Understand what is inside a container through the mechanisms that "protect" it!!1; /how-to-be-a-container

@YAPC::Fukuoka 2017

KONDO Uchio

July 01, 2017

Transcript

  1. Docker, Haconiwa, and then Perl. KONDO Uchio (GMO Pepabo Inc.), YAPC::Fukuoka: "Understand what is inside a container through the mechanisms that protect it"

  2. Engineer: KONDO Uchio (@udzura), GMO Pepabo technical infrastructure team. Twitter/GitHub: @udzura, Facebook: uchio.kondo

  3. About @udzura
     - Rubyist, for a good number of years now
     - Co-author of "Perfect Ruby" and "Perfect Ruby on Rails"
     - Fukuoka.rb
     - RubyKaigi speaker
     - Haconiwa, a container runtime written in mruby

  4. (build of slide 3)

  5. Rubyist

  6. Fukuoka RubyKaigi (http://regional.rubykaigi.org/fukuoka…)

  7. Containers

  8. security

  9. UNIX / Linux

  10. What is a container?
     - Across the various UNIX systems there are various container implementations
     - jail on the FreeBSD family, Solaris Containers, ...
     - On Linux: LXC, Docker, systemd-nspawn and others
     - A Linux container is basically implemented as a "special kind of process"

  11. What is a process, then?

  12. How a process is made: parent process, child process, new program; fork(), execve(), wait()

  13. How a process is made: fork() "duplicates" the process; execve() throws the old process image away and "transforms" it into the new program; with wait() the parent watches for the child's termination

  14. Attributes of a process
     - A process carries many attributes
     - They can be inspected under /proc
     - cwd, root, ns, fs, ppid, pid, capability, cgroup, ...

  15. Example: /proc/PID/status shows the PID and the parent's PID, the executing user and group, the process-group and other IDs, memory usage, signal settings (masks and so on) and the capability sets

  16. Between fork() and exec(): parent process, child process, new program; fork(), execve(), wait(). Between fork() and the call to the exec family, the process's attributes can be changed

  17. Between fork() and exec()
     - After fork(), the program is a copy of the forking one, but from that moment it has its own independent attributes
     - Because it is independent, system calls that change the various attributes can be called afterwards
     - Many of those attributes are inherited by the new program after exec(), so if the new process carries container-like attributes it can be treated as a container

  18. (build of slide 17) unshare(), chroot(), prctl(), ... : these are the items explained in the rest of this talk

  19. Terminology for this talk: a process for which some OS resource has been isolated, some functionality restricted, or privileges separated, using the system calls described below, is called a "container (or container-like process)".

  20. What is inside a container

  21. Docker / Moby: libcontainer
     - The core implementation of Docker's container process creation has been split out under the name "RunC"; what it uses internally is libcontainer
     - libcontainer itself can be used from other Go implementations
     - It lets you specify the various raw options around containers
     https://medium.com/@tiffanyfayj/docker-…-et-plus-engine-is-now-built-on-runc-and-containerd-…

  22. LXC
     - The reference-style implementation of Linux containers
     - Written in C; it uses the system calls very directly
     - A good way to study how the container-related system calls are invoked

  23. Haconiwa
     - A container implementation written in mruby by someone called @udzura
     - Access to system calls goes through C bindings; process creation, DSL evaluation and the like are written in mruby
     - As a by-product you get an mruby irb binary with easy access to the container-related system calls (when installed from the package)

  24. Other implementations
     - Perl: jailing, aqr
     - https://github.com/kazuho/jailing
     - https://github.com/hayajo/aqr
     - In Rust there is apparently something called vagga
     - https://github.com/tailhook/vagga

  25. Container features and security

  26. Today's topics
     - chroot / pivot_root
     - Linux namespaces
     - cgroup
     - kernel capabilities
     - seccomp
     - MAC (AppArmor)

  27. (build of slide 26) The four purposes these serve: isolation of OS resources, restriction of privileges and functionality, access control, and limits on OS resource usage
  28. chroot

  29. chroot(2) / the chroot command
     - The command is a wrapper around the chroot(2) system call
     - The simplest possible "container"
     - You "enter" an OS root filesystem built somewhere else and get an environment separate from the parent process
     - From inside the chroot, other roots and the parent's filesystem are, in princip­le, not visible

  30. Simple, and therefore full of holes
     - If chroot(2) is still possible inside the chrooted environment, escaping is easy:

         # mkdir .tmp
         # mount --bind . .tmp
         # mount devtmpfs -t devtmpfs .tmp/dev
         # perl -e 'chroot ".tmp"; chdir "..";chdir "..";chdir ".."; chdir "..";chdir "..";chdir ".."; chroot "."; exec "/bin/sh"'
         # ls /vagrant
         ......  (the parent's directory is visible!)

  31. Preventing the "unchroot"
     - The usual approach is to make chroot impossible
     - drop the privilege (capabilities)
     - make the system call itself uncallable (seccomp)
     - beyond that, a separate user namespace makes escape practically impossible
     - Either way, safety comes from combining it with the other container features

  32. cf. pivot_root
     - "Swaps" the root filesystem; stronger than chroot
     - Used by the OS boot process and for netboot
     - More restricted than chroot
     - e.g. "new_root and put_old must not be on the same filesystem as the current root"
     - Not as convenient as chroot, but the escape problem goes away
     https://linuxjm.osdn.jp/html/LDP_man-pages/man…/pivot_root….html

  33. Linux namespaces

  34. Without Linux namespaces
     - chroot separates the filesystem.
     - That means /proc has to be mounted afresh inside.
     - And once it is mounted, things you should not be able to see become visible...

  35. Other OS resources can be "isolated" too
     - Without process isolation, processes outside the container can be tampered with from inside it
     - Without hostname isolation, the container cannot set its own hostname
     - Other things that can be isolated:
     - mount point information
     - IPC resources (things like shmget() and mq_open())
     - network, user IDs, cgroup

  36. Picture: inside the global namespace, several namespaces can be created (https://speakerdeck.com/udzura/creating-containers-with-golang)

  37. Moving only part of a process is also possible
     - Example: ip netns exec
     - That can be called a container that isolates only the network namespace (plus a bit more)
     - In general, isolating them as a set is the more convenient choice

         $ sudo ip netns add test001
         $ sudo ip netns exec test001 /bin/bash
         root@test-1:/home/ubuntu# ip a
         1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1
             link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  38. So, let's isolate PIDs
     - Implementation plan
     - PIDs are what you see through /proc
     - So, to be able to mount a separate /proc safely, isolate the mount namespace at the same time
     - Call the clone(2) system call instead of fork(), and exec() at the end; think of clone as a fork() whose conditions can be specified in detail

  39. I studied some Perl and wrote it

         #!/usr/bin/env perl
         use strict;
         use POSIX;
         use Linux::Clone;

         # new mount namespace + new PID namespace; SIGCHLD so waitpid works as for fork()
         my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
         my $pid = Linux::Clone::clone sub {
             system "mount --make-rslave /";      # keep host mounts from leaking back
             chroot "/var/lib/rootfs/yapc";
             chdir "/";
             exec "/bin/sh";
             127                                  # only reached if exec fails
         }, 0, $flg;
         print "PID=", $pid, "\n";
         waitpid $pid, 0 if($pid);
         print "Container exited\n";

  40. Checking that it works
     - Up to this point, every container runtime does the same thing

  41. Break

  42. (image slide)

  43. GMO Pepabo's Fukuoka office is hiring engineers; check the latest openings → @pb_recruit

  44. If you want to use containers seriously at work, or to develop them, come and talk to us

  45. resume

  46. cgroup

  47. Control Group (cgroup)
     - Linux can group processes and, per group, report on or control the usage of hardware and OS resources. That is cgroup
     - Accessible through libraries such as libcgroup, or directly via cgroupfs
     - systemd also uses it internally (process grouping, resource limits, ...)
     - cf. systemd-nspawn, the container runtime bundled with systemd

  48. cgroup subsystems
     - There is a subsystem for each kind of thing that can be controlled
     - There are many: cpu, memory, blkio, net_cls, freezer, ...
     - This talk introduces the pids subsystem

  49. Fork bombs inside a container
     - Obviously, the number of processes on the host OS as a whole is finite
     - So creating a huge number of processes from inside a container can end up hitting the host's process limit
     - Traditionally, rlimit limits the number of processes per process tree
     - With containers, because of attach and the like, not all processes inside the container necessarily belong to the same process tree

  50. The pids subsystem
     - A subsystem added in a later Linux release
     - It exposes these values:
     - pids.current: the current number of processes in the group
     - pids.max: the maximum number of processes allowed in the group (note: not available in the root group)
     Reference: "Container basics through LXC" (http://gihyo.jp/admin/serial/…/linux_containers)

  51. Patching the Perl container from before: add a pids cgroup, put the container's pid in it, and limit max

         --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
         +++ bomber.pl  2017-06-20 12:55:41.572399620 +0900
         @@ -2,11 +2,19 @@
          use strict;
          use POSIX;
          use Linux::Clone;
         +system "mkdir -p /sys/fs/cgroup/pids/yapc-fukuoka";
          my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
          my $pid = Linux::Clone::clone sub {
              system "mount --make-rslave /";
              chroot "/var/lib/haconiwa/rootfs/php";
              chdir "/";
         -    exec "/bin/sh"; 127 }, 0, $flg;
         +    exec "/bin/bash"; 127 }, 0, $flg;
         +open TASKS, ">> /sys/fs/cgroup/pids/yapc-fukuoka/tasks";
         +print TASKS "$pid";
         +close TASKS;
         +open MAX, ">> /sys/fs/cgroup/pids/yapc-fukuoka/pids.max";
         +print MAX "32";
         +close MAX;
         +
          print "PID=", $pid, "\n";
          waitpid $pid, 0 if($pid);
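Review bot: the limit is applied too late in this hunk: the `+open TASKS, ...` and `+open MAX, ... pids.max` lines run only after `Linux::Clone::clone` has returned, so the child, and anything it forks in the meantime, runs with no limit until the parent catches up. Write `pids.max` before the clone, and attach the child before its `exec` (from inside the sub, writing its own pid to the group) so the limit is in force before the first fork in the container. Also, none of the three `open` calls checks its return value: if the pids controller is not mounted at /sys/fs/cgroup/pids, the `print TASKS` goes to an unopened handle and the container silently runs unlimited; `open ... or die` (or `use autodie`) would surface that.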
  52. We can see that the fork bomb is contained
     - Without the pids.max limit the whole host goes silent
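To show the pids controller interface from slides 49 to 52 with the ordering and error checking a runtime needs (limit first, then attach; an unmounted controller must not go unnoticed), here is an added C example. It is not code from the talk or from Haconiwa. It assumes the cgroup v1 layout the slides use: a pids hierarchy under a root such as /sys/fs/cgroup/pids, with pids.max, pids.current and cgroup.procs inside each group. The make_fake_cgroup helper is constructed test scaffolding: it emulates, in a temporary directory, the files the kernel creates on mkdir, so the logic can be exercised without root; against a real cgroupfs only the root path changes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `value` to <dir>/<file>. cgroupfs files already exist, so no O_CREAT:
   a missing file means the pids controller is not mounted there. Returns 0 or -errno. */
static int cg_write(const char *dir, const char *file, const char *value) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    ssize_t len = (ssize_t)strlen(value);
    int rc = write(fd, value, (size_t)len) == len ? 0 : -errno;
    close(fd);
    return rc;
}

/* Read one value back (trailing newline stripped). Returns its length or -errno. */
static int cg_read(const char *dir, const char *file, char *buf, size_t buflen) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    ssize_t n = read(fd, buf, buflen - 1);
    int saved = errno;
    close(fd);
    if (n < 0) return -saved;
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == ' ')) n--;
    buf[n] = '\0';
    return (int)n;
}

/* Step 1: create <root>/<name> and set pids.max BEFORE anything is attached,
   so no process ever runs in the group without a limit. `dir` receives the group path. */
static int pids_cgroup_prepare(const char *root, const char *name, long max,
                               char *dir, size_t dirlen) {
    snprintf(dir, dirlen, "%s/%s", root, name);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) return -errno;
    char value[32];
    snprintf(value, sizeof value, "%ld", max);
    return cg_write(dir, "pids.max", value);
}

/* Step 2: attach a process. pid 0 means "the writer itself", which is what the child
   should do right before execve(); cgroup.procs moves the whole thread group. */
static int pids_cgroup_attach(const char *dir, pid_t pid) {
    char value[32];
    snprintf(value, sizeof value, "%ld", (long)pid);
    return cg_write(dir, "cgroup.procs", value);
}

/* Constructed test scaffolding, not a real cgroupfs: a temp directory holding,
   as empty files, what the kernel would create when the group directory is made. */
static int make_fake_cgroup(char *root, size_t rootlen, const char *name) {
    char tmpl[] = "/tmp/pidscg-XXXXXX";
    if (!mkdtemp(tmpl)) return -errno;
    snprintf(root, rootlen, "%s", tmpl);
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/%s", root, name);
    if (mkdir(dir, 0755) != 0) return -errno;
    const char *files[] = { "pids.max", "pids.current", "cgroup.procs" };
    for (size_t i = 0; i < 3; i++) {
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0) return -errno;
        close(fd);
    }
    return 0;
}
```

To use it for real, call pids_cgroup_prepare with /sys/fs/cgroup/pids as the root before clone(2), and let the child call pids_cgroup_attach(dir, 0) as its last step before execve(); the limit is then in force before the first fork inside the container, and a negative return from either call tells you the controller is not where you expected it.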

  53. Kernel capabilities

  54. Linux kernel capabilities
     - Linux splits the many privileges root holds into fine-grained pieces, so that only some of them can be granted, or only some restricted
     - The set of such privileges is called a capability set; each individual one is a capability.
     - Examples: the privilege to set the clock (CAP_SYS_TIME), to send kill to any process (CAP_KILL), to reboot (CAP_SYS_BOOT)
  55. On Ubuntu Xenial (Linux): the list of capabilities, numbered from 0

  56. Capability inheritance rules
     - Determined by the process's and the file's sets (Permitted, Inheritable, Effective), the bounding set and, on newer kernels, the ambient set
     - See man capabilities for the details
     - Example: with a set-user-ID-root binary and everything else at its defaults, dropping a capability from the bounding set and then calling execve() means the new program no longer has that privilege

  57. Example: listening on port 80 as a regular user
     - Normally, low-numbered ports cannot be used by regular users
     - If you write a Go HTTP server like this, a regular user cannot start it

  58. Granting file capabilities with setcap(8)
     - CAP_NET_BIND_SERVICE is the privilege to listen on low-numbered ports

         ubuntu@compute-1:~$ sudo setcap cap_net_bind_service+ep ./listen80
         ubuntu@compute-1:~$ ./listen80 &
         [1] 5915
         ubuntu@compute-1:~$ curl localhost
         Hello, World
         ubuntu@compute-1:~$ sudo getcap ./listen80
         ./listen80 = cap_net_bind_service+ep

     The server can now be started as the ubuntu user
  59. Example: a restricted root inside the container
     - Even inside a container, handing out root is often convenient
     - But you do not want it to be able to do everything, only what it needs
     - Let's take away CAP_SYS_TIME and CAP_SYS_CHROOT

  60. Patching the first Perl container: remove them from the bounding set

         --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
         +++ dropcap.pl 2017-06-20 14:38:31.335190235 +0900
         @@ -2,10 +2,14 @@
          use strict;
          use POSIX;
          use Linux::Clone;
         +use Linux::Prctl;
         +
          my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | ...;
          my $pid = Linux::Clone::clone sub {
              system "mount --make-rslave /";
              chroot "/var/lib/haconiwa/rootfs/php";
              chdir "/";
         +    $Linux::Prctl::capbset{"sys_time"} = 0;
         +    $Linux::Prctl::capbset{"sys_chroot"} = 0;
              exec "/bin/sh"; 127 }, 0, $flg;
          print "PID=", $pid, "\n";
          waitpid $pid, 0 if($pid);
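Review bot: the two `+    $Linux::Prctl::capbset{...} = 0;` lines give no feedback on whether the drop actually happened; removing a capability from the bounding set needs CAP_SETPCAP, and if it fails the child still reaches `exec "/bin/sh"` with CAP_SYS_TIME and CAP_SYS_CHROOT intact. Read the two entries back before the `exec` and bail out if either is still set. The placement itself is right and should stay: the bounding set only limits what execve() can hand to the new program, so the drops must precede the `exec`, which is exactly why `date -s` fails in the shell afterwards.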
  61. date can no longer set the date
     - It becomes "Operation not permitted"

         root@compute-1:~# perl dropcap.pl
         PID=5962
         # date
         Tue Jun 20 06:34:50 UTC 2017
         # date -s 00:00:00
         date: cannot set date: Operation not permitted
         Tue Jun 20 00:00:00 UTC 2017
         # date
         Tue Jun 20 06:34:59 UTC 2017

  62. And the container can no longer be escaped with chroot!

  63. In Docker / Moby
     - Controllable with the --cap-add / --cap-drop options of docker (moby) run
     - The default capabilities are hard-coded in the source
     - https://github.com/moby/moby/blob/master/oci/defaults.go#L…-L…

  64. By the way, everyone...

  65. Are you using --privileged casually?
     - Literally, it grants every capability, without any review
     - The other settings (seccomp, AppArmor and so on) still narrow the privileges inside the container. That said:
     - depending on the kernel, seccomp and friends may not be in effect
     - (there are also options that disable seccomp, AppArmor and the like)
     - (situations where safety is guaranteed by other means, such as CI with a fixed set of images, are a different matter)
     - Follow the principle of least privilege: review what is needed and add it explicitly with --cap-add
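Slides 54 to 58 describe capability sets as they appear in /proc/PID/status, and slide 65 warns about --privileged. As an added example (mine, not the speaker's), the C below parses the CapEff line of a status file into a bitmask, names the bits, and applies the check a defender would run inside a container: does the effective set contain CAP_SYS_ADMIN, which docker-default never grants? The two status texts are constructed samples (the docker-default mask 0xa80425fb and an everything-set mask); CAP_NAMES follows the bit numbering in <linux/capability.h>; cap_in_bounding_set is a live prctl(PR_CAPBSET_READ) query on the calling process, the same set the dropcap.pl patch above manipulates.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/prctl.h>

/* Capability names indexed by bit number, following <linux/capability.h>
   (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40). */
static const char *const CAP_NAMES[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
};
#define CAP_COUNT (sizeof CAP_NAMES / sizeof CAP_NAMES[0])

/* Constructed samples of /proc/PID/status (only the lines that matter here).
   0xa80425fb is the docker-default effective set; 0x3fffffffff is "everything". */
static const char DOCKER_DEFAULT_STATUS[] =
    "Name:\tsh\nPid:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n";
static const char PRIVILEGED_STATUS[] =
    "Name:\tsh\nPid:\t1\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";

/* Locate "<field>:" (e.g. "CapEff") in status text and parse its hex mask.
   Returns 0 on success, -1 if the line is missing or not a hex number. */
static int parse_cap_field(const char *status, const char *field, uint64_t *mask) {
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            errno = 0;
            uint64_t v = strtoull(p, &end, 16);
            if (end == p || errno != 0) return -1;
            *mask = v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Number of capabilities present in the mask. */
static int cap_count(uint64_t mask) { return __builtin_popcountll(mask); }

/* 1/0 if the named capability ("sys_admin" or "CAP_SYS_ADMIN") is in the mask, -1 if unknown. */
static int cap_has(uint64_t mask, const char *name) {
    if (strncasecmp(name, "cap_", 4) == 0) name += 4;
    for (size_t i = 0; i < CAP_COUNT; i++)
        if (strcasecmp(name, CAP_NAMES[i]) == 0) return (int)((mask >> i) & 1u);
    return -1;
}

/* Comma-separated names of the set bits (unknown bits printed as numbers); returns how many. */
static int cap_names(uint64_t mask, char *out, size_t outlen) {
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < 64; i++) {
        if (!((mask >> i) & 1u)) continue;
        char item[40];
        if (i < CAP_COUNT) snprintf(item, sizeof item, "%s%s", n ? "," : "", CAP_NAMES[i]);
        else snprintf(item, sizeof item, "%s%zu", n ? "," : "", i);
        strncat(out, item, outlen - strlen(out) - 1);
        n++;
    }
    return n;
}

/* The check for slide 65: an effective set holding CAP_SYS_ADMIN is what --privileged
   hands out and what docker-default never does. */
static int looks_privileged(uint64_t eff) { return cap_has(eff, "sys_admin") == 1; }

/* Live query on the calling process: is `cap` still in the bounding set? 1, 0, or -errno. */
static int cap_in_bounding_set(int cap) {
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

int main(void) {
    char status[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(status, 1, sizeof status - 1, f);
    fclose(f);
    status[n] = '\0';
    uint64_t eff;
    if (parse_cap_field(status, "CapEff", &eff) != 0) { fputs("no CapEff line\n", stderr); return 1; }
    char names[1024];
    cap_names(eff, names, sizeof names);
    printf("CapEff=%016llx (%d caps): %s\n", (unsigned long long)eff, cap_count(eff), names);
    printf("privileged-like: %s; sys_chroot in bounding set: %d\n",
           looks_privileged(eff) ? "yes" : "no", cap_in_bounding_set(CAP_SYS_CHROOT));
    return 0;
}
```

Run inside a container, the main prints the process's own effective set; a 38-or-more entry list with sys_admin present is the signature of --privileged, whereas docker-default yields the 14 names of the sample mask.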
  66. Break

  67. You must be tired, so let's look at some pictures of delicious food from Fukuoka

  68. (image)
  69. (image)
  70. (image)

  71. restore

  72. seccomp

  73. seccomp (seccomp-bpf)
     - A Linux facility for building sandboxes: it filters a process's system call invocations in order to restrict, trap or track them
     - This talk is about the seccomp filter mode available on newer kernels
     - Filtering is done fast, using Berkeley Packet Filter (BPF) programs

  74. What it can do
     - allow particular system calls
     - forbid particular system calls (delivering SIGSYS)
     - make particular system calls return an arbitrary errno
     - make particular system calls trackable via ptrace()
     - You first specify the default behaviour, then define the cases for individual system calls

  75. Here mruby comes in
     - Sorry, my Perl skills are limited (there does seem to be a module, though)
     - haconiwa/mruby-seccomp

  76. mruby script

         #!/usr/bin/env hacorb
         context = Seccomp.new(default: :allow) do |rule|
           rule.kill :mkdir
           rule.kill :fchownat
         end

         pid = Process.fork do
           context.load
           puts "==== It will be jailed. Please try to mkdir/chown"
           exec "/bin/sh"
         end
         p(Process.waitpid2 pid)

  77. Running it brings up a sandbox
     - You are unmistakably root, yet you can neither change a file's owner nor create a directory. This too is a kind of "container"
     - (uses the hacorb binary shipped in the haconiwa package)
     - The error shown is the SIGSYS message
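The mruby script on slide 76 and its effect on slide 77 can be reproduced at the system call level. The C below is an added example (mine, not mruby-seccomp or Haconiwa code): it builds the same policy, default allow and kill on mkdir/chown, as a classic BPF program, loads it with prctl(2) after setting no_new_privs so no privilege is needed, and runs a workload in a forked child so the parent can observe the SIGSYS the slide describes. Constants come from the kernel uapi headers; ARCH_NR and the syscall-number list depend on the build architecture and are selected with #ifdef; the directory path in the workload is arbitrary.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter checks the architecture first; without that, a syscall number from
   another ABI (e.g. the 32-bit table on a 64-bit kernel) could slip past the rule. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_DENY 16

/* Build and load "default allow, kill on these syscalls" into the calling process.
   Returns 0, or -errno when the kernel refuses (seccomp unavailable, too many rules). */
static int install_deny_filter(const int *denied, size_t n) {
    if (n > MAX_DENY) return -EINVAL;
    struct sock_filter prog[4 + 2 * MAX_DENY + 1];
    size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[j], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* no_new_privs is what allows an unprivileged process to install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return -errno;
    return 0;
}

/* Run fn() in a forked child under the filter. Returns the signal that killed the child
   (SIGSYS when a denied call was attempted), 0 on a clean exit, or minus its exit code. */
static int run_sandboxed(const int *denied, size_t n, int (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        if (install_deny_filter(denied, n) != 0) _exit(111);   /* filter could not be loaded */
        _exit(fn() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return -WEXITSTATUS(status);
}

/* What the mruby script denies, as raw syscall numbers; this ABI may lack the
   legacy non-*at entry points, hence the #ifdefs. */
static const int JAIL_DENY[] = {
#ifdef SYS_mkdir
    SYS_mkdir,
#endif
    SYS_mkdirat,
#ifdef SYS_chown
    SYS_chown,
#endif
    SYS_fchownat,
};
#define JAIL_DENY_LEN (sizeof JAIL_DENY / sizeof JAIL_DENY[0])

/* Sample workloads; the raw syscall is used so libc cannot route around the rule. */
static int try_mkdir(void) {
    return (int)syscall(SYS_mkdirat, AT_FDCWD, "/tmp/seccomp-demo-should-not-exist", 0700);
}
static int try_getpid(void) { return syscall(SYS_getpid) > 0 ? 0 : 1; }

static int jailed_mkdir_result(void)  { return run_sandboxed(JAIL_DENY, JAIL_DENY_LEN, try_mkdir); }
static int jailed_getpid_result(void) { return run_sandboxed(JAIL_DENY, JAIL_DENY_LEN, try_getpid); }

int main(void) {
    printf("mkdir under filter:  %s\n", jailed_mkdir_result() == SIGSYS ? "killed by SIGSYS" : "not blocked");
    printf("getpid under filter: %s\n", jailed_getpid_result() == 0 ? "allowed" : "blocked");
    return 0;
}
```

SECCOMP_RET_KILL terminates the calling thread with SIGSYS, which for the single-threaded child here is the whole process; a runtime that wants the errno-returning or ptrace-trapping behaviours from slide 74 swaps that action for SECCOMP_RET_ERRNO or SECCOMP_RET_TRACE in the same program.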

  78. Details are on my blog...
     - Overview of the mrbgem: "Trying seccomp from mruby" (http://udzura.hatenablog.jp/entry/…)
     - System call tracking with seccomp: "Chasing system calls with mruby, seccomp and ptrace" (http://udzura.hatenablog.jp/entry/…)
     - An example shell that logs particular system call invocations is in that article

  79. What about inside Docker?
     - There is a "whitelist" of callable system calls
     - As the documentation says.
     - An arbitrary filter can apparently be applied via an option
     Seccomp security profiles for Docker: https://docs.docker.com/engine/security/seccomp/

  80. ."$ "QQ"SNPS

  81. ίϯςφػೳઆ໌ͱͯ͠͸ɺ ͜ΕͰ࠷ޙͳΜͰ ؤு͓ͬͯฉ͖͍ͩ͘͞

  82. ༤େͳେ෼ͷࣗવΛݟͯٳܜ CZ!NBUTVNPUPSZ͞Μ

  83. ."$ͱ͸ w͜͜Ͱ͸.BOEBUPSZ"DDFTT$POUSPMڧ੍ΞΫηε੍ޚͷ͜ͱ wҰൠతͳɺϑΝΠϧΦ΢φʔ͝ͱʹΞΫηε͢ΔݖݶΛߜΔํࣜ͸ɺ ೚ҙΞΫηε੍ޚ %JTDSFUJPOBSZ"DDFTT$POUSPM ͱݺ͹ΕΔɻ wࣄނͳͲʹΑΓݖݶΛඞཁҎ্ʹΏΔ͘Ͱ͖ͯ͠·͏
 ʢσΟϨΫτϦΛύʔϛογϣϯͰެ։Ͱ͖Δ౳ʣ͜ͱ͕͋Δ

  84. ."$ͱ͸  w%"$ͷݖݶݕࠪΛͨ͠ޙͰɺ؅ཧऀͷઃఆͨ͠."$ͷϙϦγʔ͕ద ༻͞ΕɺϦιʔε΁ͷΞΫηε͕ڧ੍ίϯτϩʔϧ͞ΕΔ wʮࣗ෼ͷݖݶͰ͋ͬͯ΋ɺࣗ෼ͰίϯτϩʔϧͰ͖ͳ͍ʯ͜ͱ΋ wྫ͑͹ࣗ෼Ͱ࡞ͬͨϑΝΠϧʹɺࣗ෼ͰΞΫηεͰ͖ͳ͘ͳΔɺͱ͍ ͏ઃఆ΋ՄೳͰ͋Δ w·ͨɺ%"$ΑΓࡉ͔͍ΞΫηε੍ޚ΋Մೳʹ

  85. "QQ"SNPSͱ͸ w."$Λ࣮ݱ͢Δϛυϧ΢ΣΞͷҰͭ wϓϩάϥϜͷύε୯Ґϓϩηε୯ҐͰϓϩϑΝΠϧͷద༻͕Ͱ͖Δ ͷ͕ಛ௃ w6CVOUVͷ$BOPOJDBMࣾʹΑΓ։ൃ͕͞Ε͍ͯΔ wFOGPSDFNPEFͱDPNQMBJONPEFʢه࿥ͷΈʣ͕͋Δ

  86. %PDLFSͰͷར༻ wίϯςφ͸σϑΥϧτɺEPDLFSEFGBVMUͱ͍͏ϓϩϑΝΠϧ͕౰ͨΔ ίϯςφΛͭ࡞ͬͨͷͰɺ ͭͷϓϩηεʹద༻͞Ε͍ͯΔ -9$΋࢖ͬͯ·͢Ͷ

  87. ϓϩϑΝΠϧͷྫ IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZBQQBSNPSOHJOYFYBNQMFQSPpMF wಠࣗͷݴޠΛ༻͍ͯهड़͢Δ

  88. ΧελϜϓϩϑΝΠϧΛ౰ͯΔʹ͸ wdeny /usr/bin/top mrwklxͱ͍͏ϧʔϧΛՃ͑ͨϓϩϑΝΠϧ Λ࡞੒ɺొ࿥͢Δ wEPDLFSSVOίϚϯυͰ--security-opt apparmor=exampleͷ Α͏ʹࢦఆͯ͠ىಈ wͦͷίϯςφͰ͸ɺUPQίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ wBVEJUͷΈɺͳͲ΋Մೳ

    ৄࡉ͸ϒϩάͰ ʮ"QQ"SNPSͱ%PDLFSͱͦͷଞίϯςφతϓϩηεʹ͍ͭͯʯ IUUQVE[VSBIBUFOBCMPHKQFOUSZ
  89. ΑΓৄࡉͳத਎ wMJCBQQBSNPSͱ͍͏ϥΠϒϥϦͰϓϩάϥϜ͔ΒΞΫηεͰ͖Δ wݱࡏͷϓϩηεͷϓϩϑΝΠϧΛมߋ͢ΔBB@DIBOHF@QSPpMF  ͱ
 FYFDWF ͷλΠϛϯάͰมߋ͢ΔBB@DIBOHF@POFYFD  ͕͋Δ wʢ6CVOUVͷNBOͰηΫγϣϯ͕ͳͷͰʣ

    wNSVCZͷCJOEJOH࡞੒ࡁʢ͔͠͠·ͩ)BDPOJXBʹ૊ΈࠐΜͰͳ͍ʣ IUUQNBOQBHFTVCVOUVDPNNBOQBHFTYFOJBMNBOBB@DIBOHF@QSPpMFIUNM
  90. Thank you for your patience

  91. Summary

  92. A container is nothing more than a special process. → There are various system calls and features for using that process safely, in an isolated form, and efficiently

  93. Docker does a lot of sensible things by default → but with an incomplete understanding you can still open loopholes: the --privileged option, mistaken settings, features unavailable on your kernel version, and so on

  94. Reference: the Swiss cheese model → even if every single layer has holes, stacking many of them makes getting through all the holes very hard (Image: CC0, https://pixabay.com/p-…)

  95. Take a real interest in the internals, understand them and use them, and you can avoid the pitfalls → hacorb may be handy for that. And you can play with container features from Perl too!

  96. Have fun using containers, safely!

  97. Reference material
     - udzura's blog (seccomp, AppArmor, Haconiwa and more)
     - lxc-jp / @TenForward's material
     - https://speakerdeck.com/tenforward
     - Past YAPC (and YAPaC) talks and others
     - "Building a container from scratch in Perl"
     - "Learn by building: the back side of Linux containers"
     - Docker security
     - https://docs.docker.com/engine/security/security/

  98. Special thanks
     - I asked @TenForward to review these slides. Thank you very much. Let's go drinking in Honmachi again.