コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

@YAPC::Fukuoka 2017

2cf373725ded741824c50fd571eda6e1?s=128

KONDO Uchio

July 01, 2017
Tweet

Transcript

  1. 16.

    GPSL ͱFYFD ͷؒ ਌ϓϩηε ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL  FYFDWF

     XBJU  GPSL ͱFYFD଒ͷ࣮ߦͷؒʹɺ ϓϩηεͷଐੑΛมߋ͢Δ͜ͱ͕Ͱ͖Δ
  2. 18.

    GPSL ͱFYFD ͷؒ wGPSL ͢ΔͱɺϓϩάϥϜͱͯ͠͸GPSL ݩͷίϐʔͱͳΔ͕ɺͦͷ ࣌఺Ͱಠཱͨ͠ଐੑΛ࣋ͭ wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ ݺ΂Δ wͦͷଐੑͷ͏ͪଟ͘͸FYFD

    ͯ͠৽͍͠΋ͷΛܧঝ͢ΔͷͰɺͦͷ ৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠ ѻ͑Δ VOTIBSF  DISPPU  QSDUM   ࠓ೔ɺ͜Ε͔Βઆ໌͢Δ֤߲໨Ͱ͢
  3. 28.
  4. 30.

    ୯७ͳ͚ͩʹ͕݀͋Δ wDISPPU ͨ͠؀ڥ಺෦ͰɺDISPPU Մೳͩͱ؆୯ʹൈ͚ΒΕΔ # mkdir .tmp # mount --bind

    . .tmp # mount devtmpfs -t devtmpfs .tmp/dev # perl -e 'chroot ".tmp"; chdir "..";chdir "..";chdir ".."; chdir "..";chdir "..";chdir ".."; chroot ".";exec "/bin/sh"' # ls /vagrant ...... (਌ͷσΟϨΫτϦ͕ݟ͑Δʂ)
  5. 37.

    Ұ෦͚ͩͷҠಈ΋Մೳ wྫip nets exec wOFUXPSLOBNFTQBDFʢʴЋʣ
 ͚ͩΛ෼཭͢Δ
 ίϯςφͱݴ͑Δ wҰൠతʹ͸ɺηοτͰ෼཭͢Δํ͕ศརͰ͸͋Δ $ sudo

    ip netns add test001 $ sudo ip netns exec test001 /bin/bash root@test-1:/home/ubuntu# ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  6. 39.

    1FSMΛษڧͯ͠ॻ͍ͯΈ·ͨ͠ #!/usr/bin/env perl use strict; use POSIX; use Linux::Clone; my

    $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/rootfs/yapc"; chdir "/"; exec "/bin/sh"; 127 }, 0, $flg; print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); print "Container exited\n";
  7. 41.
  8. 42.
  9. 45.
  10. 46.
  11. 51.

    ͖ͬ͞ͷ1FSMίϯςφʹύον --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900 +++ bomber.pl 2017-06-20 12:55:41.572399620

    +0900 @@ -2,11 +2,19 @@ use strict; use POSIX; use Linux::Clone; +system "mkdir -p /sys/fs/cgroup/pids/yapc-fukuoka"; my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/haconiwa/rootfs/php"; chdir "/"; - exec "/bin/sh"; 127 }, 0, $flg; + exec "/bin/bash"; 127 }, 0, $flg; +open TASKS, ">> /sys/fs/cgroup/pids/yapc-fukuoka/tasks"; +print TASKS "$pid"; +close TASKS; +open MAX, ">> /sys/fs/cgroup/pids/yapc-fukuoka/pids.max"; +print MAX "32"; +close MAX; + print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); QJETDHSPVQΛ௥Ճ ίϯςφͷQJEΛॴଐͤ͞ɺ NBYΛ੍ݶ
  12. 58.

    TFUDBQ  ͰpMFDBQBCJMJUJFTΛ෇༩͢Δ w൪ҎԼΛϦεϯ͢Δݖݶʹ CAP_NET_BIND_SERVICE ubuntu@compute-1:~$ sudo setcap cap_net_bind_service+ep ./listen80

    ubuntu@compute-1:~$ ./listen80 & [1] 5915 ubuntu@compute-1:~$ curl localhost Hello, World ubuntu@compute-1:~$ sudo getcap ./listen80 ./listen80 = cap_net_bind_service+ep VCVOUVϢʔβͰ αʔόΛىಈͰ͖Δ
  13. 60.

    ࠷ॳͷ1FSMίϯςφʹύον --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900 +++ dropcap.pl 2017-06-20 14:38:31.335190235

    +0900 @@ -2,10 +2,14 @@ use strict; use POSIX; use Linux::Clone; +use Linux::Prctl; + my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | ...; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/haconiwa/rootfs/php"; chdir "/"; + $Linux::Prctl::capbset{"sys_time"} = 0; + $Linux::Prctl::capbset{"sys_chroot"} = 0; exec "/bin/sh"; 127 }, 0, $flg; print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); CPVOEJOHTFU͔Β࡟আ
  14. 61.

    EBUFͰ೔෇ͷηοτ͕Ͱ͖ͳ͘ͳΔ w0QFSBUJPOOPUQFSNJUUFEѻ͍ʹͳΔ root@compute-1:~# perl dropcap.pl PID=5962 # date Tue Jun

    20 06:34:50 UTC 2017 # date -s 00:00:00 date: cannot set date: Operation not permitted Tue Jun 20 00:00:00 UTC 2017 # date Tue Jun 20 06:34:59 UTC 2017
  15. 66.
  16. 68.
  17. 69.
  18. 70.
  19. 71.
  20. 72.
  21. 76.

    NSVCZTDSJQU #!/usr/bin/env hacorb context = Seccomp.new(default: :allow) do |rule| rule.kill

    :mkdir rule.kill :fchownat end pid = Process.fork do context.load puts "==== It will be jailed. Please try to mkdir/chown" exec "/bin/sh" end p(Process.waitpid2 pid)
  22. 91.