Pledge isolation mechanism successfully ported to Linux

Recently, the author of the Cosmopolitan C standard library and the Redbean platform announced in a blog post the implementation of the pledge() isolation mechanism for Linux.

pledge was originally developed by the OpenBSD project and makes it possible to selectively deny applications access to system calls they do not use (a kind of whitelist of system calls is built for the application, and all other calls are forbidden). Unlike the system call access control mechanisms available on Linux, such as seccomp, the pledge mechanism was designed from the ground up to be as user-friendly as possible.

A failed attempt to isolate the applications of the OpenBSD base environment with the systrace mechanism showed that isolation at the level of each individual system call is complicated and time-consuming.

As an alternative, pledge was proposed, which allows isolation rules to be created without going into every detail, by working with predefined access classes.

For example, the classes provided include stdio (input/output), rpath (read-only file access), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (ioctl calls), proc (process control), exec (launching processes) and id (privilege control).

The rules for working with system calls are specified in the form of annotations that contain a list of allowed system call classes and an array of file paths to which access is permitted. After editing and building the modified application, the kernel takes over the job of enforcing the specified rules.

Separately, a pledge implementation for FreeBSD is being developed that differs in its ability to isolate applications without changing their code, whereas in OpenBSD the pledge call is aimed at tight integration with the base environment and at adding annotations to the code of each application.

Pledge is like the forbidden fruit we all covet when the boss says we have to use things like Linux. Why does that matter? Because pledge() makes security understandable. Linux has never had a security layer that ordinary people can understand.

The developers of the Linux pledge port took their cue from FreeBSD and, instead of changing application code, prepared a separate utility, pledge.com, that lets you apply restrictions without modifying the application. For example, to run the curl utility with access only to the stdio, rpath, inet and thread system call classes, just run "./pledge.com -p 'stdio rpath inet thread' curl http://example.com".

The utility works on all Linux distributions since RHEL6 and does not require root access. In addition, based on the cosmopolitan library, an API is provided for managing restrictions from C program code, which allows, among other things, the creation of enclaves that selectively restrict access in relation to particular application functions.

There have been a few developers in the past who have tried this. I'm not going to name names, because most of these projects never got finished. When it comes to SECCOMP, the online tutorials only explain how to whitelist system calls, so most people lose interest before figuring out how to filter arguments. The more advanced projects also had oversights, such as allowing the setuid/setgid/sticky bits to be changed. Therefore, none of the existing alternatives should be used. I think this effort brings us closer to having pledge() than ever before.

The implementation requires no kernel changes: the utility's restrictions are translated into seccomp BPF rules and enforced with Linux's native system call isolation mechanism. For example, the call pledge("stdio rpath", 0) translates into a BPF filter.
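To make the translation concrete, here is an added example (written for this page, not pledge.com's or Cosmopolitan's own code) of a miniature pledge()-style wrapper: a promise string such as "stdio rpath" is mapped to a syscall whitelist, emitted as a seccomp BPF program with an architecture check and a default-kill rule, and installed with prctl(PR_SET_SECCOMP) without root, as the article describes. The class-to-syscall table is a hypothetical, deliberately small subset chosen for illustration; the real classes listed above cover many more calls, and carrying the policy across an execve (what pledge.com does when wrapping curl) is not shown here. A tiny interpreter lets the resulting policy be checked offline before it is ever installed.

```c
/* Added example: pledge()-style seccomp whitelist (not pledge.com's code). */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define PLEDGE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PLEDGE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_INSNS 128

/* Hypothetical, illustrative subset of the promise classes; real ones are larger. */
struct pledge_class { const char *name; int nr[8]; int count; };
static const struct pledge_class classes[] = {
    {"stdio",  {__NR_read, __NR_write, __NR_close, __NR_fstat, __NR_exit_group}, 5},
    {"rpath",  {__NR_openat, __NR_readlinkat, __NR_getdents64}, 3},
    {"inet",   {__NR_socket, __NR_connect, __NR_bind, __NR_listen, __NR_accept4}, 5},
    {"thread", {__NR_clone, __NR_futex}, 2},
};

/* Emit: arch check -> load nr -> one JEQ->ALLOW per whitelisted nr -> KILL.
 * Returns the instruction count, or -1 on an unknown promise or overflow. */
int build_pledge_filter(const char *promises, struct sock_filter *out, size_t cap)
{
    int allowed[64], nallowed = 0;
    size_t n = 0;
    char buf[256];
    strncpy(buf, promises, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        const struct pledge_class *c = NULL;
        for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
            if (strcmp(classes[i].name, tok) == 0) c = &classes[i];
        if (!c) return -1;                               /* fail closed on typos */
        for (int i = 0; i < c->count && nallowed < 64; i++) allowed[nallowed++] = c->nr[i];
    }
    if (cap < (size_t)nallowed + 6) return -1;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PLEDGE_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < nallowed; i++)   /* jt skips the remaining JEQs and the KILL */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i],
                                                 (unsigned char)(nallowed - i), 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)n;
}

/* Offline interpreter for the three opcode kinds emitted above, so a policy
 * can be reviewed against a synthetic seccomp_data without installing it. */
unsigned int run_filter(const struct sock_filter *f, int n, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k == offsetof(struct seccomp_data, arch)) acc = d->arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = (unsigned)d->nr;
            else return SECCOMP_RET_KILL_PROCESS;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;     /* offsets are relative to pc+1 */
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else return SECCOMP_RET_KILL_PROCESS;
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What would the policy for `promises` do with syscall `nr` on this arch? */
unsigned int pledge_decision(const char *promises, int nr)
{
    struct sock_filter prog[MAX_INSNS];
    int n = build_pledge_filter(promises, prog, MAX_INSNS);
    if (n < 0) return SECCOMP_RET_KILL_PROCESS;
    struct seccomp_data d = { .nr = nr, .arch = PLEDGE_ARCH };
    return run_filter(prog, n, &d);
}

/* Install the policy in the calling process; NO_NEW_PRIVS makes it unprivileged. */
int pledge(const char *promises)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_pledge_filter(promises, insns, MAX_INSNS);
    if (n < 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (pledge("stdio") != 0) { perror("pledge"); return 1; }
    write(1, "write() is allowed under stdio\n", 31);   /* raw write: in the whitelist */
    socket(AF_INET, SOCK_STREAM, 0);                   /* no inet promise: process dies with SIGSYS */
    _exit(0);
}
```

The last line of main is never reached: socket(2) is outside the "stdio" promise, so the kernel delivers SIGSYS and the process is killed, which is exactly the behaviour the article attributes to the pledge.com translation. When reviewing such a policy, run pledge_decision() over the calls a program actually makes first; the arch check at the top of the filter matters because syscall numbers differ between architectures and, on x86_64, between the 64-bit and 32-bit ABIs.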

Finally, if you are interested in learning more about it, you can check the details at the following link.

