Device access filtering in cgroup v2

Transcript

1. ͳΜͰ΋#1'Ͱ΍Δ࣌୅ͳΜͩͳΝ 6DIJP
   ,POEP
   
   (.0
   1FQBCP
   *OD DHSPVQ
   W
   ͷ
   σόΠεΞΫηεϑΟϧλ

2. γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ/σʔλج൫νʔϜ

   @ GMOϖύϘ ΤϯδχΞΧϑΣʢ෱Ԭࢢ੺ẂנจԽձؗʣ αϙʔλʔ Duolingo Diamond Leaguer 💎 * ޷͖ͳγεςϜίʔϧ: open_by_handle_at(2) * ޷͖ͳLinux Namespace: Time Namespace * ࠷ۙ͸ݴޠ࣮૷ʼOSࣗ࡞ʼBPFɺίϯςφɺͱ͍͏ײ͡...

3. ͜Ε·Ͱͷ͋Β͢͡ wF#1'ͱ͍͏ٕज़͕͋Δ
   w<F#1'
   DIJLVXBJU>
   ·ͨ͸
   <F#1'
   JENNJ>
   Ͱݕࡧ
   wͳΜ΍ΧʔωϧͰ҆શߴ଎ʹϑΟϧλ͢Δٕज़

4. F#1'ͷϓϩάϥϜλΠϓ wW
   
   w ଟ͗ͯ͢೺ѲͰ͖ͳ͍ͷͰ
   ୭͔෩དྷͷγϨϯʹྫ͑ͯ؆ܿʹڭ͑ͯཉ͍͠

5. BPF_PROG_TYPE_CGROUP_DEVICE

6. DHSPVQ
   W
   ͷσόΠεΞΫηε੍ݶ wEFWJDFT
   ͱ͍͏αϒγεςϜ͕͋ͬͨ
   wಛఆͷϑΥʔϚοτͰ
   EFWJDFTBMMPX΍EFWJDFTEFOZʹॻ͖ࠐΉ IUUQTXXXLFSOFMPSHEPD%PDVNFOUBUJPODHSPVQWEFWJDFTUYU
   

7. DHSPVQ
   W
   ͰͷσόΠεΞΫηε੍ݶ wJOUFSGBDF
   pMF
   ͕ͳ͘ͳΔʢʂʣ
   w#1'@$(3061@%&7*$&
   ͳϓϩάϥϜΛDHSPVQʹΞλον͢Δͱͷ͜ͱ
   wϓϩάϥϜͰΑΓࡉ੍͔͘ޚՄೳԿͳΒྫ͑͹ϩάΛ࢒ͨ͠Γ΋Ͱ͖Δ IUUQTXXXLFSOFMPSHEPD%PDVNFOUBUJPODHSPVQWUYUɹ

8. σϞϓϩάϥϜ

9. ϑΟϧλ͢ΔϓϩάϥϜʢ$Ͱॻ͘ʣ

10. ϑΟϧλ͢ΔϓϩάϥϜʢ$Ͱॻ͘ʣ ηΫγϣϯ໊ͷࢦఆ EFWVSBOEPN
    Ͱ͋Ε͹Λฦ͢ σϑΥϧτΛฦ͢

11. Ϗϧυ͢Δ ͖ͬ͞ͷ$ίʔυ͕͜͏͍͏
    #1'ϓϩάϥϜʹίϯύΠϧ͞Ε͍ͯΔ

12. Ξλον͢Δ w΄΅Χʔωϧಉࠝͷ αϯϓϧίʔυͦͷ ··Ͱ͕͢

13. None

14. ΧϨϯτϓϩηε͕
    UFTUCQG
    ʹॴଐ͍ͯ͠Δ
    WͳͷͰ
    
    ͷߦͷΈݟΔ EFWVSBOEPN
    ʹΞΫηεͰ͖ͳ͍
    ʢͪͳΈʹSPPUͰ΋Ͱ͖·ͤΜʣ ଞͷσόΠε͸0,

15. ͔͜͜Β༨ஊ

16. 3VDZͱ͍͏ϓϩάϥϜΛ࡞ͬͨ w3VCZͷεΫϦϓτΛ௚઀#1'ʹ͠·͢ SVDZ
    ίϚϯυͰΦϒδΣΫτϑΝΠϧΛ
    ੜ੒͠ɺಉ༷ʹϩʔυ͢Δͱ༗ޮʹͳΔ

17. ࢓૊Έ Ruby Script mruby OpCodes BPF OpCodes BPF Object (ELF

    format) mruby Rucy transpiler wNSVCZͷ0Q$PEFΛ࡞ΓɺͦΕΛ#1'
    0Q$PEFʹ຋༁͢Δ

18. ໋ྩηοτͷൺֱʢҰ෦ʣ wNSVCZ
    wϨδελϚγϯ7.ɺϨδελ͸ݸʢݸΛਪ঑ʣ
    w໋ྩ͸Մม௕ɺҾ਺͸3
    3ɺ೚ҙͷϨδελΛฦ٫Մ
    w#1'
    wϨδελϚγϯ7.ɺϨδελ͸ݸ
    w໋ྩ͸ݪଇݻఆ௕ʢCJUɺඞཁͳ৔߹CJUʣ
    wҾ਺͸3
    3ɺฦ٫஋͸ඞͣ3
    

19. ม׵ͷྫ

20. ·ͱΊʁ

21. ॴײͱ͔ w#1'ϓϩάϥϜͷதͰ΋ɺσόΠεΞΫηεϑΟϧλ͸
    খ͍࣮͞૷Ͱࢼ͢͜ͱ͕Ͱ͖ΔͷͰɺ
    3VDZ
    ͷ࣮૷Λ͢Δࡍʹςετઌͱͯ͠ศརͩͬͨɻ
    wΈͳ͞Μ΋σόΠεΞΫηεϑΟϧλ͔Β#1'࢝Ί·ͤΜ͔ʁ