コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

%PDLFSɺ)BDPOJXBɺͦΕ͔Β1FSM ۙ౻͏͓ͪ(.01FQBCP *OD :"1$'VLVPLB ίϯςφΛʮकΔʯ࢓૊Έ͔Βɺ த਎Λཧղ͠Α͏

ΤϯδχΞ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘٕज़ج൫νʔϜ 5XJUUFS(JU)VC!VE[VSB 'BDFCPPLVDIJPLPOEP

!VE[VSBʹ͍ͭͯ ɾ3VCZJTUɻ೥໨ʁ ɾύʔϑΣΫτ3VCZ3P3ڞஶ ɾ'VLVPLBSC ɾ3VCZ,BJHJTQFBLFS ɾNSVCZίϯςφ)BDPOJXB

3VCZJTU

෱Ԭ3VCZձٞ! IUUQSFHJPOBMSVCZLBJHJPSHGVLVPLB

ίϯςφ

TFDVSJUZ

6/*9 -JOVY

ίϯςφͱ͸ w༷ʑͳ6/*9γεςϜʹ͓͍ͯ͸ɺ༷ʑͳίϯςφ࣮૷͕͋Δ w'SFF#4%ܥͷKBJMɺ4PMBSJT$POUBJOFSɺ w-JOVYʹ͓͍ͯ͸ɺ-9$ɺ%PDLFSɺTZTUFNEOTQBXOͳͲ w-JOVYͷίϯςφ͸جຊతʹʮಛघͳϓϩηεʯͱ࣮ͯ͠૷

ϓϩηεͬͯʁ

ϓϩηεͷ࡞Γํ ਌ϓϩηε ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF XBJU

ϓϩηεͷ࡞Γํ ਌ϓϩηε ࢠϓϩηε ৽͍͠ ϓϩάϥϜ ϓϩηεΛ ʮෳ੡ʯ͢Δ ݹ͍ϓϩηεΛࣺͯɺ ৽͍͠ϓϩάϥϜʹʮม਎ʯ͢Δ ਌͕ࢠڙͷ
ऴྃΛ؂ࢹ

ϓϩηεͷଐੑ wͱ͜ΖͰɺϓϩηεʹ͸༷ʑͳଐੑ͕͋Δ wQSPDͷԼ͔Β֬ೝͰ͖Δ wDXE SPPU OTGT QQJE QJE DBQBCJMJUZ DHSPVQ

ྫQSPD1*%TUBUVT 1*%ɺ਌ͷ1*% ࣮ߦϢʔβɺάϧʔϓ ϓϩηεάϧʔϓͳͲͷ*% ϝϞϦͷར༻ঢ়گ γάφϧͷઃఆʢϚεΫͳͲʣ $BQBCJMJUZ4FU

GPSL ͱFYFD ͷؒ ਌ϓϩηε ࢠϓϩηε ৽͍͠ ϓϩάϥϜ GPSL FYFDWF
XBJU GPSL ͱFYFD଒ͷ࣮ߦͷؒʹɺ ϓϩηεͷଐੑΛมߋ͢Δ͜ͱ͕Ͱ͖Δ

GPSL ͱFYFD ͷؒ wGPSL ͢ΔͱɺϓϩάϥϜͱͯ͠͸GPSL ݩͷίϐʔͱͳΔ͕ɺͦͷ ࣌఺Ͱಠཱͨ͠ଐੑΛ࣋ͭ wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ ݺ΂Δ wͦͷଐੑͷ͏ͪଟ͘͸FYFD
ͯ͠৽͍͠΋ͷΛܧঝ͢ΔͷͰɺͦͷ ৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠ ѻ͑Δ

GPSL ͱFYFD ͷؒ wGPSL ͢ΔͱɺϓϩάϥϜͱͯ͠͸GPSL ݩͷίϐʔͱͳΔ͕ɺͦͷ ࣌఺Ͱಠཱͨ͠ଐੑΛ࣋ͭ wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ ݺ΂Δ wͦͷଐੑͷ͏ͪଟ͘͸FYFD
ͯ͠৽͍͠΋ͷΛܧঝ͢ΔͷͰɺͦͷ ৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠ ѻ͑Δ VOTIBSF DISPPU QSDUM ࠓ೔ɺ͜Ε͔Βઆ໌͢Δ֤߲໨Ͱ͢

ຊൃදͰͷ࢖͍ํ wޙड़͢ΔΑ͏ͳγεςϜίʔϧ౳Λ༻͍ͯɺԿ͔͠Βͷ04Ϧιʔεͷ ִ཭ɺػೳ੍ݶɺ·ͨݖݶ෼཭ΛߦͬͨϓϩηεΛɺ  ʮίϯςφʢ·ͨ͸ίϯςφతϓϩηεʣʯͱݺͼ·͢ɻ

ίϯςφͷத਎

%PDLFS.PCZMJCDPOUBJOFS w%PDLFSͷίϯςφϓϩηε࡞੒ͷίΞ࣮૷͸ʮ3VO$ʯͱ͍͏໊લͰ ಠཱ͍ͯ͠Δɻͦͷத਎Ͱ࢖͍ͬͯΔ΋ͷ͕MJCDPOUBJOFS wMJCDPOUBJOFSࣗମ͸ଞͷ  (Pݴޠͷ࣮૷͔Β΋ར༻Մೳ wίϯςφपΓͷ༷ʑͳ  ੜͷΦϓγϣϯΛࢦఆ IUUQTNFEJVNDPN!UJ⒎BOZGBZKEPDLFSFUQMVTFOHJOFJTOPXCVJMUPOSVODBOEDPOUBJOFSEBEEFFG

-9$ w-JOVYίϯςφͷϦϑΝϨϯεత࣮૷ wத਎͸ɺ$ݴޠ  γεςϜίʔϧΛඇৗʹ  ૉ௚ʹར༻ wίϯςφܥγεςϜίʔϧͷݺͼํͷษڧʹͳΔ

)BDPOJXB w!VE[VSBͱ͍͏ਓ͕NSVCZͰ࡞ͬͨίϯςφ࣮૷ wγεςϜίʔϧͱͷΞΫηεΛ$CJOEJOHͰɺϓϩηε࡞੒΍%4-ධ ՁͳͲͷॲཧΛNSVCZͰॻ͍͍ͯΔ w෭࢈෺ͱͯ͠ίϯςφܥγεςϜίʔϧʹ؆୯ʹΞΫηεͰ͖Δ NSVCZJSCόΠφϦ͕ೖΔʢύοέʔδΠϯετʔϧͷ৔߹ʣ

ͦͷଞͷ࣮૷ w1FSMͷ࣮૷KBJMJOH BRS wIUUQTHJUIVCDPNLB[VIPKBJMJOH wIUUQTHJUIVCDPNIBZBKPBRS w3VTUʹWBHHBͱ͍͏΋ͷ͕͋ΔΒ͍͠ wIUUQTHJUIVCDPNUBJMIPPLWBHHB

ίϯςφͷ ػೳͱ ηΩϡϦςΟ

ࠓ೔࿩͢͜ͱ wDISPPUQJWPU@SPPU w-JOVYOBNFTQBDF w$(SPVQ w,FSOFM$BQBCJMJUZ wTFDDPNQ w."$BQQBSNPS

ࠓ೔࿩͢͜ͱ wDISPPUQJWPU@SPPU w-JOVYOBNFTQBDF w$(SPVQ w,FSOFM$BQBCJMJUZ wTFDDPNQ w."$BQQBSNPS 04Ϧιʔεͷ෼཭ ݖݶɾػೳͷ੍ݶ ΞΫηείϯτϩʔϧ
04Ϧιʔεͷར༻੍ݶ

DISPPU

DISPPU ίϚϯυ wDISPPU γεςϜίʔϧͷϥούʔ w΋ͬͱ΋୯७ͳʮίϯςφʯ wผͷͱ͜Ζʹ࡞ͬͨ04ͷSPPUϑΝΠϧγεςϜͷதʹʮೖΓʯɺ  ਌ϓϩηεͱ͸ผͷ؀ڥΛ࡞Δ wDISPPUޙͷ؀ڥ͔ΒɺผͷSPPU΍ɺ਌ͷϑΝΠϧγεςϜ͸ɺ 
ݪଇͱͯ͠͸ݟ͑ͳ͍

୯७ͳ͚ͩʹ͕݀͋Δ wDISPPU ͨ͠؀ڥ಺෦ͰɺDISPPU Մೳͩͱ؆୯ʹൈ͚ΒΕΔ # mkdir .tmp # mount --bind
. .tmp # mount devtmpfs -t devtmpfs .tmp/dev # perl -e 'chroot ".tmp"; chdir "..";chdir "..";chdir ".."; chdir "..";chdir "..";chdir ".."; chroot ".";exec "/bin/sh"' # ls /vagrant ...... (਌ͷσΟϨΫτϦ͕ݟ͑Δʂ)

VODISPPUΛ๷͙ʹ͸ wDISPPUͰ͖ͳ͘͢Δͱ͍͏ํ๏͕Ұൠత wݖݶΛམͱ͢DBQBCJMJUZ wγεςϜίʔϧ୯ҐͰݺ΂ͳ͘͢ΔTFDDPNQ wͦͷଞɺ6TFSOBNFTQBDFΛ෼͚ͯ͠·͑͹࣮࣭୤ࠈෆՄ w͍ͣΕʹͤΑɺ΄͔ͷίϯςφػೳͱ૊Έ߹Θͤͯ҆શੑΛ֬อ͢Δ

DGQJWPU@SPPU wSPPUϑΝΠϧγεςϜΛʮೖΕସ͑ΔʯɻDISPPUΑΓڧྗ w04ͷϒʔτϓϩηεɺOFUCPPUͷࡍʹ࢖͍ͬͯΔ wDISPPUΑΓ͸੍ݶ͕͋Δ wlOFX@SPPUͱQVU@PME͸ݱࡏͷSPPUͱಉ͡ϑΝΠϧγεςϜʹ͋ͬͯ͸ͳ Βͳ͍zͳͲ wDISPPU΄Ͳखܰʹ͸࢖͑ͳ͍͕ɺҰํ୤ࠈͷ໰୊͸ͳ͘ͳΔ IUUQTMJOVYKNPTEOKQIUNM-%1@NBOQBHFTNBOQJWPU@SPPUIUNM

-JOVY OBNFTQBDF

-JOVYOBNFTQBDF͕ͳ͍ͱ wDISPPU͢ΔͱϑΝΠϧγεςϜ͕෼཭͞ΕΔɻ wͱ͍͏͜ͱͰɺ/procΛվΊͯϚ΢ϯτ͢Δඞཁ͕͋Δɻ wϚ΢ϯτ͢Δͱ  ݟ͑ͯ͸͍͚ͳ͍΋ͷ͕  ݟ͑ΔΑ͏ͳ

04ͷϦιʔε͸ଞʹ΋ʮ෼཭Ͱ͖Δʯ wϓϩηεΛ෼཭͠ͳ͍ͱɺίϯςφͷத͔Β֎ͷϓϩηεΛ͍͡ΕΔ wϗετ໊Λ෼཭͠ͳ͍ͱɺίϯςφ಺Ͱผ్ϗετ໊ΛઃఆͰ͖ͳ͍ wͦͷଞʹɺ෼཭Ͱ͖Δ΋ͷ wϚ΢ϯτϙΠϯτͷ৘ใ w*1$ϦιʔεTINHFU ͱ͔NR@PQFO తͳ΋ͷ wωοτϫʔΫɺϢʔβ*%ɺ$(SPVQ

Πϝʔδ wάϩʔόϧOBNFTQBDFͷ  தʹɺ͍͔ͭ͘  OBNFTQBDFΛ࡞ΕΔ IUUQTTQFBLFSEFDLDPNVE[VSBDSFBUJOHDPOUBJOFSTXJUIHPMBOH

Ұ෦͚ͩͷҠಈ΋Մೳ wྫip nets exec wOFUXPSLOBNFTQBDFʢʴЋʣ  ͚ͩΛ෼཭͢Δ  ίϯςφͱݴ͑Δ wҰൠతʹ͸ɺηοτͰ෼཭͢Δํ͕ศརͰ͸͋Δ $ sudo
ip netns add test001 $ sudo ip netns exec test001 /bin/bash root@test-1:/home/ubuntu# ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

ͱ͍͏͜ͱͰɺ1*%Λ෼཭͢Δ w࣮૷ͷํ਑ w1*%͸/proc͔Βݟ͑Δ΋ͷ wͳͷͰผͷ/procΛ҆શʹϚ΢ϯτͰ͖ΔΑ͏ɺ  .PVOUOBNFTQBDF΋Ұॹʹ෼཭͢Δ wGPSLͷ୅ΘΓʹDMPOF γεςϜίʔϧΛݺͼɺ࠷ޙʹFYFD ͢Δ ৚݅Λࡉ͔͘ࢦఆͰ͖Δ
GPSL ͱߟ͍͑ͯͩ͘͞

1FSMΛษڧͯ͠ॻ͍ͯΈ·ͨ͠ #!/usr/bin/env perl use strict; use POSIX; use Linux::Clone; my
$flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/rootfs/yapc"; chdir "/"; exec "/bin/sh"; 127 }, 0, $flg; print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); print "Container exited\n";

ಈ࡞֬ೝ w͜ͷล·Ͱ͸ɺͲΜͳίϯςφͰ΋ಉ͡Α͏ʹ࣮૷͍ͯ͠Δ

(.0ϖύϘ෱Ԭࢧࣾ͸ ΤϯδχΞΛืू͍ͯ͠·͢ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU

࢓ࣄͰɺίϯςφΛ  ΨοπϦ࢖͍͍ͨʂ  ͋Δ͍͸։ൃ͍ͨ͠ํ  ੠Λֻ͓͚͍ͩ͘͞

SFTVNF

DHSPVQ

$POUSPM(SPVQ DHSPVQ w-JOVYʹ͸ɺϓϩηεΛάϧʔϐϯάͯ͠ɺͦͷάϧʔϓ͝ͱʹ  ϋʔυ΢ΣΞϦιʔε04ϦιʔεͳͲͷར༻ঢ়گΛ֬ೝͨ͠Γɺ  ͋Δ͍͸੍ޚΛ͢Δػೳ͕͋ΔɻͦΕ͕DHSPVQ wMJCDHSPVQͷΑ͏ͳϥΠϒϥϦ΍ɺDHSPVQGT͔ΒΞΫηεՄೳ w·ͨɺTZTUFNE͕಺෦Ͱར༻͢ΔʢϓϩηεͷάϧʔϐϯάɺϦιʔ ε੍ݶͳͲʣ wDGTZTUFNEOTQBXO TZTUFNEʹಉࠝͷίϯςφ

DHSPVQTVCTZTUFN w੍ޚͰ͖Δର৅͝ͱʹαϒγεςϜ͕͋Δ wαϒγεςϜ͸ͨ͘͞Μ͋Δ wDQV wNFNPSZ wCMLJP OFU@DMT GSFF[FS wͦͷதͰ΋QJETαϒγεςϜΛ঺հ

ίϯςφͰͷGPSLCPNC߈ܸ w౰વͰ͋Δ͕ɺ฼؋04શମͰͷϓϩηεͷ࠷େ਺͸༗ݶͰ͋Δ w͕ͨͬͯ͠ɺίϯςφ؀ڥͷத͔Β๲େͳϓϩηεΛ࡞੒͢Δͱɺ  ݁Ռతʹ฼؋04ͷϓϩηε਺ͷ্ݶʹୡ͢Δ͜ͱ͸ى͜Γ͏Δ w఻౷తʹ͸ɺSMJNJUͰϓϩηεπϦʔ͝ͱͷϓϩηε਺Λ੍ݶ wίϯςφͷ৔߹BUUBDIͳͲʹΑΓɺίϯςφ಺ͷશͯͷϓϩηε͕ɺ ಉ͡ϓϩηεπϦʔʹॴଐ͍ͯ͠ͳ͍৔߹΋͋Γ͏Δ

QJETTVCTZTUFN w-JOVYҎ߱Ͱಋೖ͞ΕͨαϒγεςϜ wҎԼͷ஋Λར༻Ͱ͖Δ wQJETDVSSFOUάϧʔϓ಺ͷݱࡏͷϓϩηε਺ wQJETNBYͦͷάϧʔϓͰڐՄ͢Δ࠷େϓϩηε਺ SPPUάϧʔϓͰ͸ར༻Ͱ͖ͳ͍ͷͰ஫ҙ ࢀߟʮ-9$ͰֶͿίϯςφೖ໳ʯ IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST

͖ͬ͞ͷ1FSMίϯςφʹύον --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900 +++ bomber.pl 2017-06-20 12:55:41.572399620
+0900 @@ -2,11 +2,19 @@ use strict; use POSIX; use Linux::Clone; +system "mkdir -p /sys/fs/cgroup/pids/yapc-fukuoka"; my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/haconiwa/rootfs/php"; chdir "/"; - exec "/bin/sh"; 127 }, 0, $flg; + exec "/bin/bash"; 127 }, 0, $flg; +open TASKS, ">> /sys/fs/cgroup/pids/yapc-fukuoka/tasks"; +print TASKS "$pid"; +close TASKS; +open MAX, ">> /sys/fs/cgroup/pids/yapc-fukuoka/pids.max"; +print MAX "32"; +close MAX; + print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); QJETDHSPVQΛ௥Ճ ίϯςφͷQJEΛॴଐͤ͞ɺ NBYΛ੍ݶ

GPSLCPNCΛ๷͛Δ͜ͱ͕Θ͔Δ wQJETNBY੍ݶͳͩ͠ͱ฼؋͝ͱ௜໧͠·͢

,FSOFM $BQBCJMJUZ

-JOVY,FSOFM$BQBCJMJUZ w-JOVYͰ͸ɺSPPU͕͍࣋ͬͯΔ༷ʑͳݖݶΛɺࡉ͔͘෼ׂͯ͠ɺ  Ұ෦͚ͩ෇༩ɺ·ͨ͸Ұ෦੍͚ͩݶ͢Δ͜ͱ͕Ͱ͖Δ w͜ΕΒͷݖݶͷू߹ΛέʔύϏϦςΟηοτɺҰͭҰͭΛέʔύϏϦ ςΟͱݺͿɻ wྫ͑͹ɺ࣌ؒΛઃఆ͢Δݖݶ CAP_SYS_TIME ɺLJMMΛͲΜͳϓϩηε ʹ΋ૹΔݖݶ CAP_KILL
ɺ࠶ىಈ͢Δݖݶ CAP_SYS_BOOT

6CVOUV9FOJBM -JOVY Ͱ͸ wdͷͷ  έʔύϏϦςΟ

έʔύϏϦςΟͷܧঝϧʔϧ wϓϩηεϑΝΠϧͷͭͷηοτ 1FSNJUUFE*OIFSJUBCMF&⒎FDUJWF ɺ ό΢ϯσΟϯάηοτɺΞϯϏΤϯτηοτ -JOVYҎ߱ Ͱܾ·Δ wৄࡉ͸NBODBQBCJMJUJFT wྫTFUVTFSJESPPUͰɺଞ͕  σϑΥϧτͷ৔߹ɺ 
ό΢ϯσΟϯάηοτͰམͱͯ͠  FYFDWF ͢Δͱ৽͍͠ϓϩάϥϜ  Ͱ͸ͦͷݖݶ͕མ͍ͪͯΔ

ྫҰൠϢʔβͰ൪ΛϦεϯ͍ͨ͠ wҰൠతʹɺ൪ҎԼͷϙʔτ͸ҰൠϢʔβ͸࢖͑ͳ͍ w͜͏͍͏(Pͷ)5514FSWFSΛ࡞ͬͨΒɺҰൠϢʔβ͸ىಈͰ͖ͳ͍

TFUDBQ ͰpMFDBQBCJMJUJFTΛ෇༩͢Δ w൪ҎԼΛϦεϯ͢Δݖݶʹ CAP_NET_BIND_SERVICE ubuntu@compute-1:~$ sudo setcap cap_net_bind_service+ep ./listen80
ubuntu@compute-1:~$ ./listen80 & [1] 5915 ubuntu@compute-1:~$ curl localhost Hello, World ubuntu@compute-1:~$ sudo getcap ./listen80 ./listen80 = cap_net_bind_service+ep VCVOUVϢʔβͰ αʔόΛىಈͰ͖Δ

ྫ੍ݶ෇͖ͷίϯςφ಺SPPU wίϯςφ಺෦Ͱ΋ɺSPPUΛ౉͢ͱศརͳ͜ͱ͸ଟ͍ wͱ͸ݴ͑ͳΜͰ΋͸ͤͨ͘͞ͳ͍ɻͰ͖Δ͜ͱ͚ͩ wCAP_SYS_TIMEͱCAP_SYS_CHROOTݖݶΛୣͬͯΈΔ

࠷ॳͷ1FSMίϯςφʹύον --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900 +++ dropcap.pl 2017-06-20 14:38:31.335190235
+0900 @@ -2,10 +2,14 @@ use strict; use POSIX; use Linux::Clone; +use Linux::Prctl; + my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | ...; my $pid = Linux::Clone::clone sub { system "mount --make-rslave /"; chroot "/var/lib/haconiwa/rootfs/php"; chdir "/"; + $Linux::Prctl::capbset{"sys_time"} = 0; + $Linux::Prctl::capbset{"sys_chroot"} = 0; exec "/bin/sh"; 127 }, 0, $flg; print "PID=", $pid, "\n"; waitpid $pid, 0 if($pid); CPVOEJOHTFU͔Β࡟আ

EBUFͰ೔෇ͷηοτ͕Ͱ͖ͳ͘ͳΔ w0QFSBUJPOOPUQFSNJUUFEѻ͍ʹͳΔ root@compute-1:~# perl dropcap.pl PID=5962 # date Tue Jun
20 06:34:50 UTC 2017 # date -s 00:00:00 date: cannot set date: Operation not permitted Tue Jun 20 00:00:00 UTC 2017 # date Tue Jun 20 06:34:59 UTC 2017

DISPPUͰίϯςφΛൈ͚ΒΕͳ͘ͳΔʂ

%PDLFS.PCZͰ͸ wEPDLFSNPCZSVOͷΦϓγϣϯɺDBQBEE DBQESPQ  ΦϓγϣϯͰίϯτϩʔϧՄೳ wσϑΥϧτͷ$BQBCJMJUZ͸ιʔεʹϋʔυίʔυ͞Ε͍ͯΔ wIUUQTHJUIVCDPNNPCZNPCZCMPCNBTUFSPDJ EFGBVMUTHP--

ͱ͜ΖͰօ͞Μ

QSJWJMFHFEΛ҆қʹ࢖͍ͬͯ·ͤΜ͔ʁ wจࣈͲ͓Γɺਫ਼ࠪͤͣʹɺ͢΂ͯͷ$BQBCJMJUZΛ෇༩͢ΔΦϓγϣϯ wͦͷଞͷɺTFDDPNQBQQBSNPSͳͲͷઃఆʹΑΓɺίϯςφ಺ͷ ݖݶ͸ߜΓࠐ·ΕΔɻͱ͸͍͑ wྫ͑͹ɺΧʔωϧʹΑͬͯTFDDPNQ౳͕༗ޮͰͳ͍͜ͱ΋͋Δ w TFDDPNQ BQQBSNPS౳Λແޮʹ͢ΔΦϓγϣϯ΋͋Δ w ҆શੑ͕ઈର֬อͰ͖ΔΑ͏ͳ৔໘
$*Ͱར༻ΠϝʔδΛݶఆ͢Δ౳ Ͱ͸·ͨผ͕ͩ w࠷খݖݶͷݪଇʹै͍ɺਫ਼ࠪͯ͠DBQBEEͰ໌ࣔత௥Ճ͢Δ΂͖

͓ർΕͰ͠ΐ͏ͷͰ ෱Ԭͷඒຯ͍͠΋ͷͷը૾Λ ோΊ·͠ΐ͏

SFTUPSF

TFDDPNQ

TFDDPNQ TFDDPNQCQG w-JOVYͰɺαϯυϘοΫεΛ࣮ݱ͢ΔͨΊʹɺ  ϓϩηεͷγεςϜίʔϧݺͼग़͠ΛϑΟϧλϦϯά͠ɺ  ੍ݶɾτϥοϓɾτϥοΩϯάͳͲΛ࣮ݱ͢Δػೳ wࠓճ͸ɺ-JOVYҎ߱ͷTFDDNPQNPEFͷ࿩ w#FSLFMFZ1BDLFU'JMUFS #1' Λ༻͍ͯߴ଎ʹݺͼग़͠ΛϑΟϧλϦ ϯά͢Δ

Կ͕Ͱ͖Δ͔ wಛఆͷγεςϜίʔϧͷڐՄ wಛఆͷγεςϜίʔϧͷېࢭ 4*(4:4ͷૹ෇ wಛఆͷγεςϜίʔϧͷݺͼग़͠Λ೚ҙͷFSSOPͰฦ͢ wಛఆͷγεςϜίʔϧΛɺQUSBDF ͰτϥοΫՄೳʹ͢Δ w࠷ॳʹσϑΥϧτͷڍಈΛࢦఆ͠ɺݸผͷγεςϜίʔϧͷ৔߹Λఆ
ٛ͢Δ

͔͜͜ΒNSVCZ͕ग़ͯ͘Δ w1FSMྗ͕௿͘ɺ͍͢·ͤΜ ҰԠϞδϡʔϧ͸͋ΔΑ͏Ͱ͕͢ɻ wIBDPOJXBNSVCZTFDDPNQ

NSVCZTDSJQU #!/usr/bin/env hacorb context = Seccomp.new(default: :allow) do |rule| rule.kill
:mkdir rule.kill :fchownat end pid = Process.fork do context.load puts "==== It will be jailed. Please try to mkdir/chown" exec "/bin/sh" end p(Process.waitpid2 pid)

࣮ߦ͢ΔͱɺαϯυϘοΫε্ཱ͕͕ͪΔ w·͝͏ࣄͳ͖SPPUͰ͋Δ͕ɺϑΝΠϧͷॴ༗ऀΛม͑ͨΓɺ  σΟϨΫτϦΛ࡞Εͳ͍ɻ͜Ε΋Ұछͷʮίϯςφʯ wʢIBDPOJXBQBDLBHFʹಉࠝ͞ΕΔIBDPSCόΠφϦΛ࢖͏ʣ 4:(4:4ͷΤϥʔϝοηʔδ

ৄࡉ͸ϒϩάʹॻ͖·ͨ͠ʜ wNSCHFNͷ֓ཁʮTFDDPNQΛNSVCZͰࢼ͢ʯ wIUUQVE[VSBIBUFOBCMPHKQFOUSZ wTFDDPNQʹΑΔγεςϜίʔϧτϥοΩϯά  ʮNSVCZͱTFDDPNQͱQUSBDFͰγεςϜίʔϧΛͱʹ͔͘௥͍͔͚Δʯ wIUUQVE[VSBIBUFOBCMPHKQFOUSZ ಛఆͷγεςϜίʔϧݺͼग़͠ΛϩΪϯά͢Δ γΣϧͷྫ͸ͪ͜Βͷهࣄ͔Β

%PDLFSͷதͰ͸ʁ wݺͼग़ͤΔγεςϜίʔϧͷʮϗϫΠτϦετʯ͕ଘࡏ͢Δ wυΩϡϝϯτʹ΋͋Δ௨Γɻ wΦϓγϣϯͰ೚ҙͷϑΟϧλʔΛద༻Ͱ͖Δͦ͏ 4FDDPNQTFDVSJUZQSPpMFTGPS%PDLFS IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDDPNQ

."$ "QQ"SNPS

ίϯςφػೳઆ໌ͱͯ͠͸ɺ ͜ΕͰ࠷ޙͳΜͰ ؤு͓ͬͯฉ͖͍ͩ͘͞

༤େͳେ෼ͷࣗવΛݟͯٳܜ CZ!NBUTVNPUPSZ͞Μ

."$ͱ͸ w͜͜Ͱ͸.BOEBUPSZ"DDFTT$POUSPMڧ੍ΞΫηε੍ޚͷ͜ͱ wҰൠతͳɺϑΝΠϧΦ΢φʔ͝ͱʹΞΫηε͢ΔݖݶΛߜΔํࣜ͸ɺ ೚ҙΞΫηε੍ޚ %JTDSFUJPOBSZ"DDFTT$POUSPM ͱݺ͹ΕΔɻ wࣄނͳͲʹΑΓݖݶΛඞཁҎ্ʹΏΔ͘Ͱ͖ͯ͠·͏  ʢσΟϨΫτϦΛύʔϛογϣϯͰެ։Ͱ͖Δ౳ʣ͜ͱ͕͋Δ

."$ͱ͸ w%"$ͷݖݶݕࠪΛͨ͠ޙͰɺ؅ཧऀͷઃఆͨ͠."$ͷϙϦγʔ͕ద ༻͞ΕɺϦιʔε΁ͷΞΫηε͕ڧ੍ίϯτϩʔϧ͞ΕΔ wʮࣗ෼ͷݖݶͰ͋ͬͯ΋ɺࣗ෼ͰίϯτϩʔϧͰ͖ͳ͍ʯ͜ͱ΋ wྫ͑͹ࣗ෼Ͱ࡞ͬͨϑΝΠϧʹɺࣗ෼ͰΞΫηεͰ͖ͳ͘ͳΔɺͱ͍ ͏ઃఆ΋ՄೳͰ͋Δ w·ͨɺ%"$ΑΓࡉ͔͍ΞΫηε੍ޚ΋Մೳʹ

"QQ"SNPSͱ͸ w."$Λ࣮ݱ͢Δϛυϧ΢ΣΞͷҰͭ wϓϩάϥϜͷύε୯Ґϓϩηε୯ҐͰϓϩϑΝΠϧͷద༻͕Ͱ͖Δ ͷ͕ಛ௃ w6CVOUVͷ$BOPOJDBMࣾʹΑΓ։ൃ͕͞Ε͍ͯΔ wFOGPSDFNPEFͱDPNQMBJONPEFʢه࿥ͷΈʣ͕͋Δ

%PDLFSͰͷར༻ wίϯςφ͸σϑΥϧτɺEPDLFSEFGBVMUͱ͍͏ϓϩϑΝΠϧ͕౰ͨΔ ίϯςφΛͭ࡞ͬͨͷͰɺ ͭͷϓϩηεʹద༻͞Ε͍ͯΔ -9$΋࢖ͬͯ·͢Ͷ

ϓϩϑΝΠϧͷྫ IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZBQQBSNPSOHJOYFYBNQMFQSPpMF wಠࣗͷݴޠΛ༻͍ͯهड़͢Δ

ΧελϜϓϩϑΝΠϧΛ౰ͯΔʹ͸ wdeny /usr/bin/top mrwklxͱ͍͏ϧʔϧΛՃ͑ͨϓϩϑΝΠϧ Λ࡞੒ɺొ࿥͢Δ wEPDLFSSVOίϚϯυͰ--security-opt apparmor=exampleͷ Α͏ʹࢦఆͯ͠ىಈ wͦͷίϯςφͰ͸ɺUPQίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ wBVEJUͷΈɺͳͲ΋Մೳ
ৄࡉ͸ϒϩάͰ ʮ"QQ"SNPSͱ%PDLFSͱͦͷଞίϯςφతϓϩηεʹ͍ͭͯʯ IUUQVE[VSBIBUFOBCMPHKQFOUSZ

ΑΓৄࡉͳத਎ wMJCBQQBSNPSͱ͍͏ϥΠϒϥϦͰϓϩάϥϜ͔ΒΞΫηεͰ͖Δ wݱࡏͷϓϩηεͷϓϩϑΝΠϧΛมߋ͢ΔBB@DIBOHF@QSPpMF ͱ  FYFDWF ͷλΠϛϯάͰมߋ͢ΔBB@DIBOHF@POFYFD ͕͋Δ wʢ6CVOUVͷNBOͰηΫγϣϯ͕ͳͷͰʣ
wNSVCZͷCJOEJOH࡞੒ࡁʢ͔͠͠·ͩ)BDPOJXBʹ૊ΈࠐΜͰͳ͍ʣ IUUQNBOQBHFTVCVOUVDPNNBOQBHFTYFOJBMNBOBB@DIBOHF@QSPpMFIUNM

͓ർΕ༷  Ͱͨ͠

·ͱΊ

ίϯςφ͸ ಛผͳϓϩηεʹա͗ͳ͍ɻ ˠͦͷϓϩηεΛ҆શʹɺಠཱͨ͠ܗͰɺ ޮ཰తʹར༻͢΂༷͘ʑͳγεςϜίʔϧ΍ػೳ͕͋Δ

%PDLFS͸σϑΥϧτͰ ͍Ζ͍Ζ͍͍ײ͡ʹ͍ͯ͠Δ ˠ͔͠͠ɺཧղ͕ෆे෼ͩͱൈ͚ಓΛ࡞ͬͯ͠·͏͜ͱ΋ɻ ɹQSJWJMFHFEΦϓγϣϯɺؒҧͬͨઃఆɺ ɹΧʔωϧόʔδϣϯͰ࢖͑ͳ͍ػೳͳͲ

ࢀߟεΠενʔζϞσϧ ˠҰͭҰͭʹ͕ۭ͍͍݀ͯͨͱͯ͠΋ɺ ɹͨ͘͞ΜॏͶΔ͜ͱͰɺશͯͷ݀Λൈ͚Δ͜ͱ͸ ɹඇৗʹ೉͘͠ͳΔ *NBHF$$IUUQTQJYBCBZDPNQ

͔ͬ͠Γͱத਎ʹڵຯΛ࣋ͪ ཧղͯ͠࢖͏͜ͱͰ ϋϚΓͲ͜ΖΛճආͰ͖Δ ˠIBDPSC͕ศར͔΋͠Εͳ͍ɻ ɹ1FSMͰ΋ɺίϯςφػೳͰ༡΂ΔΑʂ

ָ҆͘͠શʹ ίϯςφΛ࢖͓͏ʂ

ࢀߟࢿྉͷօ͞Μ wVE[VSBͷϒϩάʢTFDDPNQBQQBSNPSIBDPOJXBଞʣ wMYDKQ!5FO'PSXBSE͞Μͷࢿྉ w IUUQTTQFBLFSEFDLDPNUFOGPSXBSE wաڈͷ:"1$ :"1B$ ൃදͳͲ w 1FSMͰθϩ͔Β࡞Δίϯςφ
w ֶͭͬͯ͘Ϳ-JOVYίϯςφͷཪଆ w%PDLFSTFDVSJUZ w IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDVSJUZ

4QFDJBM5IBOLT w!5FO'PSXBSE͞ΜʹຊεϥΠυͷϨϏϡʔΛ͓ئ͍͠·ͨ͠ɻ  ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ·ͨຊொͰҿΈ·͠ΐ͏ɻ

コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

More Decks by KONDO Uchio

Other Decks in Technology

Featured

Transcript