CRIU and Seccomp / criu-and-seccomp-and-me

14th Container Technology Information Exchange Meeting @ Online
https://ct-study.connpass.com/event/205571

KONDO Uchio

April 17, 2021

Transcript

  1. KONDO Uchio / GMO Pepabo, Inc.
    14th Container Technology Information Exchange Meeting @ Online, 2021/04/17
    The story of my fight with CRIU and seccomp
    It was all for blazing-fast startup
    Image credit: pixabay.com, by Antranias

  2. Senior Principal Engineer
    Uchio Kondo / @udzura
    https://blog.udzura.jp/
    Uchio Kondo
    Engineering Division, Technical Platform Team @ GMO Pepabo
    Engineer Cafe (Fukuoka City Red Brick Culture Hall) supporter
    #Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp
    #RubyKaigi #CloudNativeDays #Zumba #Shiren #FitBoxing2
    --- Favorite system call? unshare(2), of course.

  3. I'm a supporter
    Engineer Cafe, Fukuoka City Red Brick Culture Hall

  4. ToC
    • My CRIU wrapper, Miehistö
    • Realizing a technique for dumping an arbitrary application at an arbitrary point
    • The seccomp + SCMP_ACT_TRACE approach
    • The seccomp + SCMP_ACT_NOTIFY approach
    • And then on to legend...

  5. (Caveats)
    • Even though seccomp is the theme, about half of this is about how to use CRIU
    • because I never had a chance to present all of it together...
    • What is written here is mostly the content of this blog post
    • The core of the CRIU-related implementation was written in 2019, so the very latest versions may have changed.

  6. CRIU

  7. What is CRIU?
    • A userland tool for creating process checkpoints and restores on Linux (Checkpoint-Restore In Userspace)
    • Since containers are processes, it has come to be used mainly to implement container checkpoint/restore
    https://criu.org/Main_Page

  8. Specifically
    • These are the intended use cases, apparently (https://criu.org/Usage_scenarios):
    • Live migration of containers
    • Speeding up applications that are slow to start
    • Suspend/resume of desktop environments
    • Kernel upgrades that (appear to be) zero-downtime
    • and so on...

  9. Recent CRIU
    • 3.13 (Sep 11, 2019) ... libcriu.a can now be built, by @udzura
    • 3.14 (π, Apr 29, 2020) ... clone3(2) and Time NS support, among others
    • 3.15 (Nov 04, 2020) ... MIPS support, cgroup v2 support, restore into a PID NS, ... and more
    • Still developing...
    The CRIU version used in this talk is [version number lost in extraction].

  10. CRIU is great!
    • Let's try it right away!...
    ❓❓
    With CRIU [version lost in extraction] this is OK, for now. However... (continued)

  11. So how do you use CRIU...?
    • CRIU is hard to "get working properly" in the first place
    • Besides memory, there is the handling of file descriptors, ttys, sockets, and so on...
    • It cannot be restored if the PID is already taken after restore
    • How am I supposed to manage these "image"-like things?

  12. Use the CRIU already built into something?
    • One option is to use the checkpoint/restore built into a container runtime, but the operations differ per runtime and I can't remember them all...
    • And the existing daemons aren't containers in the first place, and so on
    (ref: the deck "Miehistö: a recommended stack to integrate CRIU into existing systems" on speakerdeck.com/udzura)

  13. So I wrote one

  14. Miehistö (pronounced "mie-hi-su-te")
    • (formerly Grenadine)
    • Miehistö = "CREW" in Finnish

  15. What is Miehistö
    • A set of tool wrappers that make CRIU as easy as possible to apply to ordinary processes
    • miehistod: the central daemon that manages services and images
    • mhctl: the client
    • runmh: a kind of runtime that creates CRIU-friendly processes
    (read aloud: "miehisto-dee", "mu-control", "ran-mu")

  16. What runmh does
    • Creates a process running in an environment as close as possible to "a process started normally on a VM"
    • On top of that, performs a series of operations that remove the conditions that would obstruct CRIU dump/restore, putting the process in a CRIU-ready state

  17. Specifically...
    • First, the PID namespace must be separated so that PIDs start from 1
    • → isolate with clone(2), and mount the /proc filesystem ourselves
    • → therefore the mount namespace is isolated as well

  18. Separating the mount namespace/root
    • Since /proc is remounted, the mount NS is unshared as well
    • An independent root filesystem that is roughly the same as the host's is needed
    • How to build it:
    • bind mount / onto a temporary directory, and bind mount /dev etc. individually too
    • pivot_root into it (chroot won't do: the root recognized by that mount NS must actually be swapped)

  19. Other points
    • It won't work if the process refers to a tty or to files outside the root:
    • stderr/stdout are reopened onto files inside the root
    • (log files must be opened with O_WRONLY|O_APPEND)
    • The root of the process tree must be a session leader that called setsid(), so we call it

  20. Implementation sketch
    clone with the NEWNS and NEWPID flags
    bind mount the host root to another location
    setsid
    pivot_root
    point stdin at /dev/null and stdout/stderr at files inside the current root, opened with O_WRONLY|O_APPEND
    exec the target program
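The runmh launch sequence of slides 17 to 20, as an added C example (not Miehistö's own code): clone into fresh mount and PID namespaces, bind-mount the host root to a scratch directory, setsid, pivot_root, mount a new /proc, point fd 0 at /dev/null and fds 1 and 2 at append-only log files, then exec. It assumes CAP_SYS_ADMIN, an existing empty directory for `newroot`, and a writable `logdir` (host paths stay valid because the new root is a bind of the host root); `fd_is_criu_log` is the check a supervisor can run on a process's fds before asking CRIU to dump.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* CRIU wants stdout/stderr on plain files opened write-only and append; this checks one fd. */
int fd_is_criu_log(int fd) {
    int fl = fcntl(fd, F_GETFL);
    return fl >= 0 && (fl & O_ACCMODE) == O_WRONLY && (fl & O_APPEND) != 0;
}
struct launch { const char *newroot; const char *logdir; char **argv; };
/* Child side of clone(): already in fresh mount and PID namespaces (needs CAP_SYS_ADMIN). */
static int child(void *arg) {
    struct launch *l = arg;
    char path[4096];
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return 101; /* no propagation */
    /* host root (with /dev, /sys, ... via MS_REC) bind-mounted to a scratch directory */
    if (mount("/", l->newroot, NULL, MS_BIND | MS_REC, NULL) < 0) return 102;
    if (setsid() < 0) return 103;                         /* session leader = root of the tree */
    snprintf(path, sizeof path, "%s/.oldroot", l->newroot);
    mkdir(path, 0700);
    if (syscall(SYS_pivot_root, l->newroot, path) < 0) return 104; /* chroot is not enough */
    if (chdir("/") < 0 || umount2("/.oldroot", MNT_DETACH) < 0) return 105;
    if (mount("proc", "/proc", "proc", 0, NULL) < 0) return 106; /* /proc of the new PID ns */
    int in = open("/dev/null", O_RDONLY);
    snprintf(path, sizeof path, "%s/out.log", l->logdir);
    int out = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    snprintf(path, sizeof path, "%s/err.log", l->logdir);
    int err = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (in < 0 || out < 0 || err < 0) return 107;
    dup2(in, 0); dup2(out, 1); dup2(err, 2);              /* nothing left pointing at a tty */
    execv(l->argv[0], l->argv);
    return 108;
}
/* Parent: clone the child into new mount + PID namespaces and wait for it; returns its exit status. */
int run_criu_ready(const char *newroot, const char *logdir, char **argv) {
    static char stack[1 << 16];
    struct launch l = { newroot, logdir, argv };
    pid_t pid = clone(child, stack + sizeof stack, CLONE_NEWNS | CLONE_NEWPID | SIGCHLD, &l);
    if (pid < 0) return -1;
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```

A non-zero return of 101 to 108 tells the caller which preparation step failed before the target was ever exec'd.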

  21. With this, dumps Reliably Succeed™.
    • There may still be things I haven't accounted for.

  22. Dumps are stable now, but...
    • The question is what to do about restore
    • The straightforward way: run the CRIU command with the resulting image and the original process is restored, but...
    • I want the miehistod service to manage pre-restore and post-restore processes uniformly. So I want the restored process hanging under miehistod. How on earth do I do that?

  23. About restore
    • Given Miehistö's requirements, restored processes should also be managed by miehistod (runmh). So the restore must happen as a child of an arbitrary process... is that even possible?
    • When doing what the diagram on the right shows, runmh -> criu -> ruby, if criu disappears... it's no good
    (the process tree we are aiming for)

  24. Restore implementation in Miehistö
    • Call criu restore under miehistod
    • Use the --exec-cmd option so that, after the restore, the criu command itself execs into the runmh program
    • This builds a process tree with runmh as the parent and the restored command as the child
    • Also, information about bind mount handling must be passed to criu restore
    • The --external option

  25. Generate and run a criu command like this
    • Incidentally, CRIU has two modes of operation: client-server (via libcriu) and direct command invocation. In this case the process dump works fine via client-server, but the process restore only works via the command.

  26. --exec-cmd
    • With the criu command, after the process has been restored and spawned, the original criu command itself can exec into another program.
    • That lets you swap in "the program that directly waits on the restored process", which is convenient when building a supervisor-like program as in this case.
    • The tree miehistod -> runmh -> (restored process) is complete

  27. Diagram of swapping the parent
    (ref: the deck "My CRIU life in progress" on speakerdeck.com/udzura)

  28. External bind mounts
    • Information about bind mounts of directories external to the root is not detected automatically at dump/restore, so it must be specified explicitly.
    • At dump time → the external bind mount targets are fixed by convention, so that information is passed to the criu service as the equivalent of the --external option
    • At restore time → it is passed to the command in the following form:
    --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids
    https://criu.org/External_bind_mounts

  29. Now restore works too.

  30. CRIU topics not covered today
    • Options not used by Miehistö: --cgroup-root, --action-script, etc.
    • swrk mode
    Will I ever get a chance to talk about these?
    Every use case is niche, though
    Some of this was also covered in "Trying out CRIU in hosting" (#hostingcasual): the deck "My CRIU life in progress" on speakerdeck.com/udzura

  31. Stopping the application

  32. What I want(ed) to do
    • In a "start on first access" architecture, reduce the first-start overhead to the absolute minimum
    • FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/)
    • Familiar examples: Heroku, Cloud Run, and the like

  33. The technique of pre-dumping a process
    • I thought that if a memory dump of the container were made in advance and the container started from it, then even applications whose startup takes a long time, such as full-stack frameworks in scripting languages, could have their startup overhead reduced.
    • (Since I wanted to use this inside a hosting service, I also wanted a generic method that depends as little as possible on the nature of the app)

  34. cf. strace -c rails s
    • Startup of an app that is basically rails new plus one CRUD resource, with RAILS_ENV=production
    • Almost all open and stat: file operations
    • If all these opens could be skipped, it would be fast

  35. When to stop it?
    • I want to stop it at a point with as little state as possible
    • Even in a state with many established connections to backend DBs and lots of accepted client connections, CRIU could probably checkpoint it, but unnecessary trouble (and troubleshooting) seems likely.
    • I want to decide the stopping point somewhat mechanically
    • For example, how about stopping at the first listen(2)?

  36. seccomp (SCMP_ACT_TRACE)

  37. I want to hook listen(2) and do something
    • seccomp finally makes its appearance...
    • Besides simple allowlists/denylists, seccomp has an option to send a notification via ptrace(2) when a specified system call is invoked (SCMP_ACT_TRACE)
    • (Incidentally, this option can even change the system call number being invoked, and I believe it is used by gVisor and the like, right??)

  38. How to use SCMP_ACT_TRACE
    • fork
    • [parent] ptrace(PTRACE_ATTACH); ptrace(PTRACE_O_TRACESECCOMP)
    • [parent] ptrace(PTRACE_CONT)
    • [parent] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) (-1 so as to also follow further child processes and threads of the tracee)
    • [child] load a seccomp ctx with SCMP_ACT_TRACE
    • [parent] when the child invokes the system call in question, information about that process can be obtained from waitpid's return value, ptrace(PTRACE_GETEVENTMSG), ptrace(PTRACE_GETREGS), and so on

  39. This is fiddly, so I wrapped it in mruby
    • https://github.com/haconiwa/mruby-seccomp/blob/master/examples/tracing.rb

  40. seccomp + ptrace
    • SCMP_ACT_TRACE stops the traced process right before the system call is invoked, sends a notification to the tracer process, and lets it perform arbitrary processing depending on the content.
    • Therefore, if we hook right before a system call such as listen(2) and run a process dump with criu, we can mechanically obtain a dump of that process in its state just before listen(2)... right?
    • (The original idea here came from @matsumotory)

  41. Let's try it
    • Insert a simple wrapper, start with Miehistö, stop with seccomp
    • The dump does not succeed

  42. Conflicting ptrace options?
    • Tracing with seccomp attaches to the process with ptrace(PTRACE_ATTACH) and detects the stopped state
    • Meanwhile, criu internally attaches with ptrace(PTRACE_SEIZE) and stops the process explicitly with ptrace(PTRACE_INTERRUPT).
    • Stopping via different options might be what causes the problem
    • Even if I force a patch for this into criu...
    • In the end, since the seccomp ctx never leaves the process, the second listen() is treated as if no ptrace tracer is present and returns ENOSYS?

  43. The outlook seems a bit poor...
    • And while saying that, I got busy with other things, and it was swapped out.
    • Everything up to here was actually investigated in 2018.
    (ref: a blog entry on hb.matsumoto-r.jp)

  44. (Finally) seccomp notification

  45. A new option came to seccomp
    • SCMP_ACT_NOTIFY (seccomp notification)
    • Everyone should have completely understood what it is from the talks so far...
    The libseccomp version used in this talk is [version number lost in extraction].
    The kernel is [version lost in extraction]-generic, Ubuntu Groovy.

  46. What about seccomp notification?
    • When a specified system call is invoked, how to handle it can be delegated to another process.
    • Meanwhile, the original process is blocked
    • So, in the same way, it becomes possible to stop at "an arbitrary system call"...?

  47. Experiment
    • Implement a seccomp notif receiver like the one on the right

  48. Start via the wrapper
    • The wrapper is on the left
    • Start with this inserted
    • It properly stops before listen
    (Implemented an API, Rule notify, that opens a UNIX domain socket so the seccomp notify fd can be sent off over it)

  49. The stack of the stopped process at this point
    • It is stopped in a mysterious function called seccomp_do_user_notification
    • It is blocking inside an ordinary kernel function
    • It is not in a state stopped by a signal, ptrace, or the like

  50. Even if we dump and restore this...
    • The dump succeeds fine.
    • But after the restore, ENOSYS comes out.

  51. The dump works fine, but…
    • At the moment of restore, the new process ends up in a state where the seccomp context is not handled properly
    • In that state there seems to be no destination for the SCMP_ACT_NOTIFY notification, and the result was what the spec says for that case: "the system call fails with errno=ENOSYS". There is no way to resume listen(2) normally.

  52. So what do we do?

  53. So what do we do?
    • Think of a system call that "has no effect whether it succeeds or fails"
    • For example, pick one realtime signal and signal(s, SIG_IGN)
    • Sending that signal to yourself does nothing, but it creates a system call invocation identifiable by its signal number

  54. That marker system call is...
    • hooked in right before the call to libc's listen(3)
    • Using LD_PRELOAD, define a wrapper function.
    • This should effectively stop the program right before listen(2), and on restore processing can continue unaffected.

  55. Final experiment
    • Change the wrapper further, as on the left
    • Start → dump via the notification receiver
    (trap calls to kill(any, N), where N is SIGRTMAX; LD_PRELOAD is specified at exec time)
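The marker trick of slides 53 to 55 together with the receiver of slides 47 and 48, as an added C example (not the author's code): the application thread ignores SIGRTMAX, loads a filter that routes kill(2) to user-space notification, and emits the marker exactly as the LD_PRELOAD listen() wrapper does; the supervisor thread receives the notification, which is where runmh would run criu dump, and answers so the marker kill() returns 0. Assumptions: Linux 5.0+ headers, x86_64 (the filter does no architecture check), and a second thread standing in for the talk's separate receiver process and UNIX-socket fd hand-off.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <signal.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
static volatile int notif_fd = -2;   /* -2: filter not yet installed, -1: install failed, else listener fd */
/* Filter for the application thread: kill(2) is routed to user-space notification, all else allowed.
   (No architecture check: this assumes x86_64, where nr is meaningful without one.) */
static int install_notify_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_kill, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof f / sizeof f[0], f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}
/* "Application" thread: ignore the marker signal, load the filter, then emit the marker exactly as
   the LD_PRELOAD listen() wrapper does. The kill() blocks until the supervisor answers. */
static void *app_thread(void *out) {
    signal(SIGRTMAX, SIG_IGN);
    notif_fd = install_notify_filter();
    *(long *)out = notif_fd < 0 ? -1 : syscall(SYS_kill, getpid(), SIGRTMAX);
    return NULL;
}
/* Supervisor side (the seccomp notif receiver): waits for the trapped kill(2). At that moment the
   target is parked in the kernel and listen(2) has not been issued: the dump point. Then it lets
   the target continue. Returns the trapped signal number, or -1 on failure. */
long supervise_one_marker(void) {
    pthread_t t; long app_ret = 1;
    if (pthread_create(&t, NULL, app_thread, &app_ret) != 0) return -1;
    while (notif_fd == -2) usleep(1000);
    if (notif_fd < 0) { pthread_join(t, NULL); return -1; }
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0};
    if (ioctl(notif_fd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) return -1;
    long sig = (long)req.data.args[1];               /* kill(pid, sig): the signal is args[1] */
    /* <-- here runmh would run `criu dump` against the blocked process */
    resp.id = req.id;                                /* val = 0, error = 0: "kill() succeeded", nothing run */
    if (ioctl(notif_fd, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0) return -1;
    pthread_join(t, NULL);
    return app_ret == 0 && req.data.nr == SYS_kill ? sig : -1;
}
```

Because the real kill() would have been ignored anyway, answering with val = 0 loses nothing, which is exactly the "no effect whether it succeeds or fails" property the marker needs after a restore.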

  56. This time, the dump restores the process successfully

  58. By the way...
    • Once you bring out LD_PRELOAD, anything goes, so.....
    • I thought, and tried changing the code as on the right (stopping the process itself with SIGSTOP).
    • Result → since it is containerized (PID unshared), the process itself is PID 1 and ignores SIGSTOP.
    • In the end, seccomp seems to be the only way to reliably stop the init process inside a container. Let me know if I've overlooked something.

  59. Things not yet considered
    • Multithreaded applications... how do they stop?
    • Then again, do they stop at the first call? Maybe?
    • When LD_PRELOAD can't be used for some reason
    • When libc isn't used at all (especially Go)
    • When syscalls are invoked directly ....

  60. A note
    • I'm aware that what I'm doing is absurd.
    • I'd be happy if you enjoy it as a fun Linux story
    • I'd love to hear of examples that do something similar more elegantly
    • For now, I took this opportunity to lay to rest a series of investigations I've worked on intermittently since the start of 2018.
    Thank you for listening

  61. References
    • My intermittent blog posts on seccomp and Miehistö
    • "Chasing system calls with mruby, seccomp and ptrace" (2017/04)
    • "Grenadine: letting 'ordinary applications' benefit from checkpoint/restore" (2019/03)
    • "Presented CRIU and Miehistö at WSA Study Group #7 #WSA研" (2020/11)
    • "On an approach to stopping a program at an arbitrary library call and creating a CRIU image for startup" (2020/12)
    https://udzura.hatenablog.jp/