Project to implement the pledge isolation mechanism on Linux

The author of the Cosmopolitan standard C library and the Redbean platform has announced an implementation of the pledge() isolation mechanism for Linux. Pledge was originally developed by the OpenBSD project and lets you selectively deny an application access to the system calls it does not use (a kind of whitelist of system calls permitted to the application, with all other calls forbidden). Unlike the system call restriction mechanisms already available in Linux, such as seccomp, pledge was designed from the start to be as simple as possible.

The unsuccessful attempt to isolate applications in the OpenBSD base system using the systrace mechanism showed that isolation at the level of individual system calls was too complicated and time-consuming. As an alternative, pledge was proposed, which makes it possible to create isolation rules without going into detail, by working with ready-made access classes. For example, the classes offered are stdio (input/output), rpath (read-only access to files), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (ioctl calls), proc (process management), exec (launching processes) and id (privilege management).

The rules for working with system calls are specified as annotations, listing the allowed system call classes and an array of file paths to which access is permitted. After the modified application is built and launched, the kernel takes over checking compliance with the specified rules.

A separate implementation of pledge is being developed for FreeBSD; it differs in being able to isolate applications without changing their code, whereas in OpenBSD the pledge call is aimed at tight integration with the base system and at adding annotations to the code of each application.

The developers of the pledge port for Linux followed the FreeBSD example and, instead of changing application code, prepared the pledge.com add-on utility, which applies restrictions without modifying the application. For example, to run the curl utility with access only to the stdio, rpath, inet and thread system call classes, run "./pledge.com -p 'stdio rpath inet thread' curl http://example.com".

The pledge utility works on all Linux distributions starting with RHEL6 and does not require root access. In addition, an API based on the cosmopolitan library is provided for managing restrictions from C program code, which among other things makes it possible to create enclaves that selectively restrict access for particular application functions.

The implementation requires no kernel changes: pledge restrictions are translated into seccomp BPF rules and enforced by Linux's native system call filtering mechanism. For example, the call pledge("stdio rpath", 0) is translated into the following BPF filter:

    static const struct sock_filter kFilter[] = {
        /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall, 0, 14 - 1),   /* not this syscall: skip to next filter */
        /* L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
        /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 4 - 3, 0),
        /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 10, 0, 13 - 4),
        /* L4*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])),
        /* L5*/ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x80800),             /* mask off flag bits before comparing */
        /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 8 - 7, 0),
        /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 13 - 8),
        /* L8*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2])),
        /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 12 - 10, 0),
        /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 12 - 11, 0),
        /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 13 - 12),
        /*L12*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /*L13*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),               /* reload syscall number for the next rule */
        /*L14*/ /* next filter */
    };
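The listing above compares the three syscall arguments against the socket(2) constants (2/10 for AF_INET/AF_INET6, 1/2 for SOCK_STREAM/SOCK_DGRAM once SOCK_CLOEXEC|SOCK_NONBLOCK are masked off, 0/6/17 for IP/TCP/UDP). The block below is an added example, not code from the article or from the Cosmopolitan project: it assumes the `syscall` placeholder is __NR_socket, wraps the rule in a prologue and a default-deny epilogue so it is a complete filter, and adds a small user-space cBPF evaluator so the jump offsets can be checked against constructed seccomp_data before the filter is ever installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define OFF(f) offsetof(struct seccomp_data, f)

/* The article's rule with a prologue (load nr) and an epilogue (default deny)
 * added so it is a complete filter; jump offsets L0..L14 are the article's.
 * Assumption: the article's `syscall` placeholder stands for __NR_socket. */
static const struct sock_filter kFilter[] = {
    /* pro*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
    /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 14 - 1),
    /* L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])),
    /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 4 - 3, 0),    /* AF_INET */
    /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 10, 0, 13 - 4),  /* AF_INET6 */
    /* L4*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])),
    /* L5*/ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x80800U), /* drop CLOEXEC|NONBLOCK */
    /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 8 - 7, 0),    /* SOCK_STREAM */
    /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 13 - 8),   /* SOCK_DGRAM */
    /* L8*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2])),
    /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 12 - 10, 0),  /* IPPROTO_IP */
    /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 12 - 11, 0),  /* IPPROTO_TCP */
    /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 13 - 12), /* IPPROTO_UDP */
    /*L12*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /*L13*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)), /* reload nr for next rule */
    /*L14*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* epilogue: deny */
};

/* Minimal cBPF evaluator for the four instruction forms used above, so the
 * jump arithmetic can be unit-tested in user space without installing it. */
static uint32_t run_filter(const struct sock_filter *p, size_t n,
                           const struct seccomp_data *d) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &p[pc];
        switch (BPF_CLASS(i->code)) {
        case BPF_LD:  memcpy(&a, (const char *)d + i->k, sizeof a); break;
        case BPF_ALU: a &= i->k; break;                         /* BPF_AND|K */
        case BPF_JMP: pc += (a == i->k) ? i->jt : i->jf; break; /* BPF_JEQ|K */
        case BPF_RET: return i->k;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: deny */
}
/* Filter verdict for syscall `nr` called with arguments a0..a2 (constructed). */
uint32_t verdict(int nr, uint64_t a0, uint64_t a1, uint64_t a2) {
    struct seccomp_data d = { .nr = nr, .args = { a0, a1, a2 } };
    return run_filter(kFilter, sizeof kFilter / sizeof kFilter[0], &d);
}
```

verdict(__NR_socket, AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0) yields SECCOMP_RET_ALLOW, while an AF_UNIX socket or any other syscall number reaches the default-deny epilogue.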

Source: opennet.ru
