A port of the pledge isolation mechanism to Linux is being prepared

Recently the author of the Cosmopolitan C library and the Redbean platform announced, in a published note, an implementation of the pledge() isolation mechanism for Linux.

Originally developed by the OpenBSD project, pledge lets you selectively forbid an application from using system calls it does not need (a kind of whitelist of system calls is created for the application, and all other calls are prohibited). Unlike the syscall access control mechanisms available on Linux, such as seccomp, pledge was designed from the ground up to be as easy to use as possible.

Failed attempts to isolate applications in the OpenBSD base system using the systrace mechanism showed that isolation at the level of individual system calls is complicated and time-consuming.

As an alternative, pledge was proposed: it allows isolation rules to be written without going into low-level details, by managing access classes for programs instead.

For example, the classes offered include stdio (input/output), rpath (read-only file access), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (ioctl calls), proc (process management), exec (launching processes), and id (managing permissions).

The rules for working with system calls are specified as annotations that list the allowed system call classes and a set of file paths to which access is permitted. After the modified application is built and run, the kernel takes over enforcement of the specified rules.

Separately, a pledge implementation for FreeBSD is being developed; it differs in that it can isolate applications without changing their code, whereas in OpenBSD the pledge call is meant to be integrated into the base system, with annotations added to the code of each application.

Pledge is like the forbidden fruit we all covet when the boss says we have to use things like Linux. Why does it matter? Because pledge() actually makes security understandable. Linux has never had proper security that mere mortals can understand.

The developers of the Linux port took the idea from FreeBSD: instead of making code changes, they prepared an additional tool, pledge.com, which lets you apply restrictions without modifying the application's code. For example, to run the curl tool with access only to the stdio, rpath, inet, and thread system call classes, simply run "./pledge.com -p 'stdio rpath inet thread' curl http://example.com".

The utility works on all Linux distributions since RHEL6 and does not require root access. In addition, building on the Cosmopolitan library, an API is provided for managing the restrictions from C program code, which allows, among other things, isolated zones with specific access permissions to be created for particular application functions.

There have been a few developers in the past who tried this. I won't name names, because most of those projects were never finished. When it comes to SECCOMP, the online tutorials only explain how to whitelist system calls, so most people lose interest before they figure out how to filter arguments. The projects that did get further also have oversights, such as allowing the setuid/setgid/sticky bits to be changed. So none of the existing approaches should be used. I think this effort brings us closer to having pledge() than ever before.

The implementation requires no kernel changes: the specified restrictions are translated into SECCOMP BPF rules and enforced by Linux's native process isolation mechanism. For example, the call pledge("stdio rpath", 0) is translated into a BPF filter.
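To show what that translation involves, here is an added example that is not pledge.com's or Cosmopolitan's own code: it turns a promise string such as "stdio rpath" into a seccomp BPF allowlist (architecture check, one compare per permitted syscall, kill by default) and evaluates the result in userspace before it is ever installed. The promise-to-syscall table is a constructed, deliberately small subset of the real classes, and NATIVE_ARCH assumes x86_64.

```c
/* Added example, not pledge.com's code: turn a pledge-style promise string into
 * the seccomp-bpf allowlist the article describes. Table is a constructed subset. */
#include <stddef.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: use the target ABI's AUDIT_ARCH_* */
static const struct { const char *name; int nrs[6]; } PROMISES[] = {
    {"stdio", {SYS_read, SYS_write, SYS_close, SYS_brk, SYS_exit_group, -1}},
    {"rpath", {SYS_openat, SYS_fstat, SYS_getcwd, -1}},
    {"inet",  {SYS_socket, SYS_connect, SYS_sendto, SYS_recvfrom, -1}},
};
/* Writes the filter into out[]; returns its length, or -1 on an unknown promise or
 * a too-small cap. Layout: arch check, then "JEQ nr -> ALLOW" per syscall, then KILL. */
static int build_filter(const char *promises, struct sock_filter *out, size_t cap) {
    size_t n = 0, np = sizeof PROMISES / sizeof *PROMISES;
    if (cap < 5) return -1;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (const char *t = promises; *t; ) {
        size_t len = strcspn(t, " "), p = 0;
        if (len == 0) { t++; continue; }                 /* skip separators */
        while (p < np && (strncmp(t, PROMISES[p].name, len) || PROMISES[p].name[len])) p++;
        if (p == np) return -1;                          /* unknown promise: refuse, don't guess */
        for (const int *nr = PROMISES[p].nrs; *nr != -1; nr++) {
            if (n + 3 > cap) return -1;
            out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)*nr, 0, 1);
            out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
        t += len;
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return (int)n;
}

/* Userspace interpreter for the instruction forms emitted above; returns the SECCOMP_RET_* action. */
static unsigned eval_filter(const struct sock_filter *f, size_t n, unsigned arch, int nr) {
    for (size_t pc = 0, acc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_RET | BPF_K)) return f[pc].k;
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            acc = f[pc].k == offsetof(struct seccomp_data, nr) ? (unsigned)nr : arch;
        else pc += acc == f[pc].k ? f[pc].jt : f[pc].jf;  /* BPF_JEQ: relative skip */
    }
    return SECCOMP_RET_KILL_PROCESS;
}
```

To enforce the filter, a program sets PR_SET_NO_NEW_PRIVS and passes the array, wrapped in a struct sock_fprog, to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); the real pledge.com additionally filters syscall arguments, which this plain allowlist does not.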

Finally, if you are interested in learning more about it, you can consult the details at the following link.
