Mva nje umbhali wethala leencwadi elisemgangathweni leCosmopolitan C kwaye iqonga leembotyi eziBomvu labhengezwa nge ibhengezwe, ukuphunyezwa kwesibambiso () sokwahlulwa kwendlela yeLinux.
Kwakunjalo yaphuhliswa ekuqaleni yiprojekthi ye-OpenBSD y ivumela uthintelo olukhethiweyo ukuba izicelo ukufikelela kwiifowuni ezingasetyenziswanga inkqubo (uhlobo loluhlu olumhlophe lweefowuni zesixokelelwano lwenziwa ukwenzela isicelo kwaye ezinye iifowuni azivumelekanga). Ngokungafaniyo neendlela zolawulo lofikelelo lwe-syscall ezikhoyo kwi-Linux, njenge-seccomp, indlela yesibambiso iyilwe ukusuka phantsi ukuya phezulu ukuze ibelula ukuyisebenzisa kangangoko kunokwenzeka.
Inyathelo elingaphumeleliyo lokwahlula izicelo kwindawo ye-OpenBSD esisiseko kusetyenziswa indlela ye-systrace ibonise ukuba ukwahlulwa kwinqanaba leefowuni zenkqubo nganye kunzima kakhulu kwaye kudla ixesha.
Njengenye indlela, kwacetywa isibhambathiso, esathi kuvunyelwe ukudala imithetho yokuzahlula ngaphandle kokungena kwiinkcukacha kunye nokukhohlisa iiklasi zokufikelela ezilungiselelwe.
Ngokomzekelo, iiklasi ezinikezelwayo zi-stdio (igalelo / isiphumo), i-rpath (ukufundwa kwefayile kuphela), i-wpath (ukubhala ifayile), i-cpath (ukudala ifayile), i-tmppath (ukusebenza ngeefayile zesikhashana), inet (iziseko zedatha). unix (unix sockets), dns (DNS resolution), getpw (read access to user database), ioctl (ioctl call), proc (process control), exec (ukuqala iinkqubo) kunye ne-id (ulawulo lwemvume).
Imigaqo yokusebenza ngeefowuni zenkqubo zikhankanyiwe ngendlela yezichasiselo ezibandakanya uluhlu lweendlela ezivunyelweyo kwiiklasi zokufowuna kunye noluhlu lweendlela zefayile apho ufikelelo luvunyelwe. Emva kokuqulunqa kunye nokuqhuba isicelo esilungisiweyo, i-kernel ithatha umsebenzi wokubeka iliso ukuthotyelwa kwemigaqo echaziweyo.
Ngokwahlukileyo, ukuphunyezwa kwesibambiso kuphuhliswa kwi-FreeBSD, eyahlulwa ngokukwazi ukwahlula izicelo ngaphandle kokwenza utshintsho kwikhowudi yazo, ngelixa kwi-OpenBSD umnxeba wesibambiso ujolise ekudityanisweni okuqinileyo kunye nesiseko esisingqongileyo kunye nokongezwa kwezichasiselo kumntu ngamnye. ikhowudi.
Isibambiso sifana nesiqhamo esalelweyo sonke esibawelayo xa umphathi esithi kufuneka sisebenzise izinto ezifana neLinux. Kutheni ibalulekile nje loo nto? Kungenxa yokuba isibambiso () eneneni senza ukhuseleko luqondeke. I-Linux ayizange ikhe ibe nokhuseleko olunokuthi luqondwe ngabantu nje.
Abaphuhlisi be-Linux pledge port bathathe umzekelo weFreeBSD kwaye endaweni yokwenza utshintsho kwikhowudi, balungiselela into eyongezelelweyo ye-pledge.com evumela ukuba usebenzise izithintelo ngaphandle kokutshintsha ikhowudi yesicelo. Umzekelo, ukusebenzisa i-curl eluncedo ngofikelelo kuphela kwi-stdio, rpath, inet, kunye neeklasi zokufowunela inkqubo ye threadstdio, sebenzisa ngokulula "./pledge.com -p 'stdio rpath intambo inet' curl http://example.com » .
Isixhobo sisebenza kuzo zonke izinikezelo zeLinux ukusukela kwiRHEL6 kwaye ayifuni ukufikelela kweengcambu. Ukongezelela, ngokusekelwe kwilayibrari ye-cosmopolitan, i-API inikezelwa ukulawula izithintelo kwikhowudi yeenkqubo zolwimi lwe-C, evumela, phakathi kwezinye izinto, ukudala i-enclaves ngokukhetha ukukhawulela ukufikelela ngokumalunga nemisebenzi ethile yesicelo.
Bekukho abaphuhlisi abambalwa kwixesha elidlulileyo abaye bazama oku. Andizowabiza amagama, kuba uninzi lwezi projekthi zange zigqitywe. Xa kuziwa kwi-SECOMP, ii-tutorials ze-intanethi zichaza kuphela indlela yokubiza iifowuni ze-whitelist, ngoko ke abantu abaninzi balahlekelwa ngumdla ngaphambi kokuba baqonde indlela yokucoca iingxabano. Iiprojekthi eziye zahambela phambili zikwanokongamela okufana nokuvumela i-setuid/setgid/sticky bits ukuba itshintshwe. Ke ngoko, akukho nanye kwezi ndlela zangoku ekufuneka isetyenziswe. Ndicinga ukuba lo mzamo usisondeza kakhulu ekubeni ne-pledge() kunangaphambili.
Uzalisekiso alufuni lutshintsho kwikernel: imiqobo yoncedo iguqulelwa kwimithetho ye-SECCOMP ye-BPF kwaye iqhutywe kusetyenziswa inkqubo ye-Linux yendalo yokufowuna indlela yokwahlula. Umzekelo, ukufowuna isithembiso("stdio rpath", 0) iya kuba sisihluzo se-BPF
Okokugqibela, ukuba unomdla wokwazi okungakumbi ngayo, unokujonga kwiinkcukacha Kule khonkco ilandelayo.