛ֬ೝͨ͠Γɺ
͋Δ੍͍ޚΛ͢Δػೳ͕͋ΔɻͦΕ͕DHSPVQ
wMJCDHSPVQͷΑ͏ͳϥΠϒϥϦɺDHSPVQGT͔ΒΞΫηεՄೳ
w·ͨɺTZTUFNE͕෦Ͱར༻͢ΔʢϓϩηεͷάϧʔϐϯάɺϦιʔ
ε੍ݶͳͲʣ
wDGTZTUFNEOTQBXO
TZTUFNEʹಉࠝͷίϯςφ
Slide 48
Slide 48 text
DHSPVQTVCTZTUFN
w੍ޚͰ͖Δର͝ͱʹαϒγεςϜ͕͋Δ
wαϒγεςϜͨ͘͞Μ͋Δ
wDQV
wNFNPSZ
wCMLJP
OFU@DMT
GSFF[FS
wͦͷதͰQJETαϒγεςϜΛհ
Slide 49
Slide 49 text
ίϯςφͰͷGPSLCPNC߈ܸ
wવͰ͋Δ͕ɺ؋04શମͰͷϓϩηεͷ࠷େ༗ݶͰ͋Δ
w͕ͨͬͯ͠ɺίϯςφڥͷத͔ΒେͳϓϩηεΛ࡞͢Δͱɺ
݁Ռతʹ؋04ͷϓϩηεͷ্ݶʹୡ͢Δ͜ͱى͜Γ͏Δ
w౷తʹɺSMJNJUͰϓϩηεπϦʔ͝ͱͷϓϩηεΛ੍ݶ
wίϯςφͷ߹BUUBDIͳͲʹΑΓɺίϯςφͷશͯͷϓϩηε͕ɺ
ಉ͡ϓϩηεπϦʔʹॴଐ͍ͯ͠ͳ͍߹͋Γ͏Δ
Slide 50
Slide 50 text
QJETTVCTZTUFN
w-JOVYҎ߱Ͱಋೖ͞ΕͨαϒγεςϜ
wҎԼͷΛར༻Ͱ͖Δ
wQJETDVSSFOUάϧʔϓͷݱࡏͷϓϩηε
wQJETNBYͦͷάϧʔϓͰڐՄ͢Δ࠷େϓϩηε
SPPUάϧʔϓͰར༻Ͱ͖ͳ͍ͷͰҙ
ࢀߟʮ-9$ͰֶͿίϯςφೖʯ
IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST
Slide 51
Slide 51 text
͖ͬ͞ͷ1FSMίϯςφʹύον
--- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
+++ bomber.pl 2017-06-20 12:55:41.572399620 +0900
@@ -2,11 +2,19 @@
use strict;
use POSIX;
use Linux::Clone;
+system "mkdir -p /sys/fs/cgroup/pids/yapc-fukuoka";
my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
my $pid = Linux::Clone::clone sub {
system "mount --make-rslave /";
chroot "/var/lib/haconiwa/rootfs/php"; chdir "/";
- exec "/bin/sh"; 127 }, 0, $flg;
+ exec "/bin/bash"; 127 }, 0, $flg;
+open TASKS, ">> /sys/fs/cgroup/pids/yapc-fukuoka/tasks";
+print TASKS "$pid";
+close TASKS;
+open MAX, ">> /sys/fs/cgroup/pids/yapc-fukuoka/pids.max";
+print MAX "32";
+close MAX;
+
print "PID=", $pid, "\n";
waitpid $pid, 0 if($pid);
QJETDHSPVQΛՃ
ίϯςφͷQJEΛॴଐͤ͞ɺ
NBYΛ੍ݶ
Slide 52
Slide 52 text
GPSLCPNCΛ͛Δ͜ͱ͕Θ͔Δ
wQJETNBY੍ݶͳͩ͠ͱ؋͝ͱ͠·͢
Slide 53
Slide 53 text
,FSOFM
$BQBCJMJUZ
Slide 54
Slide 54 text
-JOVY,FSOFM$BQBCJMJUZ
w-JOVYͰɺSPPU͕͍࣋ͬͯΔ༷ʑͳݖݶΛɺࡉׂ͔ͯ͘͠ɺ
Ұ෦͚ͩ༩ɺ·ͨҰ෦੍͚ͩݶ͢Δ͜ͱ͕Ͱ͖Δ
w͜ΕΒͷݖݶͷू߹ΛέʔύϏϦςΟηοτɺҰͭҰͭΛέʔύϏϦ
ςΟͱݺͿɻ
wྫ͑ɺ࣌ؒΛઃఆ͢Δݖݶ CAP_SYS_TIME
ɺLJMMΛͲΜͳϓϩηε
ʹૹΔݖݶ CAP_KILL
ɺ࠶ىಈ͢Δݖݶ CAP_SYS_BOOT
Slide 55
Slide 55 text
6CVOUV9FOJBM -JOVY
Ͱ
wdͷͷ
έʔύϏϦςΟ
Slide 56
Slide 56 text
έʔύϏϦςΟͷܧঝϧʔϧ
wϓϩηεϑΝΠϧͷͭͷηοτ 1FSNJUUFE*OIFSJUBCMF&⒎FDUJWF
ɺ
όϯσΟϯάηοτɺΞϯϏΤϯτηοτ -JOVYҎ߱
Ͱܾ·Δ
wৄࡉNBODBQBCJMJUJFT
wྫTFUVTFSJESPPUͰɺଞ͕
σϑΥϧτͷ߹ɺ
όϯσΟϯάηοτͰམͱͯ͠
FYFDWF
͢Δͱ৽͍͠ϓϩάϥϜ
Ͱͦͷݖݶ͕མ͍ͪͯΔ
Slide 57
Slide 57 text
ྫҰൠϢʔβͰ൪ΛϦεϯ͍ͨ͠
wҰൠతʹɺ൪ҎԼͷϙʔτҰൠϢʔβ͑ͳ͍
w͜͏͍͏(Pͷ)5514FSWFSΛ࡞ͬͨΒɺҰൠϢʔβىಈͰ͖ͳ͍
Slide 58
Slide 58 text
TFUDBQ
ͰpMFDBQBCJMJUJFTΛ༩͢Δ
w൪ҎԼΛϦεϯ͢Δݖݶʹ CAP_NET_BIND_SERVICE
ubuntu@compute-1:~$ sudo setcap cap_net_bind_service+ep ./listen80
ubuntu@compute-1:~$ ./listen80 &
[1] 5915
ubuntu@compute-1:~$ curl localhost
Hello, World
ubuntu@compute-1:~$ sudo getcap ./listen80
./listen80 = cap_net_bind_service+ep
VCVOUVϢʔβͰ
αʔόΛىಈͰ͖Δ
Slide 59
Slide 59 text
ྫ੍ݶ͖ͷίϯςφSPPU
wίϯςφ෦ͰɺSPPUΛ͢ͱศརͳ͜ͱଟ͍
wͱݴ͑ͳΜͰͤͨ͘͞ͳ͍ɻͰ͖Δ͜ͱ͚ͩ
wCAP_SYS_TIMEͱCAP_SYS_CHROOTݖݶΛୣͬͯΈΔ
Slide 60
Slide 60 text
࠷ॳͷ1FSMίϯςφʹύον
--- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
+++ dropcap.pl 2017-06-20 14:38:31.335190235 +0900
@@ -2,10 +2,14 @@
use strict;
use POSIX;
use Linux::Clone;
+use Linux::Prctl;
+
my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | ...;
my $pid = Linux::Clone::clone sub {
system "mount --make-rslave /";
chroot "/var/lib/haconiwa/rootfs/php"; chdir "/";
+ $Linux::Prctl::capbset{"sys_time"} = 0;
+ $Linux::Prctl::capbset{"sys_chroot"} = 0;
exec "/bin/sh"; 127 }, 0, $flg;
print "PID=", $pid, "\n";
waitpid $pid, 0 if($pid); CPVOEJOHTFU͔Βআ
Slide 61
Slide 61 text
EBUFͰͷηοτ͕Ͱ͖ͳ͘ͳΔ
w0QFSBUJPOOPUQFSNJUUFEѻ͍ʹͳΔ
root@compute-1:~# perl dropcap.pl
PID=5962
# date
Tue Jun 20 06:34:50 UTC 2017
# date -s 00:00:00
date: cannot set date: Operation not permitted
Tue Jun 20 00:00:00 UTC 2017
# date
Tue Jun 20 06:34:59 UTC 2017
Slide 62
Slide 62 text
DISPPUͰίϯςφΛൈ͚ΒΕͳ͘ͳΔʂ
Slide 63
Slide 63 text
%PDLFS.PCZͰ
wEPDLFSNPCZSVOͷΦϓγϣϯɺDBQBEE
DBQESPQ
ΦϓγϣϯͰίϯτϩʔϧՄೳ
wσϑΥϧτͷ$BQBCJMJUZιʔεʹϋʔυίʔυ͞Ε͍ͯΔ
wIUUQTHJUIVCDPNNPCZNPCZCMPCNBTUFSPDJ
EFGBVMUTHP--
Slide 64
Slide 64 text
ͱ͜ΖͰօ͞Μ
Slide 65
Slide 65 text
QSJWJMFHFEΛ҆қʹ͍ͬͯ·ͤΜ͔ʁ
wจࣈͲ͓Γɺਫ਼ࠪͤͣʹɺͯ͢ͷ$BQBCJMJUZΛ༩͢ΔΦϓγϣϯ
wͦͷଞͷɺTFDDPNQBQQBSNPSͳͲͷઃఆʹΑΓɺίϯςφͷ
ݖݶߜΓࠐ·ΕΔɻͱ͍͑
wྫ͑ɺΧʔωϧʹΑͬͯTFDDPNQ͕༗ޮͰͳ͍͜ͱ͋Δ
w TFDDPNQ
BQQBSNPSΛແޮʹ͢ΔΦϓγϣϯ͋Δ
w ҆શੑ͕ઈର֬อͰ͖ΔΑ͏ͳ໘ $*Ͱར༻ΠϝʔδΛݶఆ͢Δ
Ͱ·ͨผ͕ͩ
w࠷খݖݶͷݪଇʹै͍ɺਫ਼ࠪͯ͠DBQBEEͰ໌ࣔతՃ͢Δ͖
Slide 66
Slide 66 text
ٳܜ
Slide 67
Slide 67 text
͓ർΕͰ͠ΐ͏ͷͰ
Ԭͷඒຯ͍͠ͷͷը૾Λ
ோΊ·͠ΐ͏
Slide 68
Slide 68 text
No content
Slide 69
Slide 69 text
No content
Slide 70
Slide 70 text
No content
Slide 71
Slide 71 text
SFTUPSF
Slide 72
Slide 72 text
TFDDPNQ
Slide 73
Slide 73 text
TFDDPNQ TFDDPNQCQG
w-JOVYͰɺαϯυϘοΫεΛ࣮ݱ͢ΔͨΊʹɺ
ϓϩηεͷγεςϜίʔϧݺͼग़͠ΛϑΟϧλϦϯά͠ɺ
੍ݶɾτϥοϓɾτϥοΩϯάͳͲΛ࣮ݱ͢Δػೳ
wࠓճɺ-JOVYҎ߱ͷTFDDNPQNPEFͷ
w#FSLFMFZ1BDLFU'JMUFS #1'
Λ༻͍ͯߴʹݺͼग़͠ΛϑΟϧλϦ
ϯά͢Δ
Slide 74
Slide 74 text
Կ͕Ͱ͖Δ͔
wಛఆͷγεςϜίʔϧͷڐՄ
wಛఆͷγεςϜίʔϧͷېࢭ 4*(4:4ͷૹ
wಛఆͷγεςϜίʔϧͷݺͼग़͠ΛҙͷFSSOPͰฦ͢
wಛఆͷγεςϜίʔϧΛɺQUSBDF
ͰτϥοΫՄೳʹ͢Δ
w࠷ॳʹσϑΥϧτͷڍಈΛࢦఆ͠ɺݸผͷγεςϜίʔϧͷ߹Λఆ
ٛ͢Δ
Slide 75
Slide 75 text
͔͜͜ΒNSVCZ͕ग़ͯ͘Δ
w1FSMྗ͕͘ɺ͍͢·ͤΜ ҰԠϞδϡʔϧ͋ΔΑ͏Ͱ͕͢ɻ
wIBDPOJXBNSVCZTFDDPNQ
Slide 76
Slide 76 text
NSVCZTDSJQU
#!/usr/bin/env hacorb
context = Seccomp.new(default: :allow) do |rule|
rule.kill :mkdir
rule.kill :fchownat
end
pid = Process.fork do
context.load
puts "==== It will be jailed. Please try to mkdir/chown"
exec "/bin/sh"
end
p(Process.waitpid2 pid)
Slide 77
Slide 77 text
࣮ߦ͢ΔͱɺαϯυϘοΫε্ཱ͕͕ͪΔ
w·͝͏ࣄͳ͖SPPUͰ͋Δ͕ɺϑΝΠϧͷॴ༗ऀΛม͑ͨΓɺ
σΟϨΫτϦΛ࡞Εͳ͍ɻ͜ΕҰछͷʮίϯςφʯ
wʢIBDPOJXBQBDLBHFʹಉࠝ͞ΕΔIBDPSCόΠφϦΛ͏ʣ
4:(4:4ͷΤϥʔϝοηʔδ
Slide 78
Slide 78 text
ৄࡉϒϩάʹॻ͖·ͨ͠ʜ
wNSCHFNͷ֓ཁʮTFDDPNQΛNSVCZͰࢼ͢ʯ
wIUUQVE[VSBIBUFOBCMPHKQFOUSZ
wTFDDPNQʹΑΔγεςϜίʔϧτϥοΩϯά
ʮNSVCZͱTFDDPNQͱQUSBDFͰγεςϜίʔϧΛͱʹ͔͍͔͚͘Δʯ
wIUUQVE[VSBIBUFOBCMPHKQFOUSZ
ಛఆͷγεςϜίʔϧݺͼग़͠ΛϩΪϯά͢Δ
γΣϧͷྫͪ͜Βͷهࣄ͔Β
Slide 79
Slide 79 text
%PDLFSͷதͰʁ
wݺͼग़ͤΔγεςϜίʔϧͷʮϗϫΠτϦετʯ͕ଘࡏ͢Δ
wυΩϡϝϯτʹ͋Δ௨Γɻ
wΦϓγϣϯͰҙͷϑΟϧλʔΛద༻Ͱ͖Δͦ͏
4FDDPNQTFDVSJUZQSPpMFTGPS%PDLFS
IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDDPNQ
Slide 80
Slide 80 text
."$
"QQ"SNPS
Slide 81
Slide 81 text
ίϯςφػೳઆ໌ͱͯ͠ɺ
͜ΕͰ࠷ޙͳΜͰ
ؤு͓ͬͯฉ͖͍ͩ͘͞
Slide 82
Slide 82 text
༤େͳେͷࣗવΛݟͯٳܜ
CZ!NBUTVNPUPSZ͞Μ
Slide 83
Slide 83 text
."$ͱ
w͜͜Ͱ.BOEBUPSZ"DDFTT$POUSPMڧ੍ΞΫηε੍ޚͷ͜ͱ
wҰൠతͳɺϑΝΠϧΦφʔ͝ͱʹΞΫηε͢ΔݖݶΛߜΔํࣜɺ
ҙΞΫηε੍ޚ %JTDSFUJPOBSZ"DDFTT$POUSPM
ͱݺΕΔɻ
wࣄނͳͲʹΑΓݖݶΛඞཁҎ্ʹΏΔ͘Ͱ͖ͯ͠·͏
ʢσΟϨΫτϦΛύʔϛογϣϯͰެ։Ͱ͖Δʣ͜ͱ͕͋Δ
Slide 84
Slide 84 text
."$ͱ
w%"$ͷݖݶݕࠪΛͨ͠ޙͰɺཧऀͷઃఆͨ͠."$ͷϙϦγʔ͕ద
༻͞ΕɺϦιʔεͷΞΫηε͕ڧ੍ίϯτϩʔϧ͞ΕΔ
wʮࣗͷݖݶͰ͋ͬͯɺࣗͰίϯτϩʔϧͰ͖ͳ͍ʯ͜ͱ
wྫ͑ࣗͰ࡞ͬͨϑΝΠϧʹɺࣗͰΞΫηεͰ͖ͳ͘ͳΔɺͱ͍
͏ઃఆՄೳͰ͋Δ
w·ͨɺ%"$ΑΓࡉ͔͍ΞΫηε੍ޚՄೳʹ
Slide 85
Slide 85 text
"QQ"SNPSͱ
w."$Λ࣮ݱ͢ΔϛυϧΣΞͷҰͭ
wϓϩάϥϜͷύε୯Ґϓϩηε୯ҐͰϓϩϑΝΠϧͷద༻͕Ͱ͖Δ
ͷ͕ಛ
w6CVOUVͷ$BOPOJDBMࣾʹΑΓ։ൃ͕͞Ε͍ͯΔ
wFOGPSDFNPEFͱDPNQMBJONPEFʢهͷΈʣ͕͋Δ
Slide 86
Slide 86 text
%PDLFSͰͷར༻
wίϯςφσϑΥϧτɺEPDLFSEFGBVMUͱ͍͏ϓϩϑΝΠϧ͕ͨΔ
ίϯςφΛͭ࡞ͬͨͷͰɺ
ͭͷϓϩηεʹద༻͞Ε͍ͯΔ
-9$ͬͯ·͢Ͷ
Slide 87
Slide 87 text
ϓϩϑΝΠϧͷྫ
IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZBQQBSNPSOHJOYFYBNQMFQSPpMF
wಠࣗͷݴޠΛ༻͍ͯهड़͢Δ
Slide 88
Slide 88 text
ΧελϜϓϩϑΝΠϧΛͯΔʹ
wdeny /usr/bin/top mrwklxͱ͍͏ϧʔϧΛՃ͑ͨϓϩϑΝΠϧ
Λ࡞ɺొ͢Δ
wEPDLFSSVOίϚϯυͰ--security-opt apparmor=exampleͷ
Α͏ʹࢦఆͯ͠ىಈ
wͦͷίϯςφͰɺUPQίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ
wBVEJUͷΈɺͳͲՄೳ
ৄࡉϒϩάͰ
ʮ"QQ"SNPSͱ%PDLFSͱͦͷଞίϯςφతϓϩηεʹ͍ͭͯʯ
IUUQVE[VSBIBUFOBCMPHKQFOUSZ
Slide 89
Slide 89 text
ΑΓৄࡉͳத
wMJCBQQBSNPSͱ͍͏ϥΠϒϥϦͰϓϩάϥϜ͔ΒΞΫηεͰ͖Δ
wݱࡏͷϓϩηεͷϓϩϑΝΠϧΛมߋ͢ΔBB@DIBOHF@QSPpMF
ͱ
FYFDWF
ͷλΠϛϯάͰมߋ͢ΔBB@DIBOHF@POFYFD
͕͋Δ
wʢ6CVOUVͷNBOͰηΫγϣϯ͕ͳͷͰʣ
wNSVCZͷCJOEJOH࡞ࡁʢ͔͠͠·ͩ)BDPOJXBʹΈࠐΜͰͳ͍ʣ
IUUQNBOQBHFTVCVOUVDPNNBOQBHFTYFOJBMNBOBB@DIBOHF@QSPpMFIUNM
Slide 90
Slide 90 text
͓ർΕ༷
Ͱͨ͠
Slide 91
Slide 91 text
·ͱΊ
Slide 92
Slide 92 text
ίϯςφ
ಛผͳϓϩηεʹա͗ͳ͍ɻ
ˠͦͷϓϩηεΛ҆શʹɺಠཱͨ͠ܗͰɺ
ޮతʹར༻༷͘͢ʑͳγεςϜίʔϧػೳ͕͋Δ
Slide 93
Slide 93 text
%PDLFSσϑΥϧτͰ
͍Ζ͍Ζ͍͍ײ͡ʹ͍ͯ͠Δ
ˠ͔͠͠ɺཧղ͕ෆेͩͱൈ͚ಓΛ࡞ͬͯ͠·͏͜ͱɻ
ɹQSJWJMFHFEΦϓγϣϯɺؒҧͬͨઃఆɺ
ɹΧʔωϧόʔδϣϯͰ͑ͳ͍ػೳͳͲ
Slide 94
Slide 94 text
ࢀߟεΠενʔζϞσϧ
ˠҰͭҰͭʹ͕ۭ͍͍݀ͯͨͱͯ͠ɺ
ɹͨ͘͞ΜॏͶΔ͜ͱͰɺશͯͷ݀Λൈ͚Δ͜ͱ
ɹඇৗʹ͘͠ͳΔ
*NBHF$$IUUQTQJYBCBZDPNQ
Slide 95
Slide 95 text
͔ͬ͠ΓͱதʹڵຯΛ࣋ͪ
ཧղͯ͠͏͜ͱͰ
ϋϚΓͲ͜ΖΛճආͰ͖Δ
ˠIBDPSC͕ศར͔͠Εͳ͍ɻ
ɹ1FSMͰɺίϯςφػೳͰ༡ΔΑʂ
Slide 96
Slide 96 text
ָ҆͘͠શʹ
ίϯςφΛ͓͏ʂ
Slide 97
Slide 97 text
ࢀߟࢿྉͷօ͞Μ
wVE[VSBͷϒϩάʢTFDDPNQBQQBSNPSIBDPOJXBଞʣ
wMYDKQ!5FO'PSXBSE͞Μͷࢿྉ
w IUUQTTQFBLFSEFDLDPNUFOGPSXBSE
wաڈͷ:"1$ :"1B$
ൃදͳͲ
w 1FSMͰθϩ͔Β࡞Δίϯςφ
w ֶͭͬͯ͘Ϳ-JOVYίϯςφͷཪଆ
w%PDLFSTFDVSJUZ
w IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDVSJUZ
Slide 98
Slide 98 text
4QFDJBM5IBOLT
w!5FO'PSXBSE͞ΜʹຊεϥΠυͷϨϏϡʔΛ͓ئ͍͠·ͨ͠ɻ
͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ·ͨຊொͰҿΈ·͠ΐ͏ɻ