Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CRIUとSeccomp / criu-and-seccomp-and-me
Search
KONDO Uchio
April 17, 2021
Technology
1
690
CRIUとSeccomp / criu-and-seccomp-and-me
第14回 コンテナ技術の情報交換会@オンライン
https://ct-study.connpass.com/event/205571
KONDO Uchio
April 17, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.1k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
130
Narrative of Ruby & Rust
udzura
0
140
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.4k
Talk of RBS
udzura
0
320
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
650
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
590
Device access filtering in cgroup v2
udzura
1
680
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
580
Other Decks in Technology
See All in Technology
AI JIMY - 登壇(インストール編)
hanacchi
0
150
[PyconUS 2024] Having fun with Pydantic and pattern matching
enforcerpl
0
150
エムスリーマルチデバイスチーム紹介資料 / Introduction of M3 Multi Device Team
m3_engineering
1
150
サービス開発におけるVue3とTypeScriptの親和性について
tsukuha
10
1.8k
AWS CLIの起動が重くてつらいので aws-sdk-client-go を書いた / kamakura.go#6
fujiwara3
6
2.9k
複雑なビジネスルールに挑む:正確性と効率性を両立するfp-tsのチーム活用術 / Strike a balance between correctness and efficiency with fp-ts
kakehashi
5
3.5k
SLOいつ決めましょう?
abnoumaru
3
300
OPENLOGI Company Profile for engineer
hr01
1
2.2k
開発スピードの維持向上を支える、テスト設計の 漸進的進化への取り組み / Continuous Test Design Development for Speed of Product Development
ropqa
0
180
大規模言語モデル (LLM)における低精度数値表現
pfn
PRO
3
810
日本が誇るイタリアのダンスミュージック!? ユーロビートって何??
minorun365
PRO
2
200
cgroup v2 で何が変わったのか / TechFeed Experts Night #28
tenforward
2
160
Featured
See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.8k
Robots, Beer and Maslow
schacon
PRO
155
8k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
The Illustrated Children's Guide to Kubernetes
chrisshort
32
47k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Embracing the Ebb and Flow
colly
80
4.2k
BBQ
matthewcrist
80
8.8k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Building a Scalable Design System with Sketch
lauravandoore
457
32k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
The Invisible Customer
myddelton
114
12k
Agile that works and the tools we love
rasmusluckow
325
20k
Transcript
ۙ౻Ӊஐ࿕ / GMO Pepabo, Inc. ୈ14ճ ίϯςφٕज़ͷใަձ@ΦϯϥΠϯ 2021/04/17 CRIUͱseccompͱ ֨ಆͨ͠
ʙશͯരىಈͷͨΊͩͬͨʙ *NBHFIUUQTQJYBCBZDPNJNBHFTJECZ"OUSBOJBT
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
@ GMOϖύϘ ΤϯδχΞΧϑΣʢԬࢢẂנจԽձؗʣ αϙʔλʔ #Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ #FitBoxing2 --- ͖ͳγεςϜίʔϧʁ ͬͺΓ unshare(2) Ͱ͢Ͷɻ
αϙʔλʔͯ͠·͢ !ΤϯδχΞΧϑΣ ԬࢢẂנจԽؗ
ToC •࡞CRIUϥούʔ “Miehistö” ʹ͍ͭͯ •ҙͷΞϓϦέʔγϣϯΛҙͷՕॴͰμϯϓ͢Δٕज़ͷ࣮ݱ •seccomp + SCMP_ACT_TRACE ʹΑΔख๏ •seccomp
+ SCMP_ACT_NOTIFY ʹΑΔख๏ wͦͯ͠આ
ɹɹ(Caveats) •Seccomp ͕ςʔϚͳͷʹ͙Β͍CRIUͷ͍ํͷΛ͠·͢ •·ͱΊͯൃද͢Δػձ͕ͣͬͱͳ͔ͬͨͷͰ... •ॻ͍ͯ͋Δ͜ͱࣗମɺ ͍͍ͩͨ͜ͷϒϩάͷ༰Ͱ͢ • CRIUʹؔ͢Δ࣮༰ͷίΞ2019ʹ ॻ͍͓ͯΓɺ͔ͨ͠͠Β࠷৽ͷ࠷৽ มԽ͋Δ͔ɻ
CRIU
CRIUͬͯ •Linuxʹ͓͍ͯɺϓϩηεͷνΣοΫϙΠϯτɾϦετΞΛ࡞͢Δͨ ΊͷϢʔβϥϯυͰͷπʔϧ (Checkpoint-Restore In Userspace) •ίϯςφϓϩηεͳͷͰɺίϯςφͷνΣοΫϙΠϯτɾϦετΞ Λ࣮ݱ͢ΔͨΊओʹ͏Α͏ʹͳͬͨ https://criu.org/Main_Page
۩ମతʹ •͜͏͍͏༻్Λఆͯ͠ΔΒ͍͠ɻ (https://criu.org/Usage_scenarios) •ίϯςφͷϥΠϒϚΠάϨʔγϣϯ •ىಈ͕͍ΞϓϦέʔγϣϯͷߴԽ •σεΫτοϓڥͷαεϖϯυɾϨδϡʔϜ •ແఀࢭʢʹݟ͔͚ͤΔʣΧʔωϧΞοϓάϨʔυ •ͳͲͳͲ...
࠷ۙͷCRIU •3.13(Sep 11, 2019) ... libcriu.a ͕ϏϧυͰ͖ΔΑ͏ʹͳͬͨ by @udzura •3.14(π,
Apr 29, 2020) ... clone3(2)ͱTime NS support, ଞ •3.15(Nov 04, 2020) ... MIPS support, cgroup v2 support, PID NS෦ ͷϦετΞ, ... ଞ •Still developing... ຊൃදͷ$3*6ͷόʔδϣϯͰ͢
CRIU͍͍Ͷʂ •ૣͬͯΈΑ͏ʂ... ❓ ❓❓ $3*6ͰҰԠ ͜ΕͰ0,ɻ͔͠͠ ଓ
CRIUͬͯͲ͏͏ͷ...ʁ •CRIUɺͦͦʮͪΌΜͱಈ͔͢ʯͷ͕͍͠ •ϝϞϦͷଞʹɺFile Descriptor/tty/socket ͦͷଞͷѻ͍... •ϦετΞޙʹPID͕ॏෳͯ͠Δͱ࠶ੜͰ͖ͳ͍ •͜ͷʮΠϝʔδʯతͳͭͬͯͲ͏ཧ͢Ε͍͍Μͩʁ
طʹΈࠐ·ΕͨCRIUΛ͏ʁ •ίϯςφϥϯλΠϜʹΈࠐ·Εͨcheckpoint/retoreΛ͏ख͋Δ ͕ɺϥϯλΠϜʹΑΓૢ࡞͕ҧ͏֮͑͠ΒΕͳ͍... •ͦͦطଘͷ σʔϞϯ͕ ίϯςφ͡Όͳ͍ɺͱ͔ IUUQTTQFBLFSEFDLDPNVE[VSBNJFIJTUPBSFDPNNFOEFETUBDLUPJOUFHSBUFDSJVJOUPFYJTUJOHTZTUFNT TMJEF
ͳͷͰॻ͍ͨ
Miehistö (Έ͑ͻͯ͢) • (ex. Grenadine) • Miehistö = “CREW” in
Finnish NJF 㷺IJTU
Miehistö ͱ •CRIUΛͳΔ͘ී௨ͷϓϩηεʹରͯ͠ద༻͘͢͢͠ΔɺҰ࿈ͷ πʔϧϥούʔ •miehistod: αʔϏεΠϝʔδΛ ཧ͢ΔதԝσʔϞϯ •mhctl: ΫϥΠΞϯτ •runmh:
CRIU͍͢͠ϓϩηεΛ ࡞ΔҰछͷϥϯλΠϜ Έ͑ͻͯ͢Ͱ͌ʔ Ήʔ͜ΜͱΖʔΔ ΒΜΉʔ
runmh ͕͍ͯ͠Δ͜ͱ •ͳΔ͘ʮී௨ʹVMʹ্ཱͪ͛ͨϓϩηεʯͱಉ͡ڥͰ্ཱͪ ͕͍ͬͯΔঢ়ଶͷϓϩηεΛ࡞Δ •ͦͷ্ͰɺCRIUͰͷμϯϓ/ϦετΞͷোนʹͳΔΑ͏ͳ݅Λ֎ ͠ɺCRIU-readyͳঢ়ଶʹ͢ΔҰ࿈ͷૢ࡞Λߦ͏
۩ମతʹ... •·ͣɺPID Namespace Λ͠ɺPIDΛ1͔Β࢝ΊΔඞཁ͕͋Δ •→ clone(2) ʹΑΓִ͠ɺ /proc ϑΝΠϧγεςϜΛࣗͰϚϯτ •→
ͦͷͨΊɺMount namespaceִ
Mount namespace/root ͷ •/proc ΛϚϯτ͢͠ͷͰMount NSunshared •ಠཱͨ͠ɺ͔ͭϗετͱେମಉ͡root filesystem͕ඞཁ •࡞Γํ: •ԾͷσΟϨΫτϦʹ
/ Λbind mountɺ/devͳͲݸผʹbind mount •ͦ͜ʹpivot_root͢Δ(chroot μϝɺͦͷMount NSͰೝࣝ͞ΕΔ rootΛૠ͛ସ͑Δඞཁ͕͋ΔͨΊ)
ͦͷଞ •ttyɺrootͷ֎ʹ͋ΔϑΝΠϧΛࢀর͍ͯ͠Δͱμϝ: •stderr/outrootͷϑΝΠϧΛ։͖͢ •ʢϩάϑΝΠϧ O_WRONLY|O_APPEND Ͱ։͍͍ͯͳ͍ͱμϝʣ •setsid() ΛݺΜͩηογϣϯϦʔμʔ͕process treeͷrootͰ͋Δඞཁ ͕͋ΔͷͰݺͿ
࣮ͷΠϝʔδ /&8/4 /&81*%ͷϑϥάΛ༩͑ͯDMPOF )PTUSPPU ΛผͷՕॴʹCJOENPVOU TFUTJE QJWPU@SPPU GEΛEFWOVMM
GE ΛݱࡏͷSPPU෦ͷϑΝΠϧʹ͠ 0@830/-:c0@"11&/%Ͱ։͘ ରϓϩάϥϜʹFYFD
͜ΕͰμϯϓ࣮֬ʹޭ™͢Δɻ •ߟྀͰ͖͍ͯͳ͍͜ͱ·͍ͩͬͯΔ͔ɻ
μϯϓ·Ͱ҆ఆ͚ͨ͠Ͳ... •ϦετΞɺͲ͏͠·͠ΐ͏ͱ͍͏ •ૉʹɺͰ͖ͨΠϝʔδΛ༻͍ͯCRIUίϚϯυΛୟ͚ݩͷϓϩη ε͕ϦετΞ͞ΕΔ͕... •miehistodαʔϏεͰϦετΞલ/ϦετΞޙͷϓϩηεΛ౷Ұతʹ ཧ͍ͨ͠ɻͳͷͰɺϦετΞޙͷϓϩηεΛmiehistodͷԼʹͿΒԼ ͍͛ͨɻͲ͏͢Ε͑͑ͶΜɻ
ϦετΞʹ͍ͭͯ •Miehistöͷཁ্݅ɺϦετΞ͞Εͨϓϩηεmiehistod(runmh)Ͱ ཧ͍ͨ͠ɻͳͷͰҙͷϓϩηεͷࢠϓϩηεͱͯ͠ϦετΞ͢Δඞ ཁ͕͋Δ... ͦΜͳͷͰ͖Δʁ •ӈͷΑ͏ͳ͜ͱΛ͢Δࡍɺ runmh -> criu ->
ruby criu͕ফ͑ͨΒ... μϝ ࢦ͍ͯ͠ΔϓϩηεπϦʔ
miehistö ͰͷϦετΞ࣮ •miehistod ͷԼͰ criu restore ΛݺͿ •ͦͷࡍʹɺ --exec-cmd ͱ͍͏ΦϓγϣϯΛར༻͠ɺ
ϦετΞޙʹcriuίϚϯυࣗΛrunmhϓϩάϥϜʹexec͢Δ • ΛrunmhɺࢠΛϦετΞޙͷίϚϯυͱ͍͏ϓϩηεπϦʔΛ࡞͍ͨͨ͠Ί •·ͨɺbind mountͷѻ͍ʹ͍ͭͯcriu restoreʹ͢ඞཁ͕͋Δ •--external Φϓγϣϯʹ͍ͭͯ
͜͏͍͏criuίϚϯυΛੜ࣮ͯ͠ߦ͢Δ •ͪͳΈʹCRIUʹΫϥΠΞϯταʔόಈ࡞(libcriuܦ༝)ͱɺίϚϯυ ىಈʹΑΔಈ࡞ͷϞʔυ͕ଘࡏ͢Δɻࠓճͷέʔεɺϓϩηε μϯϓΫϥαόͰOKɺϓϩηε࠶ੜίϚϯυͰͳ͍ͱෆՄɻ
--exec-cmd •criuίϚϯυͰɺϓϩηεΛϦετΞ͠spwanͨ͠ޙʹɺݩͷcriuίϚ ϯυࣗମΛผͷϓϩάϥϜʹexecͯ͠͠·͏͜ͱ͕Ͱ͖Δɻ •ͦ͏͢ΔͱʮϦετΞޙͷϓϩηεΛwait͢ΔϓϩάϥϜʯΛࠩ ͠ସ͑ΒΕΔͷͰɺࠓճͷΑ͏ʹεʔύόΠβʔతͳϓϩάϥϜΛ࡞ ͢Δ্Ͱศརɻ •miehistod -> runmh ->
(ϦετΞޙϓϩηε) ͷπϦʔ͕
ͷ͛͢ସ͑ͷΠϝʔδਤ IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT TMJEFɹ
External bind mounts •root͔Βݟͯ֎෦σΟϨΫτϦΛBind mount͍ͯ͠Δใɺdump/ restore࣌ʹࣗಈݕ͞Εͳ͍ͷͰɺ໌ࣔతʹࢦఆ͢Δඞཁ͕͋Δɻ •dump࣌ʹˠ ֎෦Bind mountઌΛنͰܾΊ͍ͯΔͷͰɺͦΕΒͷ ใΛ
--external ૬ͷΦϓγϣϯͱͯ͠criuαʔϏεʹ͢ •restore࣌ʹˠ ҎԼͷΑ͏ͳܗࣜͰίϚϯυʹ͢ --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids IUUQTDSJVPSH&YUFSOBM@CJOE@NPVOUT
͜ΕͰϦετΞͰ͖ΔΑ͏ʹɻ
ࠓCRIUͰ͍ͯ͠ͳ͍͜ͱ •MiehistöͰະ༻ͷΦϓγϣϯ: --cgroup-root, --action-script ͳͲ •swrkϞʔυͷ ͍͔ͭ͢ػձ͕དྷΔΜͰ͠ΐ͏͔ Ϣʔεέʔε͕ͲΕχονͳΜͰ͚͢Ͳ Ұ෦ʮ$3*6ΛϗεςΟϯάͰࢼ͍ͯ͘͠IPTUJOHDBTVBMʯ Ͱ͍ͯ͠·͢IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT
ΞϓϦέʔγϣϯΛࢭΊΔ
Γ͍ͨʢ͔ͬͨʣ͜ͱ •ʮΞΫηε࣌ʹॳΊͯىಈ͢ΔʯΞʔΩςΫνϟͰɺॳճىಈͷΦʔ όϔουΛۃݶ·Ͱݮ͍ͨ͠ •FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/) •ۙͳͷͰHerokuͱ͔Cloud Runͱ͔
ϓϩηεͷࣄલμϯϓͱ͍͏ख๏ •ࣄલʹίϯςφͷϝϞϦμϯϓΛ࡞ͬͯɺ͔ͦ͜Βىಈ͢Εɺ ྫ͑εΫϦϓτݴޠʹΑΔϑϧελοΫϑϨʔϜϫʔΫͷΑ͏ʹɺ ىಈϓϩηεʹ͕͔͔࣌ؒΔΞϓϦέʔγϣϯͰ ىಈͷΦʔόϔουΛݮͰ͖ΔͷͰͳ͍͔ɺͱߟ͑ͨɻ •ʢϗεςΟϯάαʔϏε෦Ͱ͍͔ͨͬͨͷͰɺͳΔ͘ΞϓϦͷ ੑ࣭ʹΑΒͳ͍൚༻తͳํ๏ʹ͔ͨͬͨ͠എܠ͋Δʣ
cf. strace -c rails s •rails newͯ͠΄΅CRUDͻͱͭՃ͚ͨͩ͠ͷΞϓϦɺͷىಈ RAILS_ENV=production •΄΅openͱstat ϑΝΠϧૢ࡞
•͜ΕΒͷopenΛશ෦ εΩοϓͰ͖Εͦ͏
͍ͭࢭΊΔʁ •ͳΔ͘ʮঢ়ଶ͕ͳ͍ʯλΠϛϯάͰࢭΊ͍ͨ •ͨ͘͞ΜޙΖͷDBͱestablishͯ͠ɺଓΊͬͪΌड͚ࢭΊͯͯ... ͳঢ়ଶͰɺCRIUͰνΣοΫϙΠϯτͰ͖ΔͩΖ͏͕ɺෆཁͳτϥ ϒϧͱͦͷγϡʔτ͕ى͜Γͦ͏ɻ •͋ΔఔػցతʹࢭΊΔλΠϛϯάΛܾఆ͍ͨ͠ •ྫ͑ɺॳճͷ listen(2) ͳͲͷλΠϛϯάͰఀࢭ͢ΔͷͲ͏͔ɻ
seccomp (SCMP_ACT_TRACE)
listen(2) ʹϑοΫͯ͠ͳΜ͔͍ͨ͠ •͍ͭʹseccomp͕ग़ͯ͘Δ... •seccompɺ୯७ͳallowlist/denylistͷ΄͔ɺࢦఆͨ͠γεςϜίʔϧ ݺͼग़͠ͷࡍʹptrace(2)ܦ༝Ͱ௨ΛૹΔΦϓγϣϯ͕͋Δ (SCMP_ACT_TRACE) •ʢͪͳΈʹݺͼग़͢γεςϜίʔϧ൪߸ࣗମΛมߋͰ͖ΔΦϓγϣϯ Ͱɺ͔֬gVisorͳͲͰΘΕ͍ͯΔɺΜͰ͢ΑͶ??ʣ
SCMP_ACT_TRACE ͍ํ • fork͢Δ • [] ptrace(PTRACE_ATTACH); ptrace(PTRACE_O_TRACESECCOMP) ͢Δ •
[] ptrace(PTRACE_CONT) ͢Δ • [] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) ͢Δ (-1 ͳͷtraceͯ͠Δ͞ΒʹࢠϓϩηεɾεϨουΛ͏ͨΊ) • [ࢠ] SCMP_ACT_TRACE ͳseccomp ctxΛϩʔυ͢Δ • [] ࢠͰ֘γεςϜίʔϧ͕ݺΕΔͱɺ֘ϓϩηεͷใ͕waitpidͷΓɺ ptrace(PTRACE_GETEVENTMSG)ɺptrace(PTRACE_GETREGS)ͳͲͰऔಘͰ͖Δ
͍͜͠ͷͰmrubyͰϥοϓͨ͠ •https://github.com/haconiwa/mruby-seccomp/blob/master/examples/ tracing.rb
seccomp + ptrace •SCMP_ACT_TRACEγεςϜίʔϧΛݺͼग़͢લʹτϨʔεݩϓ ϩηεΛఀࢭ͠ɺτϨʔεઌͷϓϩηεʹ௨ΛૹΓɺͦͷ༰ʹԠ ͡ҙͷॲཧΛͤ͞Δ͜ͱ͕Ͱ͖Δɻ •͕ͨͬͯ͠ɺlisten(2)ͳͲͷγεςϜίʔϧͷݺͼग़͠લʹϑοΫɺ criuʹΑΔϓϩηεμϯϓΛ࣮ࢪ͢Εɺͦͷϓϩηεͷ listen(2)લͷঢ়ଶͷμϯϓΛػցతʹऔಘͰ͖Δ... ͣʁ
•ʢ͜ͷลΓͷΞΠσΞͷݩ @matsumotory ͞ΜͰ͢ʣ
ͬͯΈ·͠ΐ͏ •؆୯ͳϥούʔΛט·ͤɺmiehistöͰىಈɺseccompͰఀࢭ •μϯϓʹޭ͠ͳ͍
ptrace ͷΦϓγϣϯ͕όοςΟϯά͢Δʁ •seccompͰͷτϨʔεϓϩηεΛ ptrace(PTRACE_ATTACH) ͯ͠Ξ λονঢ়ଶʹ͠ɺఀࢭঢ়ଶΛݕ͢Δ •Ұํɺcriuͷ෦Ͱɺ ptrace(PTRACE_SEIZE) ͰΞλονঢ়ଶʹͯ͠ ptrace(PTRACE_INTERRUPT)
Ͱ໌ࣔతʹࢭΊ͍ͯΔɻ •ผʑͷΦϓγϣϯͰࢭΊ͍ͯΔͷʹͳ͍ͬͯΔՄೳੑ͕͋Δ •͜ͷลΓͷύονΛແཧʹcriuʹͯͯ... • ݁ہseccomp ctx͕ϓϩηε͔Βൈ͚ͳ͍ͨΊɺ2ճͷ listen() ͕ptrace tracee͕ଘࡏ͠ͳ͍ѻ͍ʹͳΓENOSYS ʹͳΔ?
ͪΐͬͱݟ௨͕͠ѱͦ͏ͩ... •ͱ͔ݴ͍ͬͯΔ͏ͪʹผ݅Ͱ͘͠ͳͬͨΓ͠ɺSwap outɻ •͜͜·Ͱɺ ࣮2018ʹݕূͨ͠ɻ IUUQTICNBUTVNPUPSKQFOUSZɹ
(ͬͱ) seccomp notification
Seccompʹ৽Φϓγϣϯ͕དྷͨ •SCMP_ACT_NOTIFY (seccomp notification) •Կऀͳͷ͔ɺ͜͜·ͰͷτʔΫͰօશཧղͨͣ͠... ຊൃදͷMJCTFDDPNQͷόʔδϣϯͰ͢ ΧʔωϧHFOFSJD6CVOUV(SPPWZ
Seccomp notificationͷ߹ʁ •ࢦఆͨ͠γεςϜίʔϧݺͼग़͠Λͨ͠ࡍʹɺผͷϓϩηεʹͲ͏ॲ ཧ͢Δ͔ΛҠৡ͢Δ͜ͱ͕Ͱ͖Δɻ •ͦͷؒɺݩͷϓϩηεϒϩοΫ͍ͯ͠Δ •ͭ·Γɺಉ͡Α͏ʹɺʮҙͷγεςϜίʔϧݺͼग़͠ʯͰఀࢭ͢Δ ͜ͱ͕Մೳʹ...ʁ
࣮ݧ͢Δ •ӈͷΑ͏ͳ seccomp notif receiver Λ࣮͢Δ
ϥούܦ༝Ͱىಈ͢Δ •ϥούࠨ •͜ΕΛט·ͤͯىಈ •ͪΌΜͱlistenલͰ ࢭ·Δ 3VMFOPUJGZͱ͍͏"1*Λ࣮ ɹ6/*9υϝΠϯιέοτΛ։͍ͯ ɹ4FDDPNQOPUJGZGEΛ ɹ4FOEP⒎Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ
͜ͷͱ͖ࢭ·͍ͬͯΔϓϩηεͷstack •seccomp_do_user_notification ͱ͍͏ṖͷؔͰఀࢭ͍ͯ͠Δ •௨ৗͷΧʔωϧؔͷҰ෦ͰϒϩοΫ͍ͯ͠Δ •γάφϧɺptraceͳͲͰࢭ·͍ͬͯΔঢ়ଶͰͳ͍
͜ΕΛμϯϓϦετΞͯ͠... •μϯϓແࣄޭ͢Δɻ •ϦετΞͯ͠ɺENOSYS ͕ग़ͯ͠·͏ɻ
ਖ਼ৗʹμϯϓͰ͖Δ͕… •ϦετΞͨ͠λΠϛϯάͰɺ৽͍͠ϓϩηε Seccomp Context ͕ ਖ਼ৗʹϋϯυϧ͞Ε͍ͯͳ͍ঢ়ଶʹͳͬͯ͠·͏ •͜͏ͳΔͱɺSCMP_ACT_NOTIFYͰ௨͢Δ௨ઌ͕ͳ͍ͱ͍͏ঢ়ଶ ʹͳͬͯ͠·͏Α͏Ͱɺͦ͏͍͏߹ͷ༷Ͱ͋Δ ʮγεςϜίʔϧ͕ errno=ENOSYS
Ͱࣦഊ͢Δʯ ͱ͍͏݁Ռʹͳͬͨɻlisten(2)Λਖ਼ৗ࠶։͢Δํ๏͕ͳ͍ɻ
ͰͲ͏͢Δ͔ʁ •<దͳ͍Β͢ͱΛҾ༻͢Δ>
ͰͲ͏͢Δ͔ʁ •ʮޭࣦͯ͠ഊͯ͠ԿӨڹ͕ͳ͍ʯγεςϜίʔϧΛߟ͑Δ •ྫ͑ɺϦΞϧλΠϜγάφϧΛҰͭબΜͰ signal(s, SIG_IGN) •ͦͷγάφϧΛࣗʹૹΔͱɺԿ͠ͳ͍͕ɺ γάφϧ൪߸ͰಉఆՄೳͳ γεςϜίʔϧݺͼग़͠Λ࡞ΕΔ
ͦͷϚʔΧʔతγεςϜίʔϧΛ •libcͷlisten(3)ͷݺͼग़͠ͷલʹϑοΫͤ͞Δ •LD_PRELOADΛ༻͍ɺϥούؔΛఆٛ͢Δɻ •͜ΕͰɺ࣮࣭తʹ listen(2) ͷલʹ ϓϩάϥϜΛఀࢭͤ͞ɺ·ͨ࠶ੜ࣌ Өڹͳ͘ॲཧΛܧଓͰ͖Δͣɻ
࠷ޙͷ࣮ݧ •ϥούʔΛ͞Βʹࠨʹมߋ •ىಈˠ Notification receiver ܦ༝Ͱμϯϓ LJMM BOZ ͷݺͼग़͠Λτϥοϓ
4*(35."9 -%@13&-0"%ΛFYFD࣌ʹࢦఆ
ࠓճͷμϯϓɺϓϩηε࠶ੜʹޭ͢Δ
None
ͪͳΈʹ... •LD_PRELOADΛ࣋ͪग़ͨ࣌͠ͰͳΜͰΞϦ..... •ͱࢥͬͯɺͨͱ͑ӈͷΑ͏ʹίʔυΛม͑ͯΈͨɻ •݁Ռ →ίϯςφԽ(PID unshared)͍ͯ͠ΔͷͰɺ ͕ࣗࣗPID=1ʹͳͬͯSIGSTOPΛແࢹɻ • ݁ہίϯςφͷinit processΛ࣮֬ʹࢭΊΔʹseccomp͔͠ͳ͍Α͏ʹࢥΘΕͨɻ
ߟྀ࿙Ε͕͋Εڭ͍͑ͯͩ͘͞ɻ
·ͩݕ౼͍ͯ͠ͳ͍͜ͱ •ϚϧνεϨουΞϓϦέʔγϣϯ... Ͳ͏͍͏;͏ʹࢭ·Δͷ͔ •ͱݴͬͯ࠷ॳͷݺͼग़͠Ͱࢭ·Δʁ ͷ͔ͳʁ •LD_PRELOAD ͕Կ͔ͷཧ༝Ͱ͑ͳ͍࣌ •libcΛͦͦͬͯͳ͍࣌ʢಛʹGoʣ •syscall͕ݺͼग़͞ΕΔ࣌ ....
͓͜ͱΘΓ •ߥແܤͳ͜ͱΛ͍ͯ͠Δ͜ͱঝ͍ͯ͠·͢ɻ •໘നLinuxωλͱͯ͠ফඅ͍͚ͨͩΕ͍Ͱ͢ •ࣅͨΑ͏ͳ͜ͱΛͬͱ͏·͍ͬͯ͘Δྫ͕ΕͨΒخ͍͠ •ͱΓ͋͑ͣɺ2018ͷ಄͔Βஅଓతʹपลͷ࣮Λଓ͚͖ͯͨҰ࿈ͷ ݚڀΛɺ͜ͷػձʹڙཆͰ͖Εͱࢥ͍ɺ͓࣌ؒΛ͍͖ͨͩ·ͨ͠ɻ ͝ਗ਼ௌʹײँ
ࢀߟهࣄͳͲ •அଓతʹॻ͍ͯΔseccompͱMiehistöͷϒϩά • ʮmrubyͱseccompͱptraceͰγεςϜίʔϧΛͱʹ͔͍͔͚͘Δʯ(2017/04) • ʮGrenadine: ʮී௨ͷΞϓϦέʔγϣϯʯ͕νΣοΫϙΠϯτ/ϦετΞͷԸܙΛڗड͢Δʯ (2019/03) • ʮWSAݚڀձ
ୈ7ճ ͰCRIUͱMiehistöͷൃදΛ͠·ͨ͠ #WSAݚʯ(2020/11) • ʮҙͷϥΠϒϥϦίʔϧͰϓϩάϥϜΛఀࢭ͠ɺىಈ༻ͷCRIUΠϝʔδΛ࡞͢ΔΞϓ ϩʔνʹ͍ͭͯʯ(2020/12) IUUQTVE[VSBIBUFOBCMPHKQ