CRIU and Seccomp / criu-and-seccomp-and-me
KONDO Uchio
April 17, 2021
14th Container Technology Information Exchange Meetup @ Online
https://ct-study.connpass.com/event/205571
Transcript
ۙ౻Ӊஐ࿕ / GMO Pepabo, Inc. ୈ14ճ ίϯςφٕज़ͷใަձ@ΦϯϥΠϯ 2021/04/17 CRIUͱseccompͱ ֨ಆͨ͠
ʙશͯരىಈͷͨΊͩͬͨʙ *NBHFIUUQTQJYBCBZDPNJNBHFTJECZ"OUSBOJBT
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
@ GMOϖύϘ ΤϯδχΞΧϑΣʢԬࢢẂנจԽձؗʣ αϙʔλʔ #Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ #FitBoxing2 --- ͖ͳγεςϜίʔϧʁ ͬͺΓ unshare(2) Ͱ͢Ͷɻ
αϙʔλʔͯ͠·͢ !ΤϯδχΞΧϑΣ ԬࢢẂנจԽؗ
ToC •࡞CRIUϥούʔ “Miehistö” ʹ͍ͭͯ •ҙͷΞϓϦέʔγϣϯΛҙͷՕॴͰμϯϓ͢Δٕज़ͷ࣮ݱ •seccomp + SCMP_ACT_TRACE ʹΑΔख๏ •seccomp
+ SCMP_ACT_NOTIFY ʹΑΔख๏ wͦͯ͠આ
ɹɹ(Caveats) •Seccomp ͕ςʔϚͳͷʹ͙Β͍CRIUͷ͍ํͷΛ͠·͢ •·ͱΊͯൃද͢Δػձ͕ͣͬͱͳ͔ͬͨͷͰ... •ॻ͍ͯ͋Δ͜ͱࣗମɺ ͍͍ͩͨ͜ͷϒϩάͷ༰Ͱ͢ • CRIUʹؔ͢Δ࣮༰ͷίΞ2019ʹ ॻ͍͓ͯΓɺ͔ͨ͠͠Β࠷৽ͷ࠷৽ มԽ͋Δ͔ɻ
CRIU
CRIUͬͯ •Linuxʹ͓͍ͯɺϓϩηεͷνΣοΫϙΠϯτɾϦετΞΛ࡞͢Δͨ ΊͷϢʔβϥϯυͰͷπʔϧ (Checkpoint-Restore In Userspace) •ίϯςφϓϩηεͳͷͰɺίϯςφͷνΣοΫϙΠϯτɾϦετΞ Λ࣮ݱ͢ΔͨΊओʹ͏Α͏ʹͳͬͨ https://criu.org/Main_Page
۩ମతʹ •͜͏͍͏༻్Λఆͯ͠ΔΒ͍͠ɻ (https://criu.org/Usage_scenarios) •ίϯςφͷϥΠϒϚΠάϨʔγϣϯ •ىಈ͕͍ΞϓϦέʔγϣϯͷߴԽ •σεΫτοϓڥͷαεϖϯυɾϨδϡʔϜ •ແఀࢭʢʹݟ͔͚ͤΔʣΧʔωϧΞοϓάϨʔυ •ͳͲͳͲ...
࠷ۙͷCRIU •3.13(Sep 11, 2019) ... libcriu.a ͕ϏϧυͰ͖ΔΑ͏ʹͳͬͨ by @udzura •3.14(π,
Apr 29, 2020) ... clone3(2)ͱTime NS support, ଞ •3.15(Nov 04, 2020) ... MIPS support, cgroup v2 support, PID NS෦ ͷϦετΞ, ... ଞ •Still developing... ຊൃදͷ$3*6ͷόʔδϣϯͰ͢
CRIU͍͍Ͷʂ •ૣͬͯΈΑ͏ʂ... ❓ ❓❓ $3*6ͰҰԠ ͜ΕͰ0,ɻ͔͠͠ ଓ
CRIUͬͯͲ͏͏ͷ...ʁ •CRIUɺͦͦʮͪΌΜͱಈ͔͢ʯͷ͕͍͠ •ϝϞϦͷଞʹɺFile Descriptor/tty/socket ͦͷଞͷѻ͍... •ϦετΞޙʹPID͕ॏෳͯ͠Δͱ࠶ੜͰ͖ͳ͍ •͜ͷʮΠϝʔδʯతͳͭͬͯͲ͏ཧ͢Ε͍͍Μͩʁ
طʹΈࠐ·ΕͨCRIUΛ͏ʁ •ίϯςφϥϯλΠϜʹΈࠐ·Εͨcheckpoint/retoreΛ͏ख͋Δ ͕ɺϥϯλΠϜʹΑΓૢ࡞͕ҧ͏֮͑͠ΒΕͳ͍... •ͦͦطଘͷ σʔϞϯ͕ ίϯςφ͡Όͳ͍ɺͱ͔ IUUQTTQFBLFSEFDLDPNVE[VSBNJFIJTUPBSFDPNNFOEFETUBDLUPJOUFHSBUFDSJVJOUPFYJTUJOHTZTUFNT TMJEF
ͳͷͰॻ͍ͨ
Miehistö (Έ͑ͻͯ͢) • (ex. Grenadine) • Miehistö = “CREW” in
Finnish NJF 㷺IJTU
Miehistö ͱ •CRIUΛͳΔ͘ී௨ͷϓϩηεʹରͯ͠ద༻͘͢͢͠ΔɺҰ࿈ͷ πʔϧϥούʔ •miehistod: αʔϏεΠϝʔδΛ ཧ͢ΔதԝσʔϞϯ •mhctl: ΫϥΠΞϯτ •runmh:
CRIU͍͢͠ϓϩηεΛ ࡞ΔҰछͷϥϯλΠϜ Έ͑ͻͯ͢Ͱ͌ʔ Ήʔ͜ΜͱΖʔΔ ΒΜΉʔ
runmh ͕͍ͯ͠Δ͜ͱ •ͳΔ͘ʮී௨ʹVMʹ্ཱͪ͛ͨϓϩηεʯͱಉ͡ڥͰ্ཱͪ ͕͍ͬͯΔঢ়ଶͷϓϩηεΛ࡞Δ •ͦͷ্ͰɺCRIUͰͷμϯϓ/ϦετΞͷোนʹͳΔΑ͏ͳ݅Λ֎ ͠ɺCRIU-readyͳঢ়ଶʹ͢ΔҰ࿈ͷૢ࡞Λߦ͏
۩ମతʹ... •·ͣɺPID Namespace Λ͠ɺPIDΛ1͔Β࢝ΊΔඞཁ͕͋Δ •→ clone(2) ʹΑΓִ͠ɺ /proc ϑΝΠϧγεςϜΛࣗͰϚϯτ •→
ͦͷͨΊɺMount namespaceִ
Mount namespace/root ͷ •/proc ΛϚϯτ͢͠ͷͰMount NSunshared •ಠཱͨ͠ɺ͔ͭϗετͱେମಉ͡root filesystem͕ඞཁ •࡞Γํ: •ԾͷσΟϨΫτϦʹ
/ Λbind mountɺ/devͳͲݸผʹbind mount •ͦ͜ʹpivot_root͢Δ(chroot μϝɺͦͷMount NSͰೝࣝ͞ΕΔ rootΛૠ͛ସ͑Δඞཁ͕͋ΔͨΊ)
ͦͷଞ •ttyɺrootͷ֎ʹ͋ΔϑΝΠϧΛࢀর͍ͯ͠Δͱμϝ: •stderr/outrootͷϑΝΠϧΛ։͖͢ •ʢϩάϑΝΠϧ O_WRONLY|O_APPEND Ͱ։͍͍ͯͳ͍ͱμϝʣ •setsid() ΛݺΜͩηογϣϯϦʔμʔ͕process treeͷrootͰ͋Δඞཁ ͕͋ΔͷͰݺͿ
࣮ͷΠϝʔδ /&8/4 /&81*%ͷϑϥάΛ༩͑ͯDMPOF )PTUSPPU ΛผͷՕॴʹCJOENPVOU TFUTJE QJWPU@SPPU GEΛEFWOVMM
GE ΛݱࡏͷSPPU෦ͷϑΝΠϧʹ͠ 0@830/-:c0@"11&/%Ͱ։͘ ରϓϩάϥϜʹFYFD
͜ΕͰμϯϓ࣮֬ʹޭ™͢Δɻ •ߟྀͰ͖͍ͯͳ͍͜ͱ·͍ͩͬͯΔ͔ɻ
μϯϓ·Ͱ҆ఆ͚ͨ͠Ͳ... •ϦετΞɺͲ͏͠·͠ΐ͏ͱ͍͏ •ૉʹɺͰ͖ͨΠϝʔδΛ༻͍ͯCRIUίϚϯυΛୟ͚ݩͷϓϩη ε͕ϦετΞ͞ΕΔ͕... •miehistodαʔϏεͰϦετΞલ/ϦετΞޙͷϓϩηεΛ౷Ұతʹ ཧ͍ͨ͠ɻͳͷͰɺϦετΞޙͷϓϩηεΛmiehistodͷԼʹͿΒԼ ͍͛ͨɻͲ͏͢Ε͑͑ͶΜɻ
ϦετΞʹ͍ͭͯ •Miehistöͷཁ্݅ɺϦετΞ͞Εͨϓϩηεmiehistod(runmh)Ͱ ཧ͍ͨ͠ɻͳͷͰҙͷϓϩηεͷࢠϓϩηεͱͯ͠ϦετΞ͢Δඞ ཁ͕͋Δ... ͦΜͳͷͰ͖Δʁ •ӈͷΑ͏ͳ͜ͱΛ͢Δࡍɺ runmh -> criu ->
ruby criu͕ফ͑ͨΒ... μϝ ࢦ͍ͯ͠ΔϓϩηεπϦʔ
miehistö ͰͷϦετΞ࣮ •miehistod ͷԼͰ criu restore ΛݺͿ •ͦͷࡍʹɺ --exec-cmd ͱ͍͏ΦϓγϣϯΛར༻͠ɺ
ϦετΞޙʹcriuίϚϯυࣗΛrunmhϓϩάϥϜʹexec͢Δ • ΛrunmhɺࢠΛϦετΞޙͷίϚϯυͱ͍͏ϓϩηεπϦʔΛ࡞͍ͨͨ͠Ί •·ͨɺbind mountͷѻ͍ʹ͍ͭͯcriu restoreʹ͢ඞཁ͕͋Δ •--external Φϓγϣϯʹ͍ͭͯ
͜͏͍͏criuίϚϯυΛੜ࣮ͯ͠ߦ͢Δ •ͪͳΈʹCRIUʹΫϥΠΞϯταʔόಈ࡞(libcriuܦ༝)ͱɺίϚϯυ ىಈʹΑΔಈ࡞ͷϞʔυ͕ଘࡏ͢Δɻࠓճͷέʔεɺϓϩηε μϯϓΫϥαόͰOKɺϓϩηε࠶ੜίϚϯυͰͳ͍ͱෆՄɻ
--exec-cmd •criuίϚϯυͰɺϓϩηεΛϦετΞ͠spwanͨ͠ޙʹɺݩͷcriuίϚ ϯυࣗମΛผͷϓϩάϥϜʹexecͯ͠͠·͏͜ͱ͕Ͱ͖Δɻ •ͦ͏͢ΔͱʮϦετΞޙͷϓϩηεΛwait͢ΔϓϩάϥϜʯΛࠩ ͠ସ͑ΒΕΔͷͰɺࠓճͷΑ͏ʹεʔύόΠβʔతͳϓϩάϥϜΛ࡞ ͢Δ্Ͱศརɻ •miehistod -> runmh ->
(ϦετΞޙϓϩηε) ͷπϦʔ͕
ͷ͛͢ସ͑ͷΠϝʔδਤ IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT TMJEFɹ
External bind mounts •root͔Βݟͯ֎෦σΟϨΫτϦΛBind mount͍ͯ͠Δใɺdump/ restore࣌ʹࣗಈݕ͞Εͳ͍ͷͰɺ໌ࣔతʹࢦఆ͢Δඞཁ͕͋Δɻ •dump࣌ʹˠ ֎෦Bind mountઌΛنͰܾΊ͍ͯΔͷͰɺͦΕΒͷ ใΛ
--external ૬ͷΦϓγϣϯͱͯ͠criuαʔϏεʹ͢ •restore࣌ʹˠ ҎԼͷΑ͏ͳܗࣜͰίϚϯυʹ͢ --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids IUUQTDSJVPSH&YUFSOBM@CJOE@NPVOUT
͜ΕͰϦετΞͰ͖ΔΑ͏ʹɻ
ࠓCRIUͰ͍ͯ͠ͳ͍͜ͱ •MiehistöͰະ༻ͷΦϓγϣϯ: --cgroup-root, --action-script ͳͲ •swrkϞʔυͷ ͍͔ͭ͢ػձ͕དྷΔΜͰ͠ΐ͏͔ Ϣʔεέʔε͕ͲΕχονͳΜͰ͚͢Ͳ Ұ෦ʮ$3*6ΛϗεςΟϯάͰࢼ͍ͯ͘͠IPTUJOHDBTVBMʯ Ͱ͍ͯ͠·͢IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT
ΞϓϦέʔγϣϯΛࢭΊΔ
Γ͍ͨʢ͔ͬͨʣ͜ͱ •ʮΞΫηε࣌ʹॳΊͯىಈ͢ΔʯΞʔΩςΫνϟͰɺॳճىಈͷΦʔ όϔουΛۃݶ·Ͱݮ͍ͨ͠ •FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/) •ۙͳͷͰHerokuͱ͔Cloud Runͱ͔
ϓϩηεͷࣄલμϯϓͱ͍͏ख๏ •ࣄલʹίϯςφͷϝϞϦμϯϓΛ࡞ͬͯɺ͔ͦ͜Βىಈ͢Εɺ ྫ͑εΫϦϓτݴޠʹΑΔϑϧελοΫϑϨʔϜϫʔΫͷΑ͏ʹɺ ىಈϓϩηεʹ͕͔͔࣌ؒΔΞϓϦέʔγϣϯͰ ىಈͷΦʔόϔουΛݮͰ͖ΔͷͰͳ͍͔ɺͱߟ͑ͨɻ •ʢϗεςΟϯάαʔϏε෦Ͱ͍͔ͨͬͨͷͰɺͳΔ͘ΞϓϦͷ ੑ࣭ʹΑΒͳ͍൚༻తͳํ๏ʹ͔ͨͬͨ͠എܠ͋Δʣ
cf. strace -c rails s •rails newͯ͠΄΅CRUDͻͱͭՃ͚ͨͩ͠ͷΞϓϦɺͷىಈ RAILS_ENV=production •΄΅openͱstat ϑΝΠϧૢ࡞
•͜ΕΒͷopenΛશ෦ εΩοϓͰ͖Εͦ͏
͍ͭࢭΊΔʁ •ͳΔ͘ʮঢ়ଶ͕ͳ͍ʯλΠϛϯάͰࢭΊ͍ͨ •ͨ͘͞ΜޙΖͷDBͱestablishͯ͠ɺଓΊͬͪΌड͚ࢭΊͯͯ... ͳঢ়ଶͰɺCRIUͰνΣοΫϙΠϯτͰ͖ΔͩΖ͏͕ɺෆཁͳτϥ ϒϧͱͦͷγϡʔτ͕ى͜Γͦ͏ɻ •͋ΔఔػցతʹࢭΊΔλΠϛϯάΛܾఆ͍ͨ͠ •ྫ͑ɺॳճͷ listen(2) ͳͲͷλΠϛϯάͰఀࢭ͢ΔͷͲ͏͔ɻ
seccomp (SCMP_ACT_TRACE)
listen(2) ʹϑοΫͯ͠ͳΜ͔͍ͨ͠ •͍ͭʹseccomp͕ग़ͯ͘Δ... •seccompɺ୯७ͳallowlist/denylistͷ΄͔ɺࢦఆͨ͠γεςϜίʔϧ ݺͼग़͠ͷࡍʹptrace(2)ܦ༝Ͱ௨ΛૹΔΦϓγϣϯ͕͋Δ (SCMP_ACT_TRACE) •ʢͪͳΈʹݺͼग़͢γεςϜίʔϧ൪߸ࣗମΛมߋͰ͖ΔΦϓγϣϯ Ͱɺ͔֬gVisorͳͲͰΘΕ͍ͯΔɺΜͰ͢ΑͶ??ʣ
SCMP_ACT_TRACE ͍ํ • fork͢Δ • [] ptrace(PTRACE_ATTACH); ptrace(PTRACE_O_TRACESECCOMP) ͢Δ •
[] ptrace(PTRACE_CONT) ͢Δ • [] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) ͢Δ (-1 ͳͷtraceͯ͠Δ͞ΒʹࢠϓϩηεɾεϨουΛ͏ͨΊ) • [ࢠ] SCMP_ACT_TRACE ͳseccomp ctxΛϩʔυ͢Δ • [] ࢠͰ֘γεςϜίʔϧ͕ݺΕΔͱɺ֘ϓϩηεͷใ͕waitpidͷΓɺ ptrace(PTRACE_GETEVENTMSG)ɺptrace(PTRACE_GETREGS)ͳͲͰऔಘͰ͖Δ
͍͜͠ͷͰmrubyͰϥοϓͨ͠ •https://github.com/haconiwa/mruby-seccomp/blob/master/examples/ tracing.rb
seccomp + ptrace •SCMP_ACT_TRACEγεςϜίʔϧΛݺͼग़͢લʹτϨʔεݩϓ ϩηεΛఀࢭ͠ɺτϨʔεઌͷϓϩηεʹ௨ΛૹΓɺͦͷ༰ʹԠ ͡ҙͷॲཧΛͤ͞Δ͜ͱ͕Ͱ͖Δɻ •͕ͨͬͯ͠ɺlisten(2)ͳͲͷγεςϜίʔϧͷݺͼग़͠લʹϑοΫɺ criuʹΑΔϓϩηεμϯϓΛ࣮ࢪ͢Εɺͦͷϓϩηεͷ listen(2)લͷঢ়ଶͷμϯϓΛػցతʹऔಘͰ͖Δ... ͣʁ
•ʢ͜ͷลΓͷΞΠσΞͷݩ @matsumotory ͞ΜͰ͢ʣ
ͬͯΈ·͠ΐ͏ •؆୯ͳϥούʔΛט·ͤɺmiehistöͰىಈɺseccompͰఀࢭ •μϯϓʹޭ͠ͳ͍
ptrace ͷΦϓγϣϯ͕όοςΟϯά͢Δʁ •seccompͰͷτϨʔεϓϩηεΛ ptrace(PTRACE_ATTACH) ͯ͠Ξ λονঢ়ଶʹ͠ɺఀࢭঢ়ଶΛݕ͢Δ •Ұํɺcriuͷ෦Ͱɺ ptrace(PTRACE_SEIZE) ͰΞλονঢ়ଶʹͯ͠ ptrace(PTRACE_INTERRUPT)
Ͱ໌ࣔతʹࢭΊ͍ͯΔɻ •ผʑͷΦϓγϣϯͰࢭΊ͍ͯΔͷʹͳ͍ͬͯΔՄೳੑ͕͋Δ •͜ͷลΓͷύονΛແཧʹcriuʹͯͯ... • ݁ہseccomp ctx͕ϓϩηε͔Βൈ͚ͳ͍ͨΊɺ2ճͷ listen() ͕ptrace tracee͕ଘࡏ͠ͳ͍ѻ͍ʹͳΓENOSYS ʹͳΔ?
ͪΐͬͱݟ௨͕͠ѱͦ͏ͩ... •ͱ͔ݴ͍ͬͯΔ͏ͪʹผ݅Ͱ͘͠ͳͬͨΓ͠ɺSwap outɻ •͜͜·Ͱɺ ࣮2018ʹݕূͨ͠ɻ IUUQTICNBUTVNPUPSKQFOUSZɹ
(ͬͱ) seccomp notification
Seccompʹ৽Φϓγϣϯ͕དྷͨ •SCMP_ACT_NOTIFY (seccomp notification) •Կऀͳͷ͔ɺ͜͜·ͰͷτʔΫͰօશཧղͨͣ͠... ຊൃදͷMJCTFDDPNQͷόʔδϣϯͰ͢ ΧʔωϧHFOFSJD6CVOUV(SPPWZ
Seccomp notificationͷ߹ʁ •ࢦఆͨ͠γεςϜίʔϧݺͼग़͠Λͨ͠ࡍʹɺผͷϓϩηεʹͲ͏ॲ ཧ͢Δ͔ΛҠৡ͢Δ͜ͱ͕Ͱ͖Δɻ •ͦͷؒɺݩͷϓϩηεϒϩοΫ͍ͯ͠Δ •ͭ·Γɺಉ͡Α͏ʹɺʮҙͷγεςϜίʔϧݺͼग़͠ʯͰఀࢭ͢Δ ͜ͱ͕Մೳʹ...ʁ
࣮ݧ͢Δ •ӈͷΑ͏ͳ seccomp notif receiver Λ࣮͢Δ
ϥούܦ༝Ͱىಈ͢Δ •ϥούࠨ •͜ΕΛט·ͤͯىಈ •ͪΌΜͱlistenલͰ ࢭ·Δ 3VMFOPUJGZͱ͍͏"1*Λ࣮ ɹ6/*9υϝΠϯιέοτΛ։͍ͯ ɹ4FDDPNQOPUJGZGEΛ ɹ4FOEP⒎Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ
͜ͷͱ͖ࢭ·͍ͬͯΔϓϩηεͷstack •seccomp_do_user_notification ͱ͍͏ṖͷؔͰఀࢭ͍ͯ͠Δ •௨ৗͷΧʔωϧؔͷҰ෦ͰϒϩοΫ͍ͯ͠Δ •γάφϧɺptraceͳͲͰࢭ·͍ͬͯΔঢ়ଶͰͳ͍
͜ΕΛμϯϓϦετΞͯ͠... •μϯϓແࣄޭ͢Δɻ •ϦετΞͯ͠ɺENOSYS ͕ग़ͯ͠·͏ɻ
ਖ਼ৗʹμϯϓͰ͖Δ͕… •ϦετΞͨ͠λΠϛϯάͰɺ৽͍͠ϓϩηε Seccomp Context ͕ ਖ਼ৗʹϋϯυϧ͞Ε͍ͯͳ͍ঢ়ଶʹͳͬͯ͠·͏ •͜͏ͳΔͱɺSCMP_ACT_NOTIFYͰ௨͢Δ௨ઌ͕ͳ͍ͱ͍͏ঢ়ଶ ʹͳͬͯ͠·͏Α͏Ͱɺͦ͏͍͏߹ͷ༷Ͱ͋Δ ʮγεςϜίʔϧ͕ errno=ENOSYS
Ͱࣦഊ͢Δʯ ͱ͍͏݁Ռʹͳͬͨɻlisten(2)Λਖ਼ৗ࠶։͢Δํ๏͕ͳ͍ɻ
ͰͲ͏͢Δ͔ʁ •<దͳ͍Β͢ͱΛҾ༻͢Δ>
ͰͲ͏͢Δ͔ʁ •ʮޭࣦͯ͠ഊͯ͠ԿӨڹ͕ͳ͍ʯγεςϜίʔϧΛߟ͑Δ •ྫ͑ɺϦΞϧλΠϜγάφϧΛҰͭબΜͰ signal(s, SIG_IGN) •ͦͷγάφϧΛࣗʹૹΔͱɺԿ͠ͳ͍͕ɺ γάφϧ൪߸ͰಉఆՄೳͳ γεςϜίʔϧݺͼग़͠Λ࡞ΕΔ
ͦͷϚʔΧʔతγεςϜίʔϧΛ •libcͷlisten(3)ͷݺͼग़͠ͷલʹϑοΫͤ͞Δ •LD_PRELOADΛ༻͍ɺϥούؔΛఆٛ͢Δɻ •͜ΕͰɺ࣮࣭తʹ listen(2) ͷલʹ ϓϩάϥϜΛఀࢭͤ͞ɺ·ͨ࠶ੜ࣌ Өڹͳ͘ॲཧΛܧଓͰ͖Δͣɻ
࠷ޙͷ࣮ݧ •ϥούʔΛ͞Βʹࠨʹมߋ •ىಈˠ Notification receiver ܦ༝Ͱμϯϓ LJMM BOZ ͷݺͼग़͠Λτϥοϓ
4*(35."9 -%@13&-0"%ΛFYFD࣌ʹࢦఆ
ࠓճͷμϯϓɺϓϩηε࠶ੜʹޭ͢Δ
ͪͳΈʹ... •LD_PRELOADΛ࣋ͪग़ͨ࣌͠ͰͳΜͰΞϦ..... •ͱࢥͬͯɺͨͱ͑ӈͷΑ͏ʹίʔυΛม͑ͯΈͨɻ •݁Ռ →ίϯςφԽ(PID unshared)͍ͯ͠ΔͷͰɺ ͕ࣗࣗPID=1ʹͳͬͯSIGSTOPΛແࢹɻ • ݁ہίϯςφͷinit processΛ࣮֬ʹࢭΊΔʹseccomp͔͠ͳ͍Α͏ʹࢥΘΕͨɻ
ߟྀ࿙Ε͕͋Εڭ͍͑ͯͩ͘͞ɻ
·ͩݕ౼͍ͯ͠ͳ͍͜ͱ •ϚϧνεϨουΞϓϦέʔγϣϯ... Ͳ͏͍͏;͏ʹࢭ·Δͷ͔ •ͱݴͬͯ࠷ॳͷݺͼग़͠Ͱࢭ·Δʁ ͷ͔ͳʁ •LD_PRELOAD ͕Կ͔ͷཧ༝Ͱ͑ͳ͍࣌ •libcΛͦͦͬͯͳ͍࣌ʢಛʹGoʣ •syscall͕ݺͼग़͞ΕΔ࣌ ....
͓͜ͱΘΓ •ߥແܤͳ͜ͱΛ͍ͯ͠Δ͜ͱঝ͍ͯ͠·͢ɻ •໘നLinuxωλͱͯ͠ফඅ͍͚ͨͩΕ͍Ͱ͢ •ࣅͨΑ͏ͳ͜ͱΛͬͱ͏·͍ͬͯ͘Δྫ͕ΕͨΒخ͍͠ •ͱΓ͋͑ͣɺ2018ͷ಄͔Βஅଓతʹपลͷ࣮Λଓ͚͖ͯͨҰ࿈ͷ ݚڀΛɺ͜ͷػձʹڙཆͰ͖Εͱࢥ͍ɺ͓࣌ؒΛ͍͖ͨͩ·ͨ͠ɻ ͝ਗ਼ௌʹײँ
ࢀߟهࣄͳͲ •அଓతʹॻ͍ͯΔseccompͱMiehistöͷϒϩά • ʮmrubyͱseccompͱptraceͰγεςϜίʔϧΛͱʹ͔͍͔͚͘Δʯ(2017/04) • ʮGrenadine: ʮී௨ͷΞϓϦέʔγϣϯʯ͕νΣοΫϙΠϯτ/ϦετΞͷԸܙΛڗड͢Δʯ (2019/03) • ʮWSAݚڀձ
ୈ7ճ ͰCRIUͱMiehistöͷൃදΛ͠·ͨ͠ #WSAݚʯ(2020/11) • ʮҙͷϥΠϒϥϦίʔϧͰϓϩάϥϜΛఀࢭ͠ɺىಈ༻ͷCRIUΠϝʔδΛ࡞͢ΔΞϓ ϩʔνʹ͍ͭͯʯ(2020/12) IUUQTVE[VSBIBUFOBCMPHKQ