CRIUとSeccomp / criu-and-seccomp-and-me
KONDO Uchio
April 17, 2021
Technology
第14回 コンテナ技術の情報交換会@オンライン (14th Container Technology Information Exchange Meetup, online)
https://ct-study.connpass.com/event/205571
Transcript
Uchio Kondo / GMO Pepabo, Inc. 第14回 コンテナ技術の情報交換会@オンライン, 2021/04/17
CRIU, seccomp, and me: how I fought them
〜 It was all for the sake of blazing-fast startup 〜
(Title image: pixabay.com, by Antranias)

Uchio Kondo (近藤 宇智朗) / @udzura https://blog.udzura.jp/
Senior Principal Engineer, Technology Division, Technical Infrastructure Team @ GMO Pepabo
Supporter of Engineer Cafe (Fukuoka City Red Brick Culture Hall)
#Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #シレン #FitBoxing2
--- Favourite system call? unshare(2), of course.
ToC
• My home-made CRIU wrapper, "Miehistö"
• Making it possible to dump an arbitrary application at an arbitrary point
• The seccomp + SCMP_ACT_TRACE approach
• The seccomp + SCMP_ACT_NOTIFY approach
• And the way out

Caveats
• Even though seccomp is the theme, about half of this talk is about how to use CRIU
• I never had a chance to present all of this in one place...
• What is written here is basically the content of the blog posts listed at the end
• The core of the CRIU-related implementation was written in 2019, so the very latest versions may have changed things
CRIU
What is CRIU?
• A userland tool for creating checkpoints of, and restoring, processes on Linux (Checkpoint-Restore In Userspace)
• Containers are processes too, so it came to be used mainly to implement checkpoint/restore of containers
https://criu.org/Main_Page
Concretely
• These are the intended use cases (https://criu.org/Usage_scenarios):
• Live migration of containers
• Faster startup of slow-booting applications
• Suspend/resume of desktop environments
• Kernel upgrades that (appear to) involve no downtime
• and so on...
Recent CRIU releases
• 3.13 (Sep 11, 2019) ... libcriu.a can now be built, by @udzura
• 3.14 (π, Apr 29, 2020) ... clone3(2) and time namespace support, and more
• 3.15 (Nov 04, 2020) ... MIPS support, cgroup v2 support, restore inside a PID namespace, ... and more (this is the CRIU version used in this talk)
• Still developing...
CRIU is great!
• Let's try it right away! ... ❓ ❓❓
• With CRIU this is OK for now. But... (continued)
So how do you use CRIU...?
• With CRIU, "getting it to work properly" is hard in the first place
• Besides memory there is the handling of file descriptors, ttys, sockets and so on...
• If a PID is already taken after restore, the process cannot be revived
• And how are you supposed to manage these "image" things?
Use a CRIU that is already built in?
• One option is the checkpoint/restore built into a container runtime, but the operation differs per runtime and I can't remember them all...
• And the existing daemons may not even be containers in the first place
(See also: https://speakerdeck.com/udzura/miehisto-a-recommended-stack-to-integrate-criu-into-existing-systems)
So I wrote one
Miehistö (pronounced "mie-histö")
• Formerly Grenadine
• Miehistö = "CREW" in Finnish
What Miehistö is
• A set of tool wrappers that make it easier to apply CRIU to ordinary processes
• miehistod: the central daemon that manages service images
• mhctl: the client
• runmh: a kind of runtime that creates CRIU-friendly processes
(read "miehistö-dee", "em-aitch-control", "run-em-aitch")
What runmh does
• Creates a process that is running in an environment as close as possible to "a process started normally on a VM"
• On top of that, performs a series of operations that remove the conditions that get in the way of a CRIU dump/restore, leaving the process in a CRIU-ready state
Concretely...
• First, the PID namespace must be isolated so that PIDs start from 1
• → isolate with clone(2), and mount the /proc filesystem ourselves
• → which means the mount namespace has to be isolated too
About the mount namespace and root
• Since /proc gets remounted, the mount namespace is unshared
• An independent root filesystem that is nonetheless mostly identical to the host's is needed
• How it is built:
• bind mount / onto a temporary directory, and bind mount things like /dev individually
• pivot_root into it (chroot is not enough: the root that the mount namespace recognises has to be swapped out)
Other conditions
• A tty, or references to files outside the root, are not allowed:
• stderr/stdout are reopened on files inside the root
• (a log file must be opened with O_WRONLY|O_APPEND)
• A session leader that called setsid() must be the root of the process tree, so call it
The implementation, roughly
• clone with the NEWNS and NEWPID flags
• bind mount the host root at another location
• setsid
• pivot_root
• point fd 0 at /dev/null
• point fd 1 and 2 at files inside the current root, opened with O_WRONLY|O_APPEND
• exec the target program
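The steps above as an added C example; this is not Miehistö's runmh code. It assumes a few things the slide does not say: it adds CLONE_NEWUSER so the demo can run unprivileged (runmh itself runs as root, so its uid_map step does not exist), uses the pivot_root(".", ".") idiom from pivot_root(2), execs /bin/true as a stand-in target, and puts the temporary root and log under /tmp. The parent stays outside the namespaces, so its own view of /tmp is untouched and cleanup is trivial. It returns -1 where the environment refuses (Docker's default seccomp profile denies clone with namespace flags and pivot_root, and masked /proc paths prevent mounting proc inside a user namespace); on a plain VM it returns 1.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct runmh_args { const char *newroot; const char *logpath; uid_t uid; gid_t gid; };

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY), ok;
    if (fd < 0) return -1;
    ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Exit code 4 = "this environment refuses" (no unprivileged user namespaces, masked /proc, a seccomp
 * profile denying pivot_root/mount, a root that is not a mount point); 3 = a real failure. */
static int refused(void) { return errno == EPERM || errno == EACCES || errno == ENOSYS || errno == EINVAL ? 4 : 3; }

static int runmh_child(void *p)
{
    const struct runmh_args *a = p;
    char map[64];
    struct stat st;
    int nul, log;
    /* 1. Become uid/gid 0 inside the new user namespace (assumption: only needed because this demo
     *    runs unprivileged; runmh runs as root and skips this). */
    if (write_file("/proc/self/setgroups", "deny") != 0) return refused();
    snprintf(map, sizeof map, "0 %u 1", (unsigned)a->uid);
    if (write_file("/proc/self/uid_map", map) != 0) return refused();
    snprintf(map, sizeof map, "0 %u 1", (unsigned)a->gid);
    if (write_file("/proc/self/gid_map", map) != 0) return refused();
    /* 2. Stop mount propagation, bind the host root onto a fresh directory and make that the root
     *    of this mount namespace with pivot_root (chroot would leave the old root visible to CRIU). */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return refused();
    if (mount("/", a->newroot, NULL, MS_BIND | MS_REC, NULL) != 0) return refused();
    if (chdir(a->newroot) != 0 || syscall(SYS_pivot_root, ".", ".") != 0) return refused();
    if (umount2(".", MNT_DETACH) != 0 || chdir("/") != 0) return refused();
    /* 3. A /proc that belongs to the new PID namespace, in which this process is PID 1. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0) return refused();
    /* 4. Session leader at the root of the tree; no tty: stdin from /dev/null, stdout/stderr
     *    appended to a log file inside the new root (O_WRONLY|O_APPEND, as the slide requires). */
    if (setsid() < 0) return 3;
    nul = open("/dev/null", O_RDONLY);
    log = open(a->logpath, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (nul < 0 || log < 0 || dup2(nul, 0) < 0 || dup2(log, 1) < 0 || dup2(log, 2) < 0) return 3;
    close(nul); close(log);
    /* Self-check before exec: PID 1 here, and the freshly mounted /proc agrees. */
    if (getpid() != 1 || stat("/proc/1/comm", &st) != 0) return 5;
    execl("/bin/true", "true", (char *)NULL);   /* stand-in for the real CRIU-ready target */
    return 3;
}

static char child_stack[256 * 1024];

/* 1 = the child came up as PID 1 in its own namespaces and exec'd the target; -1 = the environment
 * refuses namespaces or mounts (run it on a VM); other negatives = errors. */
int run_runmh_demo(void)
{
    char newroot[] = "/tmp/runmh.XXXXXX", logpath[64];
    struct runmh_args a = { newroot, logpath, getuid(), getgid() };
    int status, rc;
    if (!mkdtemp(newroot)) return -2;
    snprintf(logpath, sizeof logpath, "%s.log", newroot);
    pid_t pid = clone(runmh_child, child_stack + sizeof child_stack,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, &a);
    if (pid < 0) rc = errno == EPERM || errno == EINVAL || errno == ENOSYS ? -1 : -3;
    else if (waitpid(pid, &status, __WALL) != pid || !WIFEXITED(status)) rc = -4;
    else if (WEXITSTATUS(status) == 0) rc = 1;
    else if (WEXITSTATUS(status) == 4) rc = -1;
    else rc = -(10 + WEXITSTATUS(status));
    unlink(logpath);                            /* the parent never entered the namespaces, so its */
    rmdir(newroot);                             /* view of /tmp is untouched and cleanup is trivial */
    return rc;
}

int main(void) { printf("run_runmh_demo() = %d\n", run_runmh_demo()); return 0; }
```

The check at the end of the child (PID 1, and /proc/1 visible through the new mount) is exactly what CRIU needs for a dump to be self-contained; a process started with a plain chroot would fail it, because the mount namespace would still report the host root.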
With this, dumps succeed reliably™.
• There may still be things I have not taken into account.
Dumps are stable now, but...
• The question is what to do about restore
• Naively, running the CRIU command on the resulting image restores the original process, but...
• I want the miehistod service to manage the pre-restore and post-restore processes uniformly, so the restored process should hang under miehistod. How on earth do I do that?
About restore
• Given Miehistö's requirements, the restored process should be managed by miehistod (runmh), so it has to be restored as a child of an arbitrary process... is that even possible?
• Doing it the obvious way gives the tree runmh -> criu -> ruby; when criu goes away... no good (that was not the intended process tree)
Restore as implemented in Miehistö
• criu restore is invoked under miehistod
• The --exec-cmd option is used so that, after the restore, the criu command itself execs the runmh program
• This is because I wanted a process tree with runmh as the parent and the restored command as its child
• Bind mount handling also has to be passed to criu restore
• → the --external option
A criu command line like this is generated and executed
• Incidentally, CRIU has both a client/server mode (via libcriu) and a command-line mode. In this case the process dump works fine in client/server mode, but the process restore only works from the command line.
--exec-cmd
• With the criu command, after the process has been restored and spawned, the original criu command itself can be exec'd into another program.
• That lets you replace "the program that waits on the restored process", which is handy when writing a supervisor-like program as in this case.
• This yields the tree miehistod -> runmh -> (restored process)
(Diagram of the parent swap: https://speakerdeck.com/udzura/my-criu-life-in-progress)
External bind mounts
• Bind mounts of directories outside the root are not detected automatically at dump/restore time, so they have to be specified explicitly.
• At dump time → the external bind mount targets follow a convention, so that information is passed to the criu service as the equivalent of the --external option
• At restore time → it is passed to the command in a form like the following:
--external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids
https://criu.org/External_bind_mounts
With this, restore works too.
CRIU features I am not using yet
• Options unused in Miehistö: --cgroup-root, --action-script, etc.
• The swrk mode
• Will there ever be a chance to use them? The use cases are all rather niche. Some of this is covered in "Trying CRIU out in hosting (hosting casual)": https://speakerdeck.com/udzura/my-criu-life-in-progress
Stopping the application
What I want(ed) to do
• In a "start on first access" architecture, reduce the first-start overhead to the absolute minimum
• FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/)
• Familiar examples are things like Heroku and Cloud Run
The approach: dump the process in advance
• Create a memory dump of the container beforehand and start from it; the idea was that this could cut the startup overhead of applications whose boot takes time, such as full-stack frameworks in scripting languages.
• (Because I wanted to use it in the hosting service division, there was also the background wish for a general method that does not depend on the nature of the application.)
cf. strace -c rails s
• Startup of an app that is just rails new plus one CRUD resource, with RAILS_ENV=production
• Almost all open and stat: file operations
• If all of these opens could be skipped, startup should be fast
When to stop?
• Stop at a moment with as little "state" as possible
• A process that has established connections to lots of backend DBs and is accepting loads of connections could probably still be checkpointed with CRIU, but that invites needless trouble and troubleshooting.
• I want to decide the stopping point somewhat mechanically
• For instance, what about stopping at the first listen(2)?
seccomp (SCMP_ACT_TRACE)
Hooking listen(2) to do something
• seccomp finally makes its appearance...
• Besides simple allowlists/denylists, seccomp has an option that sends a notification via ptrace(2) whenever a specified system call is invoked (SCMP_ACT_TRACE)
• (Incidentally, it also lets you change the syscall number being invoked, and I believe that is what gVisor and friends use??)
How SCMP_ACT_TRACE is used
• fork
• [parent] ptrace(PTRACE_ATTACH) the child, then ptrace(PTRACE_SETOPTIONS, ..., PTRACE_O_TRACESECCOMP)
• [parent] ptrace(PTRACE_CONT)
• [parent] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) (-1 because the traced process's further children and threads are waited for too)
• [child] load a seccomp context with SCMP_ACT_TRACE
• [parent] when the target syscall is invoked in the child, that process's information comes back from waitpid, and can be retrieved with ptrace(PTRACE_GETEVENTMSG), ptrace(PTRACE_GETREGS), etc.
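The steps above as an added C example; it is not the slide's mruby-seccomp code. Differences from the slide, as my assumptions: the child requests tracing itself with PTRACE_TRACEME and stops, which avoids the race of attaching from the parent after the child has already reached listen(2); the filter is written as raw BPF loaded with prctl(2) instead of via libseccomp; and the tracer reads the filter's SECCOMP_RET_DATA with PTRACE_GETEVENTMSG, which is portable, where PTRACE_GETREGS is per-architecture. The abstract socket name is made up. One fact that matters for the next slides: a task can have only one tracer, so while this tracer is attached a criu PTRACE_SEIZE of the same task is refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define LISTEN_TRACE_DATA 0x1234   /* SECCOMP_RET_DATA the tracer reads with PTRACE_GETEVENTMSG */

/* Filter: syscall `nr` -> SECCOMP_RET_TRACE|data, anything else allowed; a foreign ABI is killed
 * because syscall numbers differ per ABI. Returns the instruction count written to `out` (7). */
size_t build_trace_filter(struct sock_filter *out, int nr, unsigned data)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | (data & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* Tracee: ask to be traced and stop so the tracer can set options, load the filter, listen(2).
 * Exit 4 = the environment refused ptrace or seccomp. */
static int tracee_body(void)
{
    struct sock_filter filt[8];
    struct sock_fprog prog = { .len = (unsigned short)build_trace_filter(filt, __NR_listen, LISTEN_TRACE_DATA), .filter = filt };
    struct sockaddr_un sa = { .sun_family = AF_UNIX };                /* abstract-namespace name */
    int n = snprintf(sa.sun_path + 1, sizeof sa.sun_path - 1, "trace-demo-%d", (int)getpid());
    int fd;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0) return errno == EPERM ? 4 : 3;
    raise(SIGSTOP);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 3;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return errno == EPERM || errno == EACCES ? 4 : 3;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, offsetof(struct sockaddr_un, sun_path) + 1 + n) != 0) return 5;
    return listen(fd, 1) == 0 ? 0 : 6;    /* would be ENOSYS if no tracer had PTRACE_O_TRACESECCOMP set */
}

/* Tracer. 1 = the seccomp stop for listen(2) was seen and the tracee finished;
 * -1 = ptrace/seccomp refused in this environment; other negatives = logic errors. */
int run_trace_demo(void)
{
    int status, observed = 0;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) _exit(tracee_body());
    if (waitpid(pid, &status, 0) != pid) return -3;
    if (WIFEXITED(status)) return WEXITSTATUS(status) == 4 ? -1 : -3;   /* died before stopping */
    if (!WIFSTOPPED(status)) return -3;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESECCOMP | PTRACE_O_EXITKILL)) != 0 ||
        ptrace(PTRACE_CONT, pid, NULL, NULL) != 0) { kill(pid, SIGKILL); return -4; }
    for (;;) {
        if (waitpid(pid, &status, __WALL) != pid) return -5;
        if (WIFEXITED(status)) { int c = WEXITSTATUS(status); return c == 0 ? observed : c == 4 ? -1 : -(10 + c); }
        if (!WIFSTOPPED(status)) return -6;
        if (status >> 8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            unsigned long msg = 0;
            ptrace(PTRACE_GETEVENTMSG, pid, NULL, &msg);          /* the filter's SECCOMP_RET_DATA */
            if (msg == LISTEN_TRACE_DATA) observed = 1;
            /* The tracee is stopped with listen(2) not yet executed: this is where
             * `criu dump -t <pid>` would go (PTRACE_GETREGS could inspect the arguments). */
            ptrace(PTRACE_CONT, pid, NULL, NULL);
        } else {
            int sig = WSTOPSIG(status);                           /* pass real signals on, swallow SIGTRAP */
            ptrace(PTRACE_CONT, pid, NULL, (void *)(long)(sig == SIGTRAP ? 0 : sig));
        }
    }
}

int main(void) { printf("run_trace_demo() = %d\n", run_trace_demo()); return 0; }
```

The arch check at the top of the filter is not optional in real deployments: a 32-bit binary on x86_64 uses different syscall numbers, so a filter that compares `nr` without pinning `arch` can be bypassed by switching ABI.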
It's fiddly, so I wrapped it in mruby
• https://github.com/haconiwa/mruby-seccomp/blob/master/examples/tracing.rb
seccomp + ptrace
• SCMP_ACT_TRACE stops the traced process before the system call is executed, notifies the tracer process, and lets it perform arbitrary processing depending on the contents.
• So if we hook before a syscall such as listen(2) and perform a criu process dump there, we can mechanically obtain a dump of that process in its pre-listen(2) state... right?
• (The original idea here came from @matsumotory)
Let's try it
• Insert a simple wrapper, start with miehistö, stop with seccomp
• The dump does not succeed
Are the ptrace options clashing?
• Tracing with seccomp puts the process in the attached state with ptrace(PTRACE_ATTACH) and detects the stopped state
• Meanwhile, inside criu, the process is attached with ptrace(PTRACE_SEIZE) and explicitly stopped with ptrace(PTRACE_INTERRUPT).
• Stopping it via two different mechanisms may be the problem
• I forced patches around this into criu...
• In the end, since the seccomp context never leaves the process, the second listen() is treated as having no ptrace tracer and becomes ENOSYS?
It's looking rather bleak...
• While I was saying that, I got busy with other things, and the project got swapped out.
• Up to this point was actually verified in 2018 (see the write-up on hb.matsumoto-r.jp).
(More) seccomp notification
A new option arrived in seccomp
• SCMP_ACT_NOTIFY (seccomp notification)
• What it is should be clear to everyone from the talks so far... (the libseccomp version and kernel used in this talk: an Ubuntu Groovy generic kernel)
What about seccomp notification?
• When the specified syscall is invoked, the decision of how to handle it can be delegated to another process.
• Meanwhile the original process is blocked
• In other words, shouldn't it likewise be possible to stop at "an arbitrary syscall invocation"...?
Experiment
• Implement a seccomp notif receiver like the one on the right (code shown on the slide)
Start via a wrapper
• The wrapper is on the left
• Start with this inserted
• It does stop right before listen
(The wrapper implements a "rule notify" API: it opens a UNIX domain socket so that the seccomp notify fd can be sent off over it.)
The stack of the process stopped at this point
• It is stopped in a mysterious function called seccomp_do_user_notification
• It is blocking inside an ordinary kernel function
• It is not in a state stopped by a signal, ptrace, or similar
Dump and restore this...
• The dump succeeds fine.
• After restore, ENOSYS comes out.
It dumps fine, but…
• At the moment of restore, the new process ends up with a seccomp context that is not handled properly
• In that state there is apparently nowhere for SCMP_ACT_NOTIFY to send its notification, and the specified behaviour for that case, "the syscall fails with errno=ENOSYS", is what happened. There is no way to resume listen(2) normally.
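The experiment and its failure mode, as an added C example that is not the slide's receiver code: it uses the raw seccomp(2)/BPF interface rather than libseccomp's SCMP_ACT_NOTIFY. The child installs a filter returning SECCOMP_RET_USER_NOTIF for listen(2), hands the listener fd to the parent over a UNIX socket with SCM_RIGHTS (the hand-off the wrapper slide describes), and calls listen(2). The parent receives the request while the child is parked in seccomp_do_user_notification() (the point where criu dump would run), lets the syscall proceed with SECCOMP_USER_NOTIF_FLAG_CONTINUE, then closes the listener. The child's second listen(2) now fails with ENOSYS, which is the same state a restored process is in once its listener fd is gone. Assumed: x86_64 or aarch64, kernel headers of 5.5 or newer, and a made-up abstract socket name; it returns -1 where seccomp user notification is refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Filter: syscall `nr` -> SECCOMP_RET_USER_NOTIF, anything else allowed, foreign ABI killed. Writes 7 insns. */
size_t build_notify_filter(struct sock_filter *out, int nr)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* SCM_RIGHTS over a UNIX socket: pass `fd` when fd >= 0, otherwise receive one (returns it, or -1). */
static int xfer_fd(int sock, int fd)
{
    char b = 'f'; struct iovec iov = { &b, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr hdr; } u = { { 0 } };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (fd >= 0) {
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
        return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &m, 0) != 1 || !(c = CMSG_FIRSTHDR(&m)) || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Child: install the filter, hand the listener to the supervisor, listen(2) twice. Exit 4 = refused. */
static int child_body(int sock)
{
    struct sock_filter filt[8];
    struct sock_fprog prog = { .len = (unsigned short)build_notify_filter(filt, __NR_listen), .filter = filt };
    struct sockaddr_un sa = { .sun_family = AF_UNIX };                 /* abstract-namespace name */
    int n = snprintf(sa.sun_path + 1, sizeof sa.sun_path - 1, "notif-demo-%d", (int)getpid());
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), lfd; char go;
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, offsetof(struct sockaddr_un, sun_path) + 1 + n) != 0) return 5;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 2;
    lfd = (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (lfd < 0) return errno == EPERM || errno == EACCES || errno == ENOSYS ? 4 : 3;
    if (xfer_fd(sock, lfd) != 0) return 6;
    close(lfd);                                /* the supervisor now holds the only reference */
    if (listen(fd, 1) != 0) return 7;          /* parked in the kernel until the supervisor answers */
    if (read(sock, &go, 1) != 1) return 8;     /* by now the supervisor has closed the listener */
    return listen(fd, 1) != 0 && errno == ENOSYS ? 0 : 9;   /* no listener left: ENOSYS */
}

/* Supervisor. 1 = notification seen and the orphaned second listen(2) got ENOSYS; -1 = refused here. */
int run_notify_demo(void)
{
    int sv[2], status, lfd, observed, c;
    struct seccomp_notif req = { 0 };          /* the kernel rejects a request buffer that is not zeroed */
    struct seccomp_notif_resp resp = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) { close(sv[0]); _exit(child_body(sv[1])); }
    close(sv[1]);
    if ((lfd = xfer_fd(sv[0], -1)) < 0)        /* the child gave up before installing the filter */
        return waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 4 ? -1 : -3;
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) { kill(pid, SIGKILL); return -4; }
    observed = req.data.nr == __NR_listen;
    /* req.pid is parked in seccomp_do_user_notification() with listen(2) not yet executed: a supervisor
     * would run `criu dump -t <req.pid>` here, before answering. */
    resp.id = req.id;
    resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;   /* let the real listen(2) run now */
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp) != 0) { kill(pid, SIGKILL); return -5; }
    close(lfd);                                /* last reference gone: the filter has no listener any more */
    if (write(sv[0], "g", 1) != 1) return -6;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -7;
    c = WEXITSTATUS(status);
    return c == 4 ? -1 : c == 0 && observed ? 1 : -(10 + c);
}
int main(void) { printf("run_notify_demo() = %d\n", run_notify_demo()); return 0; }
```

Two caveats a supervisor author should keep in mind: SECCOMP_USER_NOTIF_FLAG_CONTINUE hands the arguments back to the kernel unchecked, so it must never be used to make a security decision on them (the tracee can change them after the supervisor looked); and the ENOSYS at the end is exactly the post-restore symptom, because the restored process carries the filter but no process holds its listener.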
So what to do?
• (an illustration was shown here)
So what to do?
• Think of a syscall that "has no effect whether it succeeds or fails"
• For example, pick one real-time signal and do signal(s, SIG_IGN)
• Sending that signal to yourself does nothing, yet it produces a syscall invocation that can be identified by the signal number
That marker syscall is then
• hooked in right before libc's listen(3) call
• using LD_PRELOAD to define a wrapper function.
• This should effectively stop the program before listen(2), and processing can continue unaffected on restore as well.
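The marker and the LD_PRELOAD wrapper described above, as an added example; this is not the author's wrapper, and the function names and the abstract socket name in the self-check are mine. Built as a shared object (gcc -shared -fPIC -o libmarker.so marker.c) and loaded with LD_PRELOAD=./libmarker.so, it interposes listen(), so a supervisor whose SCMP_ACT_NOTIFY or SCMP_ACT_TRACE rule matches kill(2) sees kill(getpid(), SIGRTMAX) right before every listen(2). The real listen is issued through syscall(2), so no dlsym(RTLD_NEXT) is needed. With no filter installed, the marker is an ignored signal to self and the wrapper is a no-op, which is what makes it safe for the restored process.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

static int marker_calls;

/* The marker: a real-time signal the process ignores, sent to itself with kill(2).
 * Without a supervisor it is a harmless no-op; with a seccomp rule on kill(2) it is the
 * point where the supervisor parks the process and runs criu dump. */
void seccomp_marker(void)
{
    static int ignored;
    if (!ignored) { signal(SIGRTMAX, SIG_IGN); ignored = 1; }   /* default action would terminate us */
    if (kill(getpid(), SIGRTMAX) == 0) marker_calls++;          /* the trapped syscall */
}

/* Interposes libc's listen(3) when this file is built as a shared object and LD_PRELOADed:
 * marker first, then the real syscall. Code that bypasses libc (Go, raw syscall(2)) is not caught. */
int listen(int sockfd, int backlog)
{
    seccomp_marker();
    return (int)syscall(SYS_listen, sockfd, backlog);
}

int seccomp_marker_count(void) { return marker_calls; }

/* Self-check: a socket whose listen() goes through the interposed wrapper. Returns listen's result. */
int demo_listen(void)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };             /* abstract-namespace name */
    int n = snprintf(sa.sun_path + 1, sizeof sa.sun_path - 1, "ldpreload-demo-%d", (int)getpid());
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), rc;
    if (fd < 0) return -1;
    rc = bind(fd, (struct sockaddr *)&sa, offsetof(struct sockaddr_un, sun_path) + 1 + n) == 0 ? listen(fd, 1) : -1;
    close(fd);
    return rc;
}

int main(void) { printf("listen -> %d, markers seen: %d\n", demo_listen(), seccomp_marker_count()); return 0; }
```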
The final experiment
• The wrapper changed again as on the left
• Start → dump via the notification receiver (trapping calls to kill(<any pid>, SIGRTMAX); LD_PRELOAD is set at exec time)
This time the dump, and the process restore, both succeed
Incidentally...
• The moment you bring in LD_PRELOAD, anything goes.....
• Thinking that, I tried changing the code as on the right, for example.
• Result → because it is containerised (PID unshared), the process itself is PID 1 and ignores SIGSTOP.
• In the end, it seems seccomp is the only way to reliably stop a container's init process.
If I have overlooked something, please let me know.
Not yet considered
• Multithreaded applications... how do they stop?
• That said, do they stop at the first call? I wonder?
• When LD_PRELOAD cannot be used for some reason
• When libc is not used at all (Go in particular)
• When the syscall is invoked directly ....
Disclaimer
• I am aware that what I am doing is outlandish.
• I would be happy if you enjoy it as a fun Linux story
• I would love to hear of examples that do something similar more elegantly
• In any case, I took this time to lay to rest a series of investigations whose surrounding implementation I have been working on intermittently since the beginning of 2018. Thank you for listening
References
• The blog posts on seccomp and Miehistö that I have been writing intermittently (https://udzura.hatenablog.jp/):
• 「mrubyとseccompとptraceでシステムコールをとにかく追いかける」 (Chasing system calls with mruby, seccomp and ptrace) (2017/04)
• 「Grenadine: 「普通のアプリケーション」がチェックポイント/リストアの恩恵を享受する」 (Grenadine: letting "ordinary applications" benefit from checkpoint/restore) (2019/03)
• 「WSA研究会 第7回 でCRIUとMiehistöの発表をしました #WSA研」 (I presented CRIU and Miehistö at the 7th WSA study group) (2020/11)
• 「任意のライブラリコールでプログラムを停止し、起動用のCRIUイメージを作成するアプローチについて」 (On an approach to stopping a program at an arbitrary library call and creating a CRIU image for startup) (2020/12)