Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CRIUとSeccomp / criu-and-seccomp-and-me
Search
KONDO Uchio
April 17, 2021
Technology
1
790
CRIUとSeccomp / criu-and-seccomp-and-me
第14回 コンテナ技術の情報交換会@オンライン
https://ct-study.connpass.com/event/205571
KONDO Uchio
April 17, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.4k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
240
Narrative of Ruby & Rust
udzura
0
210
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.7k
Talk of RBS
udzura
0
440
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
770
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
720
Device access filtering in cgroup v2
udzura
1
880
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
810
Other Decks in Technology
See All in Technology
大規模PaaSにおける監視基盤の構築と効率化の道のり
lycorptech_jp
PRO
0
160
AIのための オンボーディングドキュメントを整備する - hirotea
hirotea
9
2.2k
Swiftは最高だよの話
yuukiw00w
2
270
RDRA3.0を知ろう
kanzaki
2
400
プロジェクトマネジメント実践論|現役エンジニアが語る!~チームでモノづくりをする時のコツとは?~
mixi_engineers
PRO
3
150
初めてのGoogle Cloud by AWS出身者
harukasakihara
1
720
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
24k
Introduction to Bill One Development Engineer
sansan33
PRO
0
230
やさしいClaude Code入門
minorun365
PRO
4
1.5k
Roo Codeにすべてを委ねるためのルール運用
pharma_x_tech
1
130
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
740
Scale Security Programs with Scorecarding
ramimac
0
380
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Straight Up "How To Draw Better" Workshop
denniskardys
233
140k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.8k
The Pragmatic Product Professional
lauravandoore
35
6.7k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
15
880
Balancing Empowerment & Direction
lara
1
81
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Music & Morning Musume
bryan
47
6.5k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.3k
Transcript
ۙ౻Ӊஐ࿕ / GMO Pepabo, Inc. ୈ14ճ ίϯςφٕज़ͷใަձ@ΦϯϥΠϯ 2021/04/17 CRIUͱseccompͱ ֨ಆͨ͠
ʙશͯരىಈͷͨΊͩͬͨʙ *NBHFIUUQTQJYBCBZDPNJNBHFTJECZ"OUSBOJBT
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
@ GMOϖύϘ ΤϯδχΞΧϑΣʢԬࢢẂנจԽձؗʣ αϙʔλʔ #Ruby #mruby #Rust #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ #FitBoxing2 --- ͖ͳγεςϜίʔϧʁ ͬͺΓ unshare(2) Ͱ͢Ͷɻ
αϙʔλʔͯ͠·͢ !ΤϯδχΞΧϑΣ ԬࢢẂנจԽؗ
ToC •࡞CRIUϥούʔ “Miehistö” ʹ͍ͭͯ •ҙͷΞϓϦέʔγϣϯΛҙͷՕॴͰμϯϓ͢Δٕज़ͷ࣮ݱ •seccomp + SCMP_ACT_TRACE ʹΑΔख๏ •seccomp
+ SCMP_ACT_NOTIFY ʹΑΔख๏ wͦͯ͠આ
ɹɹ(Caveats) •Seccomp ͕ςʔϚͳͷʹ͙Β͍CRIUͷ͍ํͷΛ͠·͢ •·ͱΊͯൃද͢Δػձ͕ͣͬͱͳ͔ͬͨͷͰ... •ॻ͍ͯ͋Δ͜ͱࣗମɺ ͍͍ͩͨ͜ͷϒϩάͷ༰Ͱ͢ • CRIUʹؔ͢Δ࣮༰ͷίΞ2019ʹ ॻ͍͓ͯΓɺ͔ͨ͠͠Β࠷৽ͷ࠷৽ มԽ͋Δ͔ɻ
CRIU
CRIUͬͯ •Linuxʹ͓͍ͯɺϓϩηεͷνΣοΫϙΠϯτɾϦετΞΛ࡞͢Δͨ ΊͷϢʔβϥϯυͰͷπʔϧ (Checkpoint-Restore In Userspace) •ίϯςφϓϩηεͳͷͰɺίϯςφͷνΣοΫϙΠϯτɾϦετΞ Λ࣮ݱ͢ΔͨΊओʹ͏Α͏ʹͳͬͨ https://criu.org/Main_Page
۩ମతʹ •͜͏͍͏༻్Λఆͯ͠ΔΒ͍͠ɻ (https://criu.org/Usage_scenarios) •ίϯςφͷϥΠϒϚΠάϨʔγϣϯ •ىಈ͕͍ΞϓϦέʔγϣϯͷߴԽ •σεΫτοϓڥͷαεϖϯυɾϨδϡʔϜ •ແఀࢭʢʹݟ͔͚ͤΔʣΧʔωϧΞοϓάϨʔυ •ͳͲͳͲ...
࠷ۙͷCRIU •3.13(Sep 11, 2019) ... libcriu.a ͕ϏϧυͰ͖ΔΑ͏ʹͳͬͨ by @udzura •3.14(π,
Apr 29, 2020) ... clone3(2)ͱTime NS support, ଞ •3.15(Nov 04, 2020) ... MIPS support, cgroup v2 support, PID NS෦ ͷϦετΞ, ... ଞ •Still developing... ຊൃදͷ$3*6ͷόʔδϣϯͰ͢
CRIU͍͍Ͷʂ •ૣͬͯΈΑ͏ʂ... ❓ ❓❓ $3*6ͰҰԠ ͜ΕͰ0,ɻ͔͠͠ ଓ
CRIUͬͯͲ͏͏ͷ...ʁ •CRIUɺͦͦʮͪΌΜͱಈ͔͢ʯͷ͕͍͠ •ϝϞϦͷଞʹɺFile Descriptor/tty/socket ͦͷଞͷѻ͍... •ϦετΞޙʹPID͕ॏෳͯ͠Δͱ࠶ੜͰ͖ͳ͍ •͜ͷʮΠϝʔδʯతͳͭͬͯͲ͏ཧ͢Ε͍͍Μͩʁ
طʹΈࠐ·ΕͨCRIUΛ͏ʁ •ίϯςφϥϯλΠϜʹΈࠐ·Εͨcheckpoint/retoreΛ͏ख͋Δ ͕ɺϥϯλΠϜʹΑΓૢ࡞͕ҧ͏֮͑͠ΒΕͳ͍... •ͦͦطଘͷ σʔϞϯ͕ ίϯςφ͡Όͳ͍ɺͱ͔ IUUQTTQFBLFSEFDLDPNVE[VSBNJFIJTUPBSFDPNNFOEFETUBDLUPJOUFHSBUFDSJVJOUPFYJTUJOHTZTUFNT TMJEF
ͳͷͰॻ͍ͨ
Miehistö (Έ͑ͻͯ͢) • (ex. Grenadine) • Miehistö = “CREW” in
Finnish NJF 㷺IJTU
Miehistö ͱ •CRIUΛͳΔ͘ී௨ͷϓϩηεʹରͯ͠ద༻͘͢͢͠ΔɺҰ࿈ͷ πʔϧϥούʔ •miehistod: αʔϏεΠϝʔδΛ ཧ͢ΔதԝσʔϞϯ •mhctl: ΫϥΠΞϯτ •runmh:
CRIU͍͢͠ϓϩηεΛ ࡞ΔҰछͷϥϯλΠϜ Έ͑ͻͯ͢Ͱ͌ʔ Ήʔ͜ΜͱΖʔΔ ΒΜΉʔ
runmh ͕͍ͯ͠Δ͜ͱ •ͳΔ͘ʮී௨ʹVMʹ্ཱͪ͛ͨϓϩηεʯͱಉ͡ڥͰ্ཱͪ ͕͍ͬͯΔঢ়ଶͷϓϩηεΛ࡞Δ •ͦͷ্ͰɺCRIUͰͷμϯϓ/ϦετΞͷোนʹͳΔΑ͏ͳ݅Λ֎ ͠ɺCRIU-readyͳঢ়ଶʹ͢ΔҰ࿈ͷૢ࡞Λߦ͏
۩ମతʹ... •·ͣɺPID Namespace Λ͠ɺPIDΛ1͔Β࢝ΊΔඞཁ͕͋Δ •→ clone(2) ʹΑΓִ͠ɺ /proc ϑΝΠϧγεςϜΛࣗͰϚϯτ •→
ͦͷͨΊɺMount namespaceִ
Mount namespace/root ͷ •/proc ΛϚϯτ͢͠ͷͰMount NSunshared •ಠཱͨ͠ɺ͔ͭϗετͱେମಉ͡root filesystem͕ඞཁ •࡞Γํ: •ԾͷσΟϨΫτϦʹ
/ Λbind mountɺ/devͳͲݸผʹbind mount •ͦ͜ʹpivot_root͢Δ(chroot μϝɺͦͷMount NSͰೝࣝ͞ΕΔ rootΛૠ͛ସ͑Δඞཁ͕͋ΔͨΊ)
ͦͷଞ •ttyɺrootͷ֎ʹ͋ΔϑΝΠϧΛࢀর͍ͯ͠Δͱμϝ: •stderr/outrootͷϑΝΠϧΛ։͖͢ •ʢϩάϑΝΠϧ O_WRONLY|O_APPEND Ͱ։͍͍ͯͳ͍ͱμϝʣ •setsid() ΛݺΜͩηογϣϯϦʔμʔ͕process treeͷrootͰ͋Δඞཁ ͕͋ΔͷͰݺͿ
࣮ͷΠϝʔδ /&8/4 /&81*%ͷϑϥάΛ༩͑ͯDMPOF )PTUSPPU ΛผͷՕॴʹCJOENPVOU TFUTJE QJWPU@SPPU GEΛEFWOVMM
GE ΛݱࡏͷSPPU෦ͷϑΝΠϧʹ͠ 0@830/-:c0@"11&/%Ͱ։͘ ରϓϩάϥϜʹFYFD
͜ΕͰμϯϓ࣮֬ʹޭ™͢Δɻ •ߟྀͰ͖͍ͯͳ͍͜ͱ·͍ͩͬͯΔ͔ɻ
μϯϓ·Ͱ҆ఆ͚ͨ͠Ͳ... •ϦετΞɺͲ͏͠·͠ΐ͏ͱ͍͏ •ૉʹɺͰ͖ͨΠϝʔδΛ༻͍ͯCRIUίϚϯυΛୟ͚ݩͷϓϩη ε͕ϦετΞ͞ΕΔ͕... •miehistodαʔϏεͰϦετΞલ/ϦετΞޙͷϓϩηεΛ౷Ұతʹ ཧ͍ͨ͠ɻͳͷͰɺϦετΞޙͷϓϩηεΛmiehistodͷԼʹͿΒԼ ͍͛ͨɻͲ͏͢Ε͑͑ͶΜɻ
ϦετΞʹ͍ͭͯ •Miehistöͷཁ্݅ɺϦετΞ͞Εͨϓϩηεmiehistod(runmh)Ͱ ཧ͍ͨ͠ɻͳͷͰҙͷϓϩηεͷࢠϓϩηεͱͯ͠ϦετΞ͢Δඞ ཁ͕͋Δ... ͦΜͳͷͰ͖Δʁ •ӈͷΑ͏ͳ͜ͱΛ͢Δࡍɺ runmh -> criu ->
ruby criu͕ফ͑ͨΒ... μϝ ࢦ͍ͯ͠ΔϓϩηεπϦʔ
miehistö ͰͷϦετΞ࣮ •miehistod ͷԼͰ criu restore ΛݺͿ •ͦͷࡍʹɺ --exec-cmd ͱ͍͏ΦϓγϣϯΛར༻͠ɺ
ϦετΞޙʹcriuίϚϯυࣗΛrunmhϓϩάϥϜʹexec͢Δ • ΛrunmhɺࢠΛϦετΞޙͷίϚϯυͱ͍͏ϓϩηεπϦʔΛ࡞͍ͨͨ͠Ί •·ͨɺbind mountͷѻ͍ʹ͍ͭͯcriu restoreʹ͢ඞཁ͕͋Δ •--external Φϓγϣϯʹ͍ͭͯ
͜͏͍͏criuίϚϯυΛੜ࣮ͯ͠ߦ͢Δ •ͪͳΈʹCRIUʹΫϥΠΞϯταʔόಈ࡞(libcriuܦ༝)ͱɺίϚϯυ ىಈʹΑΔಈ࡞ͷϞʔυ͕ଘࡏ͢Δɻࠓճͷέʔεɺϓϩηε μϯϓΫϥαόͰOKɺϓϩηε࠶ੜίϚϯυͰͳ͍ͱෆՄɻ
--exec-cmd •criuίϚϯυͰɺϓϩηεΛϦετΞ͠spwanͨ͠ޙʹɺݩͷcriuίϚ ϯυࣗମΛผͷϓϩάϥϜʹexecͯ͠͠·͏͜ͱ͕Ͱ͖Δɻ •ͦ͏͢ΔͱʮϦετΞޙͷϓϩηεΛwait͢ΔϓϩάϥϜʯΛࠩ ͠ସ͑ΒΕΔͷͰɺࠓճͷΑ͏ʹεʔύόΠβʔతͳϓϩάϥϜΛ࡞ ͢Δ্Ͱศརɻ •miehistod -> runmh ->
(ϦετΞޙϓϩηε) ͷπϦʔ͕
ͷ͛͢ସ͑ͷΠϝʔδਤ IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT TMJEFɹ
External bind mounts •root͔Βݟͯ֎෦σΟϨΫτϦΛBind mount͍ͯ͠Δใɺdump/ restore࣌ʹࣗಈݕ͞Εͳ͍ͷͰɺ໌ࣔతʹࢦఆ͢Δඞཁ͕͋Δɻ •dump࣌ʹˠ ֎෦Bind mountઌΛنͰܾΊ͍ͯΔͷͰɺͦΕΒͷ ใΛ
--external ૬ͷΦϓγϣϯͱͯ͠criuαʔϏεʹ͢ •restore࣌ʹˠ ҎԼͷΑ͏ͳܗࣜͰίϚϯυʹ͢ --external mnt[__pids-d05739ddd0a12dd5040494c20461a197]:/sys/fs/cgroup/pids IUUQTDSJVPSH&YUFSOBM@CJOE@NPVOUT
͜ΕͰϦετΞͰ͖ΔΑ͏ʹɻ
ࠓCRIUͰ͍ͯ͠ͳ͍͜ͱ •MiehistöͰະ༻ͷΦϓγϣϯ: --cgroup-root, --action-script ͳͲ •swrkϞʔυͷ ͍͔ͭ͢ػձ͕དྷΔΜͰ͠ΐ͏͔ Ϣʔεέʔε͕ͲΕχονͳΜͰ͚͢Ͳ Ұ෦ʮ$3*6ΛϗεςΟϯάͰࢼ͍ͯ͘͠IPTUJOHDBTVBMʯ Ͱ͍ͯ͠·͢IUUQTTQFBLFSEFDLDPNVE[VSBNZDSJVMJGFJOQSPHSFTT
ΞϓϦέʔγϣϯΛࢭΊΔ
Γ͍ͨʢ͔ͬͨʣ͜ͱ •ʮΞΫηε࣌ʹॳΊͯىಈ͢ΔʯΞʔΩςΫνϟͰɺॳճىಈͷΦʔ όϔουΛۃݶ·Ͱݮ͍ͨ͠ •FastContainer (ref: https://rand.pepabo.com/article/2017/06/28/iot38-matsumotory/) •ۙͳͷͰHerokuͱ͔Cloud Runͱ͔
ϓϩηεͷࣄલμϯϓͱ͍͏ख๏ •ࣄલʹίϯςφͷϝϞϦμϯϓΛ࡞ͬͯɺ͔ͦ͜Βىಈ͢Εɺ ྫ͑εΫϦϓτݴޠʹΑΔϑϧελοΫϑϨʔϜϫʔΫͷΑ͏ʹɺ ىಈϓϩηεʹ͕͔͔࣌ؒΔΞϓϦέʔγϣϯͰ ىಈͷΦʔόϔουΛݮͰ͖ΔͷͰͳ͍͔ɺͱߟ͑ͨɻ •ʢϗεςΟϯάαʔϏε෦Ͱ͍͔ͨͬͨͷͰɺͳΔ͘ΞϓϦͷ ੑ࣭ʹΑΒͳ͍൚༻తͳํ๏ʹ͔ͨͬͨ͠എܠ͋Δʣ
cf. strace -c rails s •rails newͯ͠΄΅CRUDͻͱͭՃ͚ͨͩ͠ͷΞϓϦɺͷىಈ RAILS_ENV=production •΄΅openͱstat ϑΝΠϧૢ࡞
•͜ΕΒͷopenΛશ෦ εΩοϓͰ͖Εͦ͏
͍ͭࢭΊΔʁ •ͳΔ͘ʮঢ়ଶ͕ͳ͍ʯλΠϛϯάͰࢭΊ͍ͨ •ͨ͘͞ΜޙΖͷDBͱestablishͯ͠ɺଓΊͬͪΌड͚ࢭΊͯͯ... ͳঢ়ଶͰɺCRIUͰνΣοΫϙΠϯτͰ͖ΔͩΖ͏͕ɺෆཁͳτϥ ϒϧͱͦͷγϡʔτ͕ى͜Γͦ͏ɻ •͋ΔఔػցతʹࢭΊΔλΠϛϯάΛܾఆ͍ͨ͠ •ྫ͑ɺॳճͷ listen(2) ͳͲͷλΠϛϯάͰఀࢭ͢ΔͷͲ͏͔ɻ
seccomp (SCMP_ACT_TRACE)
listen(2) ʹϑοΫͯ͠ͳΜ͔͍ͨ͠ •͍ͭʹseccomp͕ग़ͯ͘Δ... •seccompɺ୯७ͳallowlist/denylistͷ΄͔ɺࢦఆͨ͠γεςϜίʔϧ ݺͼग़͠ͷࡍʹptrace(2)ܦ༝Ͱ௨ΛૹΔΦϓγϣϯ͕͋Δ (SCMP_ACT_TRACE) •ʢͪͳΈʹݺͼग़͢γεςϜίʔϧ൪߸ࣗମΛมߋͰ͖ΔΦϓγϣϯ Ͱɺ͔֬gVisorͳͲͰΘΕ͍ͯΔɺΜͰ͢ΑͶ??ʣ
SCMP_ACT_TRACE ͍ํ • fork͢Δ • [] ptrace(PTRACE_ATTACH); ptrace(PTRACE_O_TRACESECCOMP) ͢Δ •
[] ptrace(PTRACE_CONT) ͢Δ • [] waitpid(-1, &status, WUNTRACED | WCONTINUED | __WALL) ͢Δ (-1 ͳͷtraceͯ͠Δ͞ΒʹࢠϓϩηεɾεϨουΛ͏ͨΊ) • [ࢠ] SCMP_ACT_TRACE ͳseccomp ctxΛϩʔυ͢Δ • [] ࢠͰ֘γεςϜίʔϧ͕ݺΕΔͱɺ֘ϓϩηεͷใ͕waitpidͷΓɺ ptrace(PTRACE_GETEVENTMSG)ɺptrace(PTRACE_GETREGS)ͳͲͰऔಘͰ͖Δ
͍͜͠ͷͰmrubyͰϥοϓͨ͠ •https://github.com/haconiwa/mruby-seccomp/blob/master/examples/ tracing.rb
seccomp + ptrace •SCMP_ACT_TRACEγεςϜίʔϧΛݺͼग़͢લʹτϨʔεݩϓ ϩηεΛఀࢭ͠ɺτϨʔεઌͷϓϩηεʹ௨ΛૹΓɺͦͷ༰ʹԠ ͡ҙͷॲཧΛͤ͞Δ͜ͱ͕Ͱ͖Δɻ •͕ͨͬͯ͠ɺlisten(2)ͳͲͷγεςϜίʔϧͷݺͼग़͠લʹϑοΫɺ criuʹΑΔϓϩηεμϯϓΛ࣮ࢪ͢Εɺͦͷϓϩηεͷ listen(2)લͷঢ়ଶͷμϯϓΛػցతʹऔಘͰ͖Δ... ͣʁ
•ʢ͜ͷลΓͷΞΠσΞͷݩ @matsumotory ͞ΜͰ͢ʣ
ͬͯΈ·͠ΐ͏ •؆୯ͳϥούʔΛט·ͤɺmiehistöͰىಈɺseccompͰఀࢭ •μϯϓʹޭ͠ͳ͍
ptrace ͷΦϓγϣϯ͕όοςΟϯά͢Δʁ •seccompͰͷτϨʔεϓϩηεΛ ptrace(PTRACE_ATTACH) ͯ͠Ξ λονঢ়ଶʹ͠ɺఀࢭঢ়ଶΛݕ͢Δ •Ұํɺcriuͷ෦Ͱɺ ptrace(PTRACE_SEIZE) ͰΞλονঢ়ଶʹͯ͠ ptrace(PTRACE_INTERRUPT)
Ͱ໌ࣔతʹࢭΊ͍ͯΔɻ •ผʑͷΦϓγϣϯͰࢭΊ͍ͯΔͷʹͳ͍ͬͯΔՄೳੑ͕͋Δ •͜ͷลΓͷύονΛແཧʹcriuʹͯͯ... • ݁ہseccomp ctx͕ϓϩηε͔Βൈ͚ͳ͍ͨΊɺ2ճͷ listen() ͕ptrace tracee͕ଘࡏ͠ͳ͍ѻ͍ʹͳΓENOSYS ʹͳΔ?
ͪΐͬͱݟ௨͕͠ѱͦ͏ͩ... •ͱ͔ݴ͍ͬͯΔ͏ͪʹผ݅Ͱ͘͠ͳͬͨΓ͠ɺSwap outɻ •͜͜·Ͱɺ ࣮2018ʹݕূͨ͠ɻ IUUQTICNBUTVNPUPSKQFOUSZɹ
(ͬͱ) seccomp notification
Seccompʹ৽Φϓγϣϯ͕དྷͨ •SCMP_ACT_NOTIFY (seccomp notification) •Կऀͳͷ͔ɺ͜͜·ͰͷτʔΫͰօશཧղͨͣ͠... ຊൃදͷMJCTFDDPNQͷόʔδϣϯͰ͢ ΧʔωϧHFOFSJD6CVOUV(SPPWZ
Seccomp notificationͷ߹ʁ •ࢦఆͨ͠γεςϜίʔϧݺͼग़͠Λͨ͠ࡍʹɺผͷϓϩηεʹͲ͏ॲ ཧ͢Δ͔ΛҠৡ͢Δ͜ͱ͕Ͱ͖Δɻ •ͦͷؒɺݩͷϓϩηεϒϩοΫ͍ͯ͠Δ •ͭ·Γɺಉ͡Α͏ʹɺʮҙͷγεςϜίʔϧݺͼग़͠ʯͰఀࢭ͢Δ ͜ͱ͕Մೳʹ...ʁ
࣮ݧ͢Δ •ӈͷΑ͏ͳ seccomp notif receiver Λ࣮͢Δ
ϥούܦ༝Ͱىಈ͢Δ •ϥούࠨ •͜ΕΛט·ͤͯىಈ •ͪΌΜͱlistenલͰ ࢭ·Δ 3VMFOPUJGZͱ͍͏"1*Λ࣮ ɹ6/*9υϝΠϯιέοτΛ։͍ͯ ɹ4FDDPNQOPUJGZGEΛ ɹ4FOEP⒎Ͱ͖ΔΑ͏ʹ͍ͯ͠Δ
͜ͷͱ͖ࢭ·͍ͬͯΔϓϩηεͷstack •seccomp_do_user_notification ͱ͍͏ṖͷؔͰఀࢭ͍ͯ͠Δ •௨ৗͷΧʔωϧؔͷҰ෦ͰϒϩοΫ͍ͯ͠Δ •γάφϧɺptraceͳͲͰࢭ·͍ͬͯΔঢ়ଶͰͳ͍
͜ΕΛμϯϓϦετΞͯ͠... •μϯϓແࣄޭ͢Δɻ •ϦετΞͯ͠ɺENOSYS ͕ग़ͯ͠·͏ɻ
ਖ਼ৗʹμϯϓͰ͖Δ͕… •ϦετΞͨ͠λΠϛϯάͰɺ৽͍͠ϓϩηε Seccomp Context ͕ ਖ਼ৗʹϋϯυϧ͞Ε͍ͯͳ͍ঢ়ଶʹͳͬͯ͠·͏ •͜͏ͳΔͱɺSCMP_ACT_NOTIFYͰ௨͢Δ௨ઌ͕ͳ͍ͱ͍͏ঢ়ଶ ʹͳͬͯ͠·͏Α͏Ͱɺͦ͏͍͏߹ͷ༷Ͱ͋Δ ʮγεςϜίʔϧ͕ errno=ENOSYS
Ͱࣦഊ͢Δʯ ͱ͍͏݁Ռʹͳͬͨɻlisten(2)Λਖ਼ৗ࠶։͢Δํ๏͕ͳ͍ɻ
ͰͲ͏͢Δ͔ʁ •<దͳ͍Β͢ͱΛҾ༻͢Δ>
ͰͲ͏͢Δ͔ʁ •ʮޭࣦͯ͠ഊͯ͠ԿӨڹ͕ͳ͍ʯγεςϜίʔϧΛߟ͑Δ •ྫ͑ɺϦΞϧλΠϜγάφϧΛҰͭબΜͰ signal(s, SIG_IGN) •ͦͷγάφϧΛࣗʹૹΔͱɺԿ͠ͳ͍͕ɺ γάφϧ൪߸ͰಉఆՄೳͳ γεςϜίʔϧݺͼग़͠Λ࡞ΕΔ
ͦͷϚʔΧʔతγεςϜίʔϧΛ •libcͷlisten(3)ͷݺͼग़͠ͷલʹϑοΫͤ͞Δ •LD_PRELOADΛ༻͍ɺϥούؔΛఆٛ͢Δɻ •͜ΕͰɺ࣮࣭తʹ listen(2) ͷલʹ ϓϩάϥϜΛఀࢭͤ͞ɺ·ͨ࠶ੜ࣌ Өڹͳ͘ॲཧΛܧଓͰ͖Δͣɻ
࠷ޙͷ࣮ݧ •ϥούʔΛ͞Βʹࠨʹมߋ •ىಈˠ Notification receiver ܦ༝Ͱμϯϓ LJMM BOZ ͷݺͼग़͠Λτϥοϓ
4*(35."9 -%@13&-0"%ΛFYFD࣌ʹࢦఆ
ࠓճͷμϯϓɺϓϩηε࠶ੜʹޭ͢Δ
None
ͪͳΈʹ... •LD_PRELOADΛ࣋ͪग़ͨ࣌͠ͰͳΜͰΞϦ..... •ͱࢥͬͯɺͨͱ͑ӈͷΑ͏ʹίʔυΛม͑ͯΈͨɻ •݁Ռ →ίϯςφԽ(PID unshared)͍ͯ͠ΔͷͰɺ ͕ࣗࣗPID=1ʹͳͬͯSIGSTOPΛແࢹɻ • ݁ہίϯςφͷinit processΛ࣮֬ʹࢭΊΔʹseccomp͔͠ͳ͍Α͏ʹࢥΘΕͨɻ
ߟྀ࿙Ε͕͋Εڭ͍͑ͯͩ͘͞ɻ
·ͩݕ౼͍ͯ͠ͳ͍͜ͱ •ϚϧνεϨουΞϓϦέʔγϣϯ... Ͳ͏͍͏;͏ʹࢭ·Δͷ͔ •ͱݴͬͯ࠷ॳͷݺͼग़͠Ͱࢭ·Δʁ ͷ͔ͳʁ •LD_PRELOAD ͕Կ͔ͷཧ༝Ͱ͑ͳ͍࣌ •libcΛͦͦͬͯͳ͍࣌ʢಛʹGoʣ •syscall͕ݺͼग़͞ΕΔ࣌ ....
͓͜ͱΘΓ •ߥແܤͳ͜ͱΛ͍ͯ͠Δ͜ͱঝ͍ͯ͠·͢ɻ •໘നLinuxωλͱͯ͠ফඅ͍͚ͨͩΕ͍Ͱ͢ •ࣅͨΑ͏ͳ͜ͱΛͬͱ͏·͍ͬͯ͘Δྫ͕ΕͨΒخ͍͠ •ͱΓ͋͑ͣɺ2018ͷ಄͔Βஅଓతʹपลͷ࣮Λଓ͚͖ͯͨҰ࿈ͷ ݚڀΛɺ͜ͷػձʹڙཆͰ͖Εͱࢥ͍ɺ͓࣌ؒΛ͍͖ͨͩ·ͨ͠ɻ ͝ਗ਼ௌʹײँ
ࢀߟهࣄͳͲ •அଓతʹॻ͍ͯΔseccompͱMiehistöͷϒϩά • ʮmrubyͱseccompͱptraceͰγεςϜίʔϧΛͱʹ͔͍͔͚͘Δʯ(2017/04) • ʮGrenadine: ʮී௨ͷΞϓϦέʔγϣϯʯ͕νΣοΫϙΠϯτ/ϦετΞͷԸܙΛڗड͢Δʯ (2019/03) • ʮWSAݚڀձ
ୈ7ճ ͰCRIUͱMiehistöͷൃදΛ͠·ͨ͠ #WSAݚʯ(2020/11) • ʮҙͷϥΠϒϥϦίʔϧͰϓϩάϥϜΛఀࢭ͠ɺىಈ༻ͷCRIUΠϝʔδΛ࡞͢ΔΞϓ ϩʔνʹ͍ͭͯʯ(2020/12) IUUQTVE[VSBIBUFOBCMPHKQ