Implementation of the pledge isolation mechanism for Linux

The author of the Cosmopolitan standard C library and the Redbean platform has announced an implementation of the pledge() isolation mechanism for Linux. pledge was originally developed by the OpenBSD project and lets you selectively prevent applications from accessing system calls they do not use (a kind of whitelist of system calls is formed for the application, and all other calls are prohibited). Unlike the system call restriction mechanisms available in Linux, such as seccomp, the pledge mechanism is designed to be as simple as possible.

The failed initiative to isolate applications in the OpenBSD base environment using the systrace mechanism showed that isolation at the level of individual system calls was too complicated and time-consuming. As an alternative, pledge was proposed, which made it possible to create isolation rules without going into detail, by working with ready-made access classes. For example, the classes offered are stdio (input/output), rpath (read-only files), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (ioctl calls), proc (process management), exec (process launching) and id (access rights management).

The rules for working with system calls are specified in the form of annotations, which include a list of permitted system call classes and a list of file paths to which access is allowed. After the modified application is built and launched, the kernel takes over the job of monitoring compliance with the specified rules.

A pledge implementation for FreeBSD is being developed separately. It is distinguished by the ability to isolate applications without making changes to their code, while in OpenBSD the pledge call is aimed at tight integration with the base environment and at adding annotations to the code of each application.

The developers of the pledge port for Linux took the FreeBSD example and, instead of making changes to the code, prepared an add-on utility, pledge.com, which lets you apply restrictions without changing the application code. For example, to run the curl utility with access to the stdio, rpath, inet and threadstdio system call classes, just run “./pledge.com -p 'stdio rpath inet thread' curl http://example.com”.

The pledge utility works on all Linux distributions starting with RHEL6 and does not require root access. In addition, based on the Cosmopolitan library, an API is provided for managing restrictions in program code in the C language, which makes it possible, among other things, to create access restrictions tied to particular functions of the application.

The implementation does not require changes to the kernel: the pledge restrictions are translated into SECCOMP BPF rules and processed using the native Linux system call isolation mechanism. For example, the call pledge("stdio rpath", 0) will be converted into a BPF filter:

    static const struct sock_filter kFilter[] = {
        /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall, 0, 14 - 1),
        /* L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
        /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 4 - 3, 0),
        /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 10, 0, 13 - 4),
        /* L4*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])),
        /* L5*/ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x80800),
        /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 8 - 7, 0),
        /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 13 - 8),
        /* L8*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2])),
        /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 12 - 10, 0),
        /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 12 - 11, 0),
        /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 13 - 11),
        /*L12*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /*L13*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
        /*L14*/ /* next filter */
    };
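The translation from promise names to a SECCOMP BPF allowlist described above, as an added example (not code from the article or from Cosmopolitan): it builds a filter from a promise string and evaluates it in user space, so nothing is installed in the kernel. The table `tab` and the functions `build` and `pledge_verdict` are hypothetical names, and the table is a constructed, heavily reduced subset of what each class would permit.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#define OFF(f) offsetof(struct seccomp_data, f)
/* Constructed, simplified promise table (assumption); -1 pads unused slots. */
static const struct { const char *name; int nr[4]; } tab[] = {
    {"stdio", {__NR_read, __NR_write, __NR_close, __NR_exit_group}},
    {"rpath", {__NR_openat, __NR_readlinkat, -1, -1}},
    {"inet", {__NR_socket, __NR_connect, -1, -1}},
};

/* Emits: LD nr; per syscall {JEQ nr ? next : skip 1; RET ALLOW}; RET EPERM. -1 on error. */
int build(const char *promises, struct sock_filter *f, int cap) {
    int i = 0;
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr));
    for (const char *p = promises + strspn(promises, " "); *p;) {
        size_t len = strcspn(p, " "), k = 0, nt = sizeof tab / sizeof *tab;
        for (; k < nt; k++) /* exact match, so "stdiox" is not "stdio" */
            if (strlen(tab[k].name) == len && !strncmp(p, tab[k].name, len)) break;
        if (k == nt || i + 9 > cap) return -1; /* unknown promise or buffer full */
        for (int j = 0; j < 4 && tab[k].nr[j] >= 0; j++) {
            f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, tab[k].nr[j], 0, 1);
            f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
        p += len + strspn(p + len, " ");
    }
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    return i;
}

/* Runs the filter in user space for syscall nr; ~0u if the promise string is rejected. */
unsigned pledge_verdict(const char *promises, int nr) {
    struct sock_filter f[64]; struct seccomp_data d = {.nr = nr};
    unsigned a = 0;
    int n = build(promises, f, 64);
    for (int pc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&a, (char *)&d + f[pc].k, 4);
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += a == f[pc].k ? f[pc].jt : f[pc].jf;
        else return f[pc].k; /* BPF_RET | BPF_K */
    }
    return ~0u; /* build() failed, nothing to run */
}

int main(void) {
    return printf("socket under 'stdio rpath': %#x\n", pledge_verdict("stdio rpath", __NR_socket)) < 0;
}
```

To enforce such a program, a process sets PR_SET_NO_NEW_PRIVS and installs it with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog). A filter meant for installation should also check seccomp_data.arch before trusting nr, since system call numbers differ between architectures.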

source: budenet.ru
