The presentation introduces Linux mode 2 seccomp.
Linux Seccomp Tutorial. Security Camp 2013, System Software Seminar, supplementary material (H25.08.11, i.e. 11 August 2013; slide footer: Monday, 12 August 2013).
What is seccomp?
• Formally "secure computing mode": a kernel mechanism that helps sandbox a process
• The process voluntarily gives up its right to issue system calls
• When do you use it?
• You turn it on at the point where the process is about to handle untrusted data
• From then on the system calls the process may issue are severely restricted, so even if the process is hijacked the attacker can do almost nothing
Mode 1 seccomp
• A system call filter merged in Linux kernel 2.6.12
• Once the process calls prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) (prctl_set_seccomp() inside the kernel), it can only issue the following system calls:
• read(), write(), _exit(), sigreturn()
• Anything else, including exit_group() (which glibc's _exit() tries first), gets the process SIGKILLed
• fork() and execve() are unavailable → when attacked, the process can do almost nothing!
[Figure: a process enters secure computing mode; fork() is blocked, read() goes through]
Mode 2 seccomp
• Merged in Linux kernel 3.5 as the successor to Mode 1 seccomp
• Unlike Mode 1, you can allow any system calls you choose
• Built on the Berkeley Packet Filter, so system calls can be filtered fast
• For that reason it is usually called seccomp-bpf
• Incidentally, Fedora calls it "syscall filter"
• The naming is all over the place: "seccomp 2", "seccomp mode 2", and so on ( ꒪⌓꒪)
Built on the Berkeley Packet Filter (BPF)...
• The history of BPF is skipped here
• Characteristics
• To filter packets efficiently, an interpreter specialised for filter rules runs inside the kernel (practically a VM)
• Frighteningly, it even has a JIT compiler (in the kernel!)
• It is therefore fairly complex
Mode 2 seccomp uses this BPF to filter system calls: the program runs over a struct seccomp_data (system call number, architecture, arguments) and returns an action such as SECCOMP_RET_ALLOW or SECCOMP_RET_KILL, so you cannot use it without some knowledge of BPF
Where Mode 2 seccomp is used
• Google Chromium
• Usable from Ubuntu 12.04 (its kernel is 3.2, but the feature is backported)
• vsftpd reportedly uses Mode 2 seccomp from 3.0.0
※ Both of these were already split into separate processes by role and user, which is what makes sandboxing the processes possible
Process separation + mode 2 seccomp = the strongest combination!
Using simple seccomp filters
• However, at present it is quite hard to use well
• Because you are driving BPF by brute force
• The dependencies are complex, and BPF was never designed for this use
• See the URL below (it is not simple at all..)
http://outflux.net/teach-seccomp/
libseccomp Tutorial9138݄12݄༵
Preparing for sandboxing
• The part that "executes" or "interprets" untrusted data or scripts is the most vulnerable
• Merely reading data as a byte string is not that dangerous
• Design the program so that this part can be sandboxed cleanly
Main mission: Securing mruby
• Let's build a framework that runs mruby securely
• Using that framework, design and implement an original application that benefits from being "compartmentalised"
[Figure: master process ⇄ mruby process over IPC; the mruby process is sandboxed by Mode 2 seccomp; mruby code goes in as a string, the result comes back as a char[]]
Process separation
• Use a pipe to exchange data
• fork() the part that runs mruby
• For now this means it's fine even if mruby misbehaves ✌('ω'✌ )三✌('ω')✌三( ✌'ω')✌
• If the child process runs wild or crashes, the parent survives
Sandboxing
• After fork(), the child sandboxes itself
• Initialise with seccomp_init(SCMP_ACT_KILL): the default action kills the process on any system call that is not explicitly allowed
• Specify the system calls to allow, one rule at a time, with seccomp_rule_add()
• seccomp_load() compiles the rules to BPF and installs the filter in the kernel (setting PR_SET_NO_NEW_PRIVS first, by default); from this point on the restrictions are in force → sandboxed!
• seccomp_release() afterwards only frees the libseccomp filter context; it does not change what the process may do
Samples
• seccamp2013_sandbox/samples/libseccomp_base.c
• Example in which no system call can be issued at all
• seccamp2013_sandbox/samples/libseccomp_sample.c
• Example that allows a handful of system calls
• read and write can be allowed for specific file descriptors only, by matching the fd argument
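The procedure of the last three slides (fork plus pipes, the child sandboxes itself, read/write allowed only on particular fds), as an added example that is not part of the slides or of the seccamp2013_sandbox samples. It uses the raw seccomp-bpf interface that libseccomp wraps, so it also shows what slides 7 and 10 mean by driving BPF by hand, and it builds with nothing but the Linux kernel headers (no -lseccomp). Assumptions: Linux on x86_64 or aarch64 (little-endian; other architectures need their own AUDIT_ARCH_* value), permission to call prctl(PR_SET_SECCOMP) in the environment, and a hypothetical "uppercase" worker standing in for the mruby interpreter; the two pipes, the fd numbers and the worker names are this example's own. The filter that install_sandbox() loads is what seccomp_init(SCMP_ACT_KILL), seccomp_rule_add() for exit, exit_group, rt_sigreturn and for read/write with SCMP_A0(SCMP_CMP_EQ, fd), followed by seccomp_load(), would produce.

```c
/* Added example, not the slides' code: slide 15 done with the raw seccomp-bpf interface
 * instead of libseccomp (only kernel headers needed); an uppercase worker stands in for mruby. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define SC_DATA(f) offsetof(struct seccomp_data, f)

/* What seccomp_init(SCMP_ACT_KILL), seccomp_rule_add() for exit, exit_group, rt_sigreturn
 * and read/write with SCMP_A0(SCMP_CMP_EQ, fd), then seccomp_load() would install. 0 = ok. */
static int install_sandbox(int in_fd, int out_fd)
{
    struct sock_filter filter[] = {
        /* 0-2: kill other ABIs (i386 int 0x80 on x86_64): their nr values mean other calls */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* 3-4: x32 shares the x86_64 arch value but sets bit 30 of nr: kill too */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 10, 0),
        /* 5-9: exit, exit_group, rt_sigreturn -> ALLOW (14); read -> 10; write -> 12; rest -> 15 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 8, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 7, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 6, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 5),
        /* 10-13: args[0] is the fd; compare its low 32 bits (little-endian layout) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)in_fd, 2, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)out_fd, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* 14 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* 15: the process dies with SIGSYS */
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(filter) / sizeof(filter[0])), filter };
    /* no_new_privs lets an unprivileged process install a filter (libseccomp sets it too) */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Master side of slide 13: two pipes, fork, child sandboxes itself, runs the job. Returns 1 if
 * the filter killed the child (SIGSYS), 0 if it exited cleanly with its reply in out, -1 otherwise. */
static int run_sandboxed(void (*fn)(int, int), const char *job, char *out, size_t outlen)
{
    int to_child[2], from_child[2], status;
    size_t got = 0;
    if (pipe(to_child) != 0 || pipe(from_child) != 0) return -1;
    /* Queue the job before forking: no SIGPIPE race if the child dies early. */
    if (write(to_child[1], job, strlen(job)) != (ssize_t)strlen(job)) return -1;
    close(to_child[1]);
    pid_t pid = fork();
    if (pid == 0) {
        close(from_child[0]);
        if (install_sandbox(to_child[0], from_child[1]) != 0)
            _exit(2);   /* never run untrusted input unsandboxed */
        fn(to_child[0], from_child[1]);
        _exit(0);       /* exit_group(), which the filter allows */
    }
    close(to_child[0]); close(from_child[1]);
    for (ssize_t n = 0; got + 1 < outlen; got += (size_t)n)
        if ((n = read(from_child[0], out + got, outlen - 1 - got)) <= 0) break;
    out[got] = '\0';
    close(from_child[0]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Stand-in for the mruby process: read the "code", uppercase it, send the result back. */
static void upper_worker(int in_fd, int out_fd)
{
    char buf[64];
    ssize_t n = read(in_fd, buf, sizeof(buf));
    for (ssize_t i = 0; i < n; i++)
        if (buf[i] >= 'a' && buf[i] <= 'z') buf[i] = (char)(buf[i] - 'a' + 'A');
    if (n > 0 && write(out_fd, buf, (size_t)n) < 0) _exit(3);
}

/* Compromised worker: right syscall, wrong fd (stdout, not the result pipe) -> SIGSYS. */
static void wrong_fd_worker(int in_fd, int out_fd)
{
    (void)in_fd; (void)out_fd;
    if (write(STDOUT_FILENO, "leak\n", 5) < 0) _exit(3);
}
```

Calling run_sandboxed(upper_worker, "puts 'hello'", out, sizeof out) returns 0 with out holding "PUTS 'HELLO'"; run_sandboxed(wrong_fd_worker, "x", out, sizeof out) returns 1, because the write to stdout, an fd the filter does not list, is answered with SIGSYS and nothing reaches stdout. Any system call outside the list, getpid() say, dies the same way. Two details libseccomp hides are visible here: the architecture check at the top (the x32 check only matters on x86_64), and the fact that a classic-BPF load sees 32 bits at a time, which is fine for comparing an fd but means a pointer or length argument needs both halves checked.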
The end
• Welcome to the sandbox swamp!