Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CRIUとSeccomp / criu-and-seccomp-and-me
Search
KONDO Uchio
April 17, 2021
Technology
1
740
CRIUとSeccomp / criu-and-seccomp-and-me
第14回 コンテナ技術の情報交換会@オンライン
https://ct-study.connpass.com/event/205571
KONDO Uchio
April 17, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.3k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
190
Narrative of Ruby & Rust
udzura
0
170
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.6k
Talk of RBS
udzura
0
390
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
710
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
670
Device access filtering in cgroup v2
udzura
1
770
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
720
Other Decks in Technology
See All in Technology
Platform Engineering for Software Developers and Architects
syntasso
1
520
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
290
Taming you application's environments
salaboy
0
190
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
160
Can We Measure Developer Productivity?
ewolff
1
150
The Role of Developer Relations in AI Product Success.
giftojabu1
1
130
AGIについてChatGPTに聞いてみた
blueb
0
130
第1回 国土交通省 データコンペ参加者向け勉強会③- Snowflake x estie編 -
estie
0
130
Application Development WG Intro at AppDeveloperCon
salaboy
0
190
Featured
See All Featured
GraphQLとの向き合い方2022年版
quramy
43
13k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Fireside Chat
paigeccino
34
3k
Faster Mobile Websites
deanohume
305
30k
Being A Developer After 40
akosma
87
590k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
890
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
96
Designing for Performance
lara
604
68k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Transcript
ۙ౻Ӊஐ࿕ / GMO Pepabo, Inc. ୈ14ճ ίϯςφٕज़ͷใަձ@ΦϯϥΠϯ 2021/04/17 CRIUͱseccompͱ ֨ಆͨ͠
ʙશͯരىಈͷͨΊͩͬͨʙ *NBHFIUUQTQJYBCBZDPNJNBHFTJECZ"OUSBOJBT
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
@ GMOϖύϘ ΤϯδχΞΧϑΣʢԬࢢẂנจԽձؗʣ αϙʔλʔ #Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ #FitBoxing2 --- ͖ͳγεςϜίʔϧʁ ͬͺΓ unshare(2) Ͱ͢Ͷɻ
αϙʔλʔͯ͠·͢ !ΤϯδχΞΧϑΣ ԬࢢẂנจԽؗ
ToC •࡞CRIUϥούʔ “Miehistö” ʹ͍ͭͯ •ҙͷΞϓϦέʔγϣϯΛҙͷՕॴͰμϯϓ͢Δٕज़ͷ࣮ݱ •seccomp + SCMP_ACT_TRACE ʹΑΔख๏ •seccomp
+ SCMP_ACT_NOTIFY ʹΑΔख๏ wͦͯ͠આ
ɹɹ(Caveats) •Seccomp ͕ςʔϚͳͷʹ͙Β͍CRIUͷ͍ํͷΛ͠·͢ •·ͱΊͯൃද͢Δػձ͕ͣͬͱͳ͔ͬͨͷͰ... •ॻ͍ͯ͋Δ͜ͱࣗମɺ ͍͍ͩͨ͜ͷϒϩάͷ༰Ͱ͢ • CRIUʹؔ͢Δ࣮༰ͷίΞ2019ʹ ॻ͍͓ͯΓɺ͔ͨ͠͠Β࠷৽ͷ࠷৽ มԽ͋Δ͔ɻ
CRIU
CRIUͬͯ •Linuxʹ͓͍ͯɺϓϩηεͷνΣοΫϙΠϯτɾϦετΞΛ࡞͢Δͨ ΊͷϢʔβϥϯυͰͷπʔϧ (Checkpoint-Restore In Userspace) •ίϯςφϓϩηεͳͷͰɺίϯςφͷνΣοΫϙΠϯτɾϦετΞ Λ࣮ݱ͢ΔͨΊओʹ͏Α͏ʹͳͬͨ https://criu.org/Main_Page
۩ମతʹ •͜͏͍͏༻్Λఆͯ͠ΔΒ͍͠ɻ (https://criu.org/Usage_scenarios) •ίϯςφͷϥΠϒϚΠάϨʔγϣϯ •ىಈ͕͍ΞϓϦέʔγϣϯͷߴԽ •σεΫτοϓڥͷαεϖϯυɾϨδϡʔϜ •ແఀࢭʢʹݟ͔͚ͤΔʣΧʔωϧΞοϓάϨʔυ •ͳͲͳͲ...
࠷ۙͷCRIU •3.13(Sep 11, 2019) ... libcriu.a ͕ϏϧυͰ͖ΔΑ͏ʹͳͬͨ by @udzura •3.14(π,
Apr 29, 2020) ... clone3(2)ͱTime NS support, ଞ •3.15(Nov 04, 2020) ... MIPS support, cgroup v2 support, PID NS෦ ͷϦετΞ, ... ଞ •Still developing... ຊൃදͷ$3*6ͷόʔδϣϯͰ͢
CRIU͍͍Ͷʂ •ૣͬͯΈΑ͏ʂ... ❓ ❓❓ $3*6ͰҰԠ ͜ΕͰ0,ɻ͔͠͠ ଓ
CRIUͬͯͲ͏͏ͷ...ʁ •CRIUɺͦͦʮͪΌΜͱಈ͔͢ʯͷ͕͍͠ •ϝϞϦͷଞʹɺFile Descriptor/tty/socket ͦͷଞͷѻ͍... •ϦετΞޙʹPID͕ॏෳͯ͠Δͱ࠶ੜͰ͖ͳ͍ •͜ͷʮΠϝʔδʯతͳͭͬͯͲ͏ཧ͢Ε͍͍Μͩʁ
طʹΈࠐ·ΕͨCRIUΛ͏ʁ •ίϯςφϥϯλΠϜʹΈࠐ·Εͨcheckpoint/retoreΛ͏ख͋Δ ͕ɺϥϯλΠϜʹΑΓૢ࡞͕ҧ͏֮͑͠ΒΕͳ͍... •ͦͦطଘͷ σʔϞϯ͕ ίϯςφ͡Όͳ͍ɺͱ͔ IUUQTTQFBLFSEFDLDPNVE[VSBNJFIJTUPBSFDPNNFOEFETUBDLUPJOUFHSBUFDSJVJOUPFYJTUJOHTZTUFNT TMJEF
ͳͷͰॻ͍ͨ
Miehistö (Έ͑ͻͯ͢) • (ex. Grenadine) • Miehistö = “CREW” in
Finnish NJF 㷺IJTU
Miehistö ͱ •CRIUΛͳΔ͘ී௨ͷϓϩηεʹରͯ͠ద༻͘͢͢͠ΔɺҰ࿈ͷ πʔϧϥούʔ •miehistod: αʔϏεΠϝʔδΛ ཧ͢ΔதԝσʔϞϯ •mhctl: ΫϥΠΞϯτ •runmh:
CRIU͍͢͠ϓϩηεΛ ࡞ΔҰछͷϥϯλΠϜ Έ͑ͻͯ͢Ͱ͌ʔ Ήʔ͜ΜͱΖʔΔ ΒΜΉʔ
runmh ͕͍ͯ͠Δ͜ͱ •ͳΔ͘ʮී௨ʹVMʹ্ཱͪ͛ͨϓϩηεʯͱಉ͡ڥͰ্ཱͪ ͕͍ͬͯΔঢ়ଶͷϓϩηεΛ࡞Δ •ͦͷ্ͰɺCRIUͰͷμϯϓ/ϦετΞͷোนʹͳΔΑ͏ͳ݅Λ֎ ͠ɺCRIU-readyͳঢ়ଶʹ͢ΔҰ࿈ͷૢ࡞Λߦ͏
۩ମతʹ... •·ͣɺPID Namespace Λ͠ɺPIDΛ1͔Β࢝ΊΔඞཁ͕͋Δ •→ clone(2) ʹΑΓִ͠ɺ /proc ϑΝΠϧγεςϜΛࣗͰϚϯτ •→
ͦͷͨΊɺMount namespaceִ
Mount namespace/root ͷ •/proc ΛϚϯτ͢͠ͷͰMount NSunshared •ಠཱͨ͠ɺ͔ͭϗετͱେମಉ͡root filesystem͕ඞཁ •࡞Γํ: •ԾͷσΟϨΫτϦʹ
/ Λbind mountɺ/devͳͲݸผʹbind mount •ͦ͜ʹpivot_root͢Δ(chroot μϝɺͦͷMount NSͰೝࣝ͞ΕΔ rootΛૠ͛ସ͑Δඞཁ͕͋ΔͨΊ)
ͦͷଞ •ttyɺrootͷ֎ʹ͋ΔϑΝΠϧΛࢀর͍ͯ͠Δͱμϝ: •stderr/outrootͷϑΝΠϧΛ։͖͢ •ʢϩάϑΝΠϧ O_WRONLY|O_APPEND Ͱ։͍͍ͯͳ͍ͱμϝʣ •setsid() ΛݺΜͩηογϣϯϦʔμʔ͕process treeͷrootͰ͋Δඞཁ ͕͋ΔͷͰݺͿ
࣮ͷΠϝʔδ /&8/4 /&81*%ͷϑϥάΛ༩͑ͯDMPOF )PTUSPPU ΛผͷՕॴʹCJOENPVOU TFUTJE QJWPU@SPPU GEΛEFWOVMM
GE ΛݱࡏͷSPPU෦ͷϑΝΠϧʹ͠ 0@830/-:c0@"11&/%Ͱ։͘ ରϓϩάϥϜʹFYFD
͜ΕͰμϯϓ࣮֬ʹޭ™͢Δɻ •ߟྀͰ͖͍ͯͳ͍͜ͱ·͍ͩͬͯΔ͔ɻ
μϯϓ·Ͱ҆ఆ͚ͨ͠Ͳ... •ϦετΞɺͲ͏͠·͠ΐ͏ͱ͍͏ •ૉʹɺͰ͖ͨΠϝʔδΛ༻͍ͯCRIUίϚϯυΛୟ͚ݩͷϓϩη ε͕ϦετΞ͞ΕΔ͕... •miehistodαʔϏεͰϦετΞલ/ϦετΞޙͷϓϩηεΛ౷Ұతʹ ཧ͍ͨ͠ɻͳͷͰɺϦετΞޙͷϓϩηεΛmiehistodͷԼʹͿΒԼ ͍͛ͨɻͲ͏͢Ε͑͑ͶΜɻ
ϦετΞʹ͍ͭͯ •Miehistöͷཁ্݅ɺϦετΞ͞Εͨϓϩηεmiehistod(runmh)Ͱ ཧ͍ͨ͠ɻͳͷͰҙͷϓϩηεͷࢠϓϩηεͱͯ͠ϦετΞ͢Δඞ ཁ͕͋Δ... ͦΜͳͷͰ͖Δʁ •ӈͷΑ͏ͳ͜ͱΛ͢Δࡍɺ runmh -> criu ->
ruby criu͕ফ͑ͨΒ... μϝ ࢦ͍ͯ͠ΔϓϩηεπϦʔ
miehistö ͰͷϦετΞ࣮ •miehistod ͷԼͰ criu restore ΛݺͿ •ͦͷࡍʹɺ --exec-cmd ͱ͍͏ΦϓγϣϯΛར༻͠ɺ
ϦετΞޙʹcriuίϚϯυࣗΛrunmhϓϩάϥϜʹexec͢Δ • ΛrunmhɺࢠΛϦετΞޙͷίϚϯυͱ͍͏ϓϩηεπϦʔΛ࡞͍ͨͨ͠Ί •·ͨɺbind mountͷѻ͍ʹ͍ͭͯcriu restoreʹ͢ඞཁ͕͋Δ •--external Φϓγϣϯʹ͍ͭͯ
͜͏͍͏criuίϚϯυΛੜ࣮ͯ͠ߦ͢Δ •ͪͳΈʹCRIUʹΫϥΠΞϯταʔόಈ࡞(libcriuܦ༝)ͱɺίϚϯυ ىಈʹΑΔಈ࡞ͷϞʔυ͕ଘࡏ͢Δɻࠓճͷέʔεɺϓϩηε μϯϓΫϥαόͰOKɺϓϩηε࠶ੜίϚϯυͰͳ͍ͱෆՄɻ
--exec-cmd •criuίϚϯυͰɺϓϩηεΛϦετΞ͠spwanͨ͠ޙʹɺݩͷcriuίϚ ϯυࣗମΛผͷϓϩάϥϜʹexecͯ͠͠·͏͜ͱ͕Ͱ͖Δɻ •ͦ͏͢ΔͱʮϦετΞޙͷϓϩηεΛwait͢ΔϓϩάϥϜʯΛࠩ ͠ସ͑ΒΕΔͷͰɺࠓճͷΑ͏ʹεʔύόΠβʔతͳϓϩάϥϜΛ࡞ ͢Δ্Ͱศརɻ •miehistod -> runmh ->
(ϦετΞޙϓϩηε) ͷπϦʔ͕
ͷ͛͢ସ͑ͷΠϝʔδਤ IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT TMJEFɹ
External bind mounts •root͔Βݟͯ֎෦σΟϨΫτϦΛBind mount͍ͯ͠Δใɺdump/ restore࣌ʹࣗಈݕ͞Εͳ͍ͷͰɺ໌ࣔతʹࢦఆ͢Δඞཁ͕͋Δɻ •dump࣌ʹˠ ֎෦Bind mountઌΛنͰܾΊ͍ͯΔͷͰɺͦΕΒͷ ใΛ
--external ૬ͷΦϓγϣϯͱͯ͠criuαʔϏεʹ͢ •restore࣌ʹˠ ҎԼͷΑ͏ͳܗࣜͰίϚϯυʹ͢ --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids IUUQTDSJVPSH&YUFSOBM@CJOE@NPVOUT
͜ΕͰϦετΞͰ͖ΔΑ͏ʹɻ
ࠓCRIUͰ͍ͯ͠ͳ͍͜ͱ •MiehistöͰະ༻ͷΦϓγϣϯ: --cgroup-root, --action-script ͳͲ •swrkϞʔυͷ ͍͔ͭ͢ػձ͕དྷΔΜͰ͠ΐ͏͔ Ϣʔεέʔε͕ͲΕχονͳΜͰ͚͢Ͳ Ұ෦ʮ$3*6ΛϗεςΟϯάͰࢼ͍ͯ͘͠IPTUJOHDBTVBMʯ Ͱ͍ͯ͠·͢IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT
ΞϓϦέʔγϣϯΛࢭΊΔ
Γ͍ͨʢ͔ͬͨʣ͜ͱ •ʮΞΫηε࣌ʹॳΊͯىಈ͢ΔʯΞʔΩςΫνϟͰɺॳճىಈͷΦʔ όϔουΛۃݶ·Ͱݮ͍ͨ͠ •FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/) •ۙͳͷͰHerokuͱ͔Cloud Runͱ͔
ϓϩηεͷࣄલμϯϓͱ͍͏ख๏ •ࣄલʹίϯςφͷϝϞϦμϯϓΛ࡞ͬͯɺ͔ͦ͜Βىಈ͢Εɺ ྫ͑εΫϦϓτݴޠʹΑΔϑϧελοΫϑϨʔϜϫʔΫͷΑ͏ʹɺ ىಈϓϩηεʹ͕͔͔࣌ؒΔΞϓϦέʔγϣϯͰ ىಈͷΦʔόϔουΛݮͰ͖ΔͷͰͳ͍͔ɺͱߟ͑ͨɻ •ʢϗεςΟϯάαʔϏε෦Ͱ͍͔ͨͬͨͷͰɺͳΔ͘ΞϓϦͷ ੑ࣭ʹΑΒͳ͍൚༻తͳํ๏ʹ͔ͨͬͨ͠എܠ͋Δʣ
cf. strace -c rails s •rails newͯ͠΄΅CRUDͻͱͭՃ͚ͨͩ͠ͷΞϓϦɺͷىಈ RAILS_ENV=production •΄΅openͱstat ϑΝΠϧૢ࡞
•͜ΕΒͷopenΛશ෦ εΩοϓͰ͖Εͦ͏
͍ͭࢭΊΔʁ •ͳΔ͘ʮঢ়ଶ͕ͳ͍ʯλΠϛϯάͰࢭΊ͍ͨ •ͨ͘͞ΜޙΖͷDBͱestablishͯ͠ɺଓΊͬͪΌड͚ࢭΊͯͯ... ͳঢ়ଶͰɺCRIUͰνΣοΫϙΠϯτͰ͖ΔͩΖ͏͕ɺෆཁͳτϥ ϒϧͱͦͷγϡʔτ͕ى͜Γͦ͏ɻ •͋ΔఔػցతʹࢭΊΔλΠϛϯάΛܾఆ͍ͨ͠ •ྫ͑ɺॳճͷ listen(2) ͳͲͷλΠϛϯάͰఀࢭ͢ΔͷͲ͏͔ɻ
seccomp (SCMP_ACT_TRACE)
listen(2) ʹϑοΫͯ͠ͳΜ͔͍ͨ͠ •͍ͭʹseccomp͕ग़ͯ͘Δ... •seccompɺ୯७ͳallowlist/denylistͷ΄͔ɺࢦఆͨ͠γεςϜίʔϧ ݺͼग़͠ͷࡍʹptrace(2)ܦ༝Ͱ௨ΛૹΔΦϓγϣϯ͕͋Δ (SCMP_ACT_TRACE) •ʢͪͳΈʹݺͼग़͢γεςϜίʔϧ൪߸ࣗମΛมߋͰ͖ΔΦϓγϣϯ Ͱɺ͔֬gVisorͳͲͰΘΕ͍ͯΔɺΜͰ͢ΑͶ??ʣ
SCMP_ACT_TRACE ͍ํ • fork͢Δ • [] ptrace(PTRACE_ATTACH); ptrace(PTRACE_O_TRACESECCOMP) ͢Δ •
[] ptrace(PTRACE_CONT) ͢Δ • [] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) ͢Δ (-1 ͳͷtraceͯ͠Δ͞ΒʹࢠϓϩηεɾεϨουΛ͏ͨΊ) • [ࢠ] SCMP_ACT_TRACE ͳseccomp ctxΛϩʔυ͢Δ • [] ࢠͰ֘γεςϜίʔϧ͕ݺΕΔͱɺ֘ϓϩηεͷใ͕waitpidͷΓɺ ptrace(PTRACE_GETEVENTMSG)ɺptrace(PTRACE_GETREGS)ͳͲͰऔಘͰ͖Δ
͍͜͠ͷͰmrubyͰϥοϓͨ͠ •https://github.com/haconiwa/mruby-seccomp/blob/master/examples/ tracing.rb
seccomp + ptrace •SCMP_ACT_TRACEγεςϜίʔϧΛݺͼग़͢લʹτϨʔεݩϓ ϩηεΛఀࢭ͠ɺτϨʔεઌͷϓϩηεʹ௨ΛૹΓɺͦͷ༰ʹԠ ͡ҙͷॲཧΛͤ͞Δ͜ͱ͕Ͱ͖Δɻ •͕ͨͬͯ͠ɺlisten(2)ͳͲͷγεςϜίʔϧͷݺͼग़͠લʹϑοΫɺ criuʹΑΔϓϩηεμϯϓΛ࣮ࢪ͢Εɺͦͷϓϩηεͷ listen(2)લͷঢ়ଶͷμϯϓΛػցతʹऔಘͰ͖Δ... ͣʁ
•ʢ͜ͷลΓͷΞΠσΞͷݩ @matsumotory ͞ΜͰ͢ʣ
ͬͯΈ·͠ΐ͏ •؆୯ͳϥούʔΛט·ͤɺmiehistöͰىಈɺseccompͰఀࢭ •μϯϓʹޭ͠ͳ͍
ptrace ͷΦϓγϣϯ͕όοςΟϯά͢Δʁ •seccompͰͷτϨʔεϓϩηεΛ ptrace(PTRACE_ATTACH) ͯ͠Ξ λονঢ়ଶʹ͠ɺఀࢭঢ়ଶΛݕ͢Δ •Ұํɺcriuͷ෦Ͱɺ ptrace(PTRACE_SEIZE) ͰΞλονঢ়ଶʹͯ͠ ptrace(PTRACE_INTERRUPT)
Ͱ໌ࣔతʹࢭΊ͍ͯΔɻ •ผʑͷΦϓγϣϯͰࢭΊ͍ͯΔͷʹͳ͍ͬͯΔՄೳੑ͕͋Δ •͜ͷลΓͷύονΛແཧʹcriuʹͯͯ... • ݁ہseccomp ctx͕ϓϩηε͔Βൈ͚ͳ͍ͨΊɺ2ճͷ listen() ͕ptrace tracee͕ଘࡏ͠ͳ͍ѻ͍ʹͳΓENOSYS ʹͳΔ?
ͪΐͬͱݟ௨͕͠ѱͦ͏ͩ... •ͱ͔ݴ͍ͬͯΔ͏ͪʹผ݅Ͱ͘͠ͳͬͨΓ͠ɺSwap outɻ •͜͜·Ͱɺ ࣮2018ʹݕূͨ͠ɻ IUUQTICNBUTVNPUPSKQFOUSZɹ
(ͬͱ) seccomp notification
Seccompʹ৽Φϓγϣϯ͕དྷͨ •SCMP_ACT_NOTIFY (seccomp notification) •Կऀͳͷ͔ɺ͜͜·ͰͷτʔΫͰօશཧղͨͣ͠... ຊൃදͷMJCTFDDPNQͷόʔδϣϯͰ͢ ΧʔωϧHFOFSJD6CVOUV(SPPWZ
Seccomp notificationͷ߹ʁ •ࢦఆͨ͠γεςϜίʔϧݺͼग़͠Λͨ͠ࡍʹɺผͷϓϩηεʹͲ͏ॲ ཧ͢Δ͔ΛҠৡ͢Δ͜ͱ͕Ͱ͖Δɻ •ͦͷؒɺݩͷϓϩηεϒϩοΫ͍ͯ͠Δ •ͭ·Γɺಉ͡Α͏ʹɺʮҙͷγεςϜίʔϧݺͼग़͠ʯͰఀࢭ͢Δ ͜ͱ͕Մೳʹ...ʁ
࣮ݧ͢Δ •ӈͷΑ͏ͳ seccomp notif receiver Λ࣮͢Δ
ϥούܦ༝Ͱىಈ͢Δ •ϥούࠨ •͜ΕΛט·ͤͯىಈ •ͪΌΜͱlistenલͰ ࢭ·Δ 3VMFOPUJGZͱ͍͏"1*Λ࣮ ɹ6/*9υϝΠϯιέοτΛ։͍ͯ ɹ4FDDPNQOPUJGZGEΛ ɹ4FOEP⒎Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ
͜ͷͱ͖ࢭ·͍ͬͯΔϓϩηεͷstack •seccomp_do_user_notification ͱ͍͏ṖͷؔͰఀࢭ͍ͯ͠Δ •௨ৗͷΧʔωϧؔͷҰ෦ͰϒϩοΫ͍ͯ͠Δ •γάφϧɺptraceͳͲͰࢭ·͍ͬͯΔঢ়ଶͰͳ͍
͜ΕΛμϯϓϦετΞͯ͠... •μϯϓແࣄޭ͢Δɻ •ϦετΞͯ͠ɺENOSYS ͕ग़ͯ͠·͏ɻ
ਖ਼ৗʹμϯϓͰ͖Δ͕… •ϦετΞͨ͠λΠϛϯάͰɺ৽͍͠ϓϩηε Seccomp Context ͕ ਖ਼ৗʹϋϯυϧ͞Ε͍ͯͳ͍ঢ়ଶʹͳͬͯ͠·͏ •͜͏ͳΔͱɺSCMP_ACT_NOTIFYͰ௨͢Δ௨ઌ͕ͳ͍ͱ͍͏ঢ়ଶ ʹͳͬͯ͠·͏Α͏Ͱɺͦ͏͍͏߹ͷ༷Ͱ͋Δ ʮγεςϜίʔϧ͕ errno=ENOSYS
Ͱࣦഊ͢Δʯ ͱ͍͏݁Ռʹͳͬͨɻlisten(2)Λਖ਼ৗ࠶։͢Δํ๏͕ͳ͍ɻ
ͰͲ͏͢Δ͔ʁ •<దͳ͍Β͢ͱΛҾ༻͢Δ>
ͰͲ͏͢Δ͔ʁ •ʮޭࣦͯ͠ഊͯ͠ԿӨڹ͕ͳ͍ʯγεςϜίʔϧΛߟ͑Δ •ྫ͑ɺϦΞϧλΠϜγάφϧΛҰͭબΜͰ signal(s, SIG_IGN) •ͦͷγάφϧΛࣗʹૹΔͱɺԿ͠ͳ͍͕ɺ γάφϧ൪߸ͰಉఆՄೳͳ γεςϜίʔϧݺͼग़͠Λ࡞ΕΔ
ͦͷϚʔΧʔతγεςϜίʔϧΛ •libcͷlisten(3)ͷݺͼग़͠ͷલʹϑοΫͤ͞Δ •LD_PRELOADΛ༻͍ɺϥούؔΛఆٛ͢Δɻ •͜ΕͰɺ࣮࣭తʹ listen(2) ͷલʹ ϓϩάϥϜΛఀࢭͤ͞ɺ·ͨ࠶ੜ࣌ Өڹͳ͘ॲཧΛܧଓͰ͖Δͣɻ
࠷ޙͷ࣮ݧ •ϥούʔΛ͞Βʹࠨʹมߋ •ىಈˠ Notification receiver ܦ༝Ͱμϯϓ LJMM BOZ ͷݺͼग़͠Λτϥοϓ
4*(35."9 -%@13&-0"%ΛFYFD࣌ʹࢦఆ
ࠓճͷμϯϓɺϓϩηε࠶ੜʹޭ͢Δ
None
ͪͳΈʹ... •LD_PRELOADΛ࣋ͪग़ͨ࣌͠ͰͳΜͰΞϦ..... •ͱࢥͬͯɺͨͱ͑ӈͷΑ͏ʹίʔυΛม͑ͯΈͨɻ •݁Ռ →ίϯςφԽ(PID unshared)͍ͯ͠ΔͷͰɺ ͕ࣗࣗPID=1ʹͳͬͯSIGSTOPΛແࢹɻ • ݁ہίϯςφͷinit processΛ࣮֬ʹࢭΊΔʹseccomp͔͠ͳ͍Α͏ʹࢥΘΕͨɻ
ߟྀ࿙Ε͕͋Εڭ͍͑ͯͩ͘͞ɻ
·ͩݕ౼͍ͯ͠ͳ͍͜ͱ •ϚϧνεϨουΞϓϦέʔγϣϯ... Ͳ͏͍͏;͏ʹࢭ·Δͷ͔ •ͱݴͬͯ࠷ॳͷݺͼग़͠Ͱࢭ·Δʁ ͷ͔ͳʁ •LD_PRELOAD ͕Կ͔ͷཧ༝Ͱ͑ͳ͍࣌ •libcΛͦͦͬͯͳ͍࣌ʢಛʹGoʣ •syscall͕ݺͼग़͞ΕΔ࣌ ....
͓͜ͱΘΓ •ߥແܤͳ͜ͱΛ͍ͯ͠Δ͜ͱঝ͍ͯ͠·͢ɻ •໘നLinuxωλͱͯ͠ফඅ͍͚ͨͩΕ͍Ͱ͢ •ࣅͨΑ͏ͳ͜ͱΛͬͱ͏·͍ͬͯ͘Δྫ͕ΕͨΒخ͍͠ •ͱΓ͋͑ͣɺ2018ͷ಄͔Βஅଓతʹपลͷ࣮Λଓ͚͖ͯͨҰ࿈ͷ ݚڀΛɺ͜ͷػձʹڙཆͰ͖Εͱࢥ͍ɺ͓࣌ؒΛ͍͖ͨͩ·ͨ͠ɻ ͝ਗ਼ௌʹײँ
ࢀߟهࣄͳͲ •அଓతʹॻ͍ͯΔseccompͱMiehistöͷϒϩά • ʮmrubyͱseccompͱptraceͰγεςϜίʔϧΛͱʹ͔͍͔͚͘Δʯ(2017/04) • ʮGrenadine: ʮී௨ͷΞϓϦέʔγϣϯʯ͕νΣοΫϙΠϯτ/ϦετΞͷԸܙΛڗड͢Δʯ (2019/03) • ʮWSAݚڀձ
ୈ7ճ ͰCRIUͱMiehistöͷൃදΛ͠·ͨ͠ #WSAݚʯ(2020/11) • ʮҙͷϥΠϒϥϦίʔϧͰϓϩάϥϜΛఀࢭ͠ɺىಈ༻ͷCRIUΠϝʔδΛ࡞͢ΔΞϓ ϩʔνʹ͍ͭͯʯ(2020/12) IUUQTVE[VSBIBUFOBCMPHKQ