Muva nje umbhali welabhulali ejwayelekile ye-Cosmopolitan C kanye nesiteji se-Redbean simenyezelwe ngokusebenzisa a kumenyezelwe, ukuqaliswa kwe-pledge() indlela yokuhlukanisa ye-Linux.
Fue eyasungulwa ekuqaleni iphrojekthi ye-OpenBSD y ikuvumela ukuthi unqabele ngokukhetha ukuthi izinhlelo zokusebenza finyelela izingcingo zesistimu ezingasetshenzisiwe (uhlobo lohlu olumhlophe lwezingcingo zesistimu kwakheka kuhlelo lokusebenza futhi ezinye izingcingo azivunyelwe). Ngokungafani nezinqubo zokulawula ukufinyelela kwe-syscall ezitholakala ku-Linux, njenge-seccomp, indlela yesibambiso iklanywe kusukela phansi kuya phezulu ukuze isebenziseke kalula ngangokunokwenzeka.
Isinyathelo esihlulekile sokuhlukanisa izinhlelo zokusebenza endaweni eyisisekelo ye-OpenBSD kusetshenziswa indlela ye-systrace kubonise ukuthi ukuhlukaniswa ezingeni lezingcingo zesistimu ngayinye kuyinkimbinkimbi kakhulu futhi kudla isikhathi.
Njengenye indlela, kwahlongozwa isithembiso, okuyinto kuvunyelwe ukudala imithetho yokuzihlukanisa ngaphandle kokungena emininingwaneni kanye nokukhohlisa amakilasi okufinyelela alungiselelwe.
Isibonelo, amakilasi ahlinzekwayo yi-stdio (okokufaka/okuphumayo), i-rpath (amafayela afundwayo kuphela), i-wpath (bhala amafayela), i-cpath (dala amafayela), i-tmppath (sebenza ngamafayela esikhashana), i-inet (inethiwekhi yamasokhethi), i-unix (amasokhethi angu-unix ), dns (DNS resolution), getpw (funda ukufinyelela kusizindalwazi somsebenzisi), ioctl (i-ioctl call), i-proc (ukulawula inqubo), khipha (izinqubo zokuqalisa), kanye ne-id (ukulawula imvume).
Imithetho yokusebenza ngezingcingo zesistimu acaciswe ngendlela yezichasiselo ezifaka uhlu lwezigaba ezivumelekile zezingcingo zesistimu kanye nohlu lwezindlela zefayela lapho ukufinyelela kuvunyelwe khona. Ngemva kokuhlanganisa nokusebenzisa uhlelo oluguquliwe, i-kernel ithatha umsebenzi wokuqapha ukuthotshelwa kwemithetho eshiwo.
Ngokwehlukana, ukuqaliswa kwesithembiso se-FreeBSD kuyathuthukiswa, okuhlukaniswa ikhono lokuhlukanisa izinhlelo zokusebenza ngaphandle kokwenza izinguquko kukhodi yazo, kuyilapho ku-OpenBSD ucingo lwesibambiso luhloselwe ukuhlanganiswa okuqinile nendawo eyisisekelo kanye nokwengezwa kwezichasiselo kukhodi. ngamunye ngamunye.
Isibambiso sifana nesithelo esinqatshelwe sonke esisifisayo lapho umphathi ethi kufanele sisebenzise izinto ezifana neLinux. Kubaluleke ngani lokho? Kungenxa yokuthi isibambiso() empeleni senza ukuphepha kuqondakala. I-Linux ayikaze ibe nesendlalelo sokuphepha esingaqondwa abantu abafayo.
Abathuthukisi bembobo yesibambiso se-Linux bathathe inkomba ku-FreeBSD futhi esikhundleni sokwenza izinguquko zekhodi, balungiselele insiza eyengeziwe evela ku-pledge.com ekuvumela ukuthi usebenzise imikhawulo ngaphandle kokushintsha ikhodi yesicelo. Isibonelo, ukusebenzisa insiza yokugoqa ngokufinyelela kuphela kumakilasi ekholi e-stdio, rpath, inet, nethreadstdio, vele usebenzise "./pledge.com -p 'stdio rpath linet thread' curl http://example.com » .
Insiza isebenza kukho konke ukusatshalaliswa kweLinux kusukela ku-RHEL6 futhi ayidingi ukufinyelela kwezimpande. Ukwengeza, ngokusekelwe kumtapo wezincwadi we-cosmopolitan, i-API ihlinzekwe ngokulawula imikhawulo kukhodi yezinhlelo zolimi C, evumela, phakathi kwezinye izinto, ukudala ama-enclaves ukuze ukhethe ngokukhetha ukukhawulela ukufinyelela okuhlobene nemisebenzi ethile yohlelo lokusebenza. .
Kube khona onjiniyela abambalwa esikhathini esidlule abazame lokhu. Ngeke ngiwasho amagama, ngoba iningi lala maphrojekthi alikaze liqedwe. Uma kuza ku-SECOMP, okokufundisa okuku-inthanethi kuchaza kuphela ukuthi ungagunyazwa kanjani amakholi wesistimu, ukuze abantu abaningi balahlekelwe isithakazelo ngaphambi kokuthola ukuthi zihlungwa kanjani izimpikiswano. Amaphrojekthi aqhubekele phambili nawo abe nokugada okufana nokuvumela i-setuid/setgid/sticky bits ukuthi ishintshwe. Ngakho-ke, akukho okunye kwamanje okufanele kusetshenziswe. Ngicabanga ukuthi lo mzamo usisondeza kakhulu ekubeni ne-pledge() kunangaphambili.
Ukuqaliswa akudingi izinguquko ze-kernel: izithiyo zokusetshenziswa zihunyushwa emithethweni ye-SECCOMP BPF futhi zicutshungulwe kusetshenziswa indlela ye-Linux yomdabu yokuhlukanisa ikholi. Isibonelo, ukubiza isithembiso("stdio rpath", 0) kuzoguqulela kusihlungi se-BPF
Ekugcineni, uma unentshisekelo yokwazi kabanzi ngakho, ungaxhumana nemininingwane Kulesi sixhumanisi esilandelayo.