An implementation of the pledge isolation mechanism has been ported to Linux

The author of the Cosmopolitan C standard library and the Redbean platform has published an implementation of the pledge() isolation mechanism for Linux. The pledge mechanism was originally developed by the OpenBSD project and lets a program selectively forbid itself from making system calls it does not use (in effect, a whitelist of system calls is declared for the application, and every other call is refused). Unlike the syscall access-control mechanisms already available on Linux, such as seccomp, pledge was designed from the start to be as easy to use as possible.

Practice showed that isolating applications on OpenBSD with the systrace mechanism, which worked at the level of individual system calls, was complex and time-consuming. As an alternative, pledge was proposed: it lets isolation rules be built without going into low-level detail, by combining ready-made access classes. The classes offered include stdio (input/output), rpath (read-only access to files), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (the ioctl call), proc (process management), exec (launching processes), and id (privilege management).

The rules for system-call use are expressed as annotations in the program: a list of permitted system-call classes plus an array of file paths to which access is allowed. Once the annotated application is built and run, the kernel takes over enforcing the declared rules.

Separately, a pledge implementation for FreeBSD is being developed; its distinguishing feature is the ability to isolate applications without changing their code, whereas on OpenBSD pledge is aimed at tight integration with the base system and at adding annotations to the code of each application.

The developers of the Linux port of pledge took the FreeBSD approach and, instead of modifying application code, prepared a separate pledge.com utility that applies the restrictions without any changes to the program being run. For example, to run the curl utility with access only to the stdio, rpath, inet and thread system-call classes, it is enough to run "./pledge.com -p 'stdio rpath inet thread' curl http://example.com".

The pledge utility works on all Linux distributions since RHEL6 and does not require root. In addition, an API built on the cosmopolitan library is provided for managing the restrictions from C program code, which makes it possible, among other things, to create enclaves that limit access for particular parts of an application.

The implementation requires no kernel changes: pledge restrictions are translated into SECCOMP BPF rules and enforced by the system-call filtering mechanism that Linux already has. For example, the call pledge("stdio rpath", 0) is converted into a BPF filter of the following form (the listing is reproduced as it survives in the source text; the mask ~0x80800 strips O_NONBLOCK and O_CLOEXEC from the open flags before they are compared, and the instructions marked as garbled could not be recovered):

    static const struct sock_filter kFilter[] = {
        /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall, 0, 14 - 1),
        /* L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
        /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 4 - 3, 0),
        /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 10, 0, 13 - 4),
        /* L4*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])),
        /* L5*/ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x80800),
        /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 8 - 7, 0),
        /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 13 - 8),
        /* L8*/ /* garbled in the source text */
        /* L9*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
        /*L10*/ /* L10-L13: comparisons against 10, 11 and 13; jump offsets garbled in the source text */
        /*L14*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
        /*L15*/ /* next filter */
    };
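To make the promise-to-seccomp translation described above and the C-level API mentioned earlier concrete, here is an added example of a toy pledge()-style filter builder. It is not Cosmopolitan's or pledge.com's code: the promise names are pledge's, but the syscall sets behind them, the functions build_filter, run_filter, decide and apply_pledge, and the filter layout are this example's own assumptions. It compiles a promise string into classic BPF that the kernel accepts, evaluates that BPF in userspace the way the kernel would (so the allow/deny decisions can be checked before anything is installed), and installs it with PR_SET_NO_NEW_PRIVS, which is what allows an unprivileged process to load a seccomp filter.

```c
/* Added example for this page, not Cosmopolitan's or pledge.com's code: a toy
 * pledge()-style allowlist compiled to classic BPF for seccomp, plus a userspace
 * evaluator so a filter can be checked before it is installed.  The promise names
 * are pledge's; the syscalls behind them are a small demo subset (an assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_INSNS 64
#define DENY (SECCOMP_RET_ERRNO | EPERM)          /* unpromised call fails with EPERM */
#define STMT(c, k) ((struct sock_filter)BPF_STMT(c, k))
#define JUMP(c, k, jt, jf) ((struct sock_filter)BPF_JUMP(c, k, jt, jf))
struct promise { const char *name; const int *nrs; size_t n; };
static const int kStdio[] = { __NR_read, __NR_write, __NR_close, __NR_brk,
                              __NR_mmap, __NR_munmap, __NR_exit, __NR_exit_group };
static const int kRpath[] = { __NR_openat, __NR_fstat, __NR_lseek };
static const int kInet[]  = { __NR_socket, __NR_connect, __NR_sendto, __NR_recvfrom };
static const struct promise kPromises[] = {
  { "stdio", kStdio, 8 }, { "rpath", kRpath, 3 }, { "inet", kInet, 4 } };

/* Compile "stdio rpath ..." into BPF.  Layout: L0 LD arch; L1 JEQ THIS_ARCH skip 1;
 * L2 RET KILL; L3 LD nr; L4.. one JEQ per allowed nr jumping to the final RET ALLOW;
 * then RET EPERM; RET ALLOW.  Returns the instruction count, or -1 on error. */
static int build_filter(const char *promises, struct sock_filter *out, size_t cap) {
  int allowed[MAX_INSNS]; size_t n = 0, pc = 0;
  char buf[256], *save, *tok;
  if (strlen(promises) >= sizeof buf) return -1;
  strcpy(buf, promises);
  for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
    const struct promise *p = NULL;
    for (size_t i = 0; i < sizeof kPromises / sizeof *kPromises; i++)
      if (!strcmp(tok, kPromises[i].name)) p = &kPromises[i];
    if (!p) return -1;                        /* unknown promise: refuse, never widen */
    for (size_t i = 0; i < p->n; i++) { if (n == MAX_INSNS) return -1; allowed[n++] = p->nrs[i]; }
  }
  if (n + 6 > cap || n + 6 > 255) return -1;  /* jt/jf are 8-bit offsets */
  out[pc++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
  out[pc++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
  out[pc++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
  out[pc++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
  size_t allow_pc = 4 + n + 1;                /* index of the final RET ALLOW */
  for (size_t i = 0; i < n; i++, pc++)
    out[pc] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i], (uint8_t)(allow_pc - pc - 1), 0);
  out[pc++] = STMT(BPF_RET | BPF_K, DENY);
  out[pc++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
  return (int)pc;
}

/* Interpret the BPF subset build_filter emits, as the kernel would, against one
 * seccomp_data record.  Returns the SECCOMP_RET_* action. */
static uint32_t run_filter(const struct sock_filter *f, int n, const struct seccomp_data *d) {
  uint32_t acc = 0;
  for (int pc = 0; pc < n;) {
    const struct sock_filter *in = &f[pc];
    if (in->code == (BPF_LD | BPF_W | BPF_ABS)) { memcpy(&acc, (const char *)d + in->k, 4); pc++; }
    else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += 1 + (acc == in->k ? in->jt : in->jf);
    else if (in->code == (BPF_RET | BPF_K)) return in->k;
    else return SECCOMP_RET_KILL_PROCESS;     /* opcode we never emit */
  }
  return SECCOMP_RET_KILL_PROCESS;            /* ran off the end: treat as fatal */
}

/* What the kernel would do with syscall nr on this arch under these promises. */
static uint32_t decide(const char *promises, int nr) {
  struct sock_filter insns[MAX_INSNS];
  int n = build_filter(promises, insns, MAX_INSNS);
  if (n < 0) return SECCOMP_RET_KILL_PROCESS;
  struct seccomp_data d = { .nr = nr, .arch = THIS_ARCH };
  return run_filter(insns, n, &d);
}

/* Install for real (irreversible).  PR_SET_NO_NEW_PRIVS is what lets an unprivileged
 * process load a filter, and it also stops setuid children from escaping it. */
int apply_pledge(const char *promises) {
  struct sock_filter insns[MAX_INSNS];
  int n = build_filter(promises, insns, MAX_INSNS);
  if (n < 0) { errno = EINVAL; return -1; }
  struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {                              /* stand-alone demo: openat is not in "stdio" */
  char msg[128];
  if (apply_pledge("stdio") == -1) { perror("apply_pledge"); return 1; }
  int fd = open("/etc/hostname", O_RDONLY);   /* expected: fd == -1, errno == EPERM */
  int len = snprintf(msg, sizeof msg, "open() under 'stdio': fd=%d errno=%d (%s)\n", fd, errno, strerror(errno));
  return write(1, msg, (size_t)len) < 0;      /* plain write(): no fstat/ioctl from stdio buffering */
}
```

Two caveats for anyone extending this: apply_pledge is one-way for the calling process and everything it forks or execs, so run main() in a throwaway process; and the real pledge filter also inspects arguments (the open-flag mask in the listing above is one such check), which a bare syscall-number allowlist like this one cannot express.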

Source: opennet.ru
