Project to port the pledge isolation mechanism to Linux

The author of the Cosmopolitan C standard library and the Redbean platform has announced an implementation of the pledge() isolation mechanism for Linux. Pledge was originally developed by the OpenBSD project and allows an application to selectively give up access to system calls it does not use (a kind of whitelist of system calls is formed for the application, and all other calls are prohibited). Unlike the system call restriction mechanisms already available in Linux, such as seccomp, the pledge mechanism was designed from the outset to be as simple as possible.

The failed attempt to isolate the applications of the OpenBSD base system using the systrace mechanism showed that isolation at the level of individual system calls is too complex and time-consuming. As an alternative, pledge was proposed, which made it possible to write isolation rules without going into detail, operating instead on ready-made access classes. For example, the classes offered are stdio (input/output), rpath (read-only file access), wpath (writing files), cpath (creating files), tmppath (working with temporary files), inet (network sockets), unix (unix sockets), dns (DNS resolution), getpw (read access to the user database), ioctl (the ioctl call), proc (process management), exec (launching processes) and id (managing access rights).

The rules for working with system calls are specified as an annotation that lists the permitted classes of system calls and the file paths that may be accessed. Once the modified application is built and started, the kernel takes over the job of monitoring compliance with the specified rules.

A separate implementation of pledge has been developed for FreeBSD, which differs in its ability to isolate applications without changing their code, whereas in OpenBSD the pledge call is intended for tight integration with the base system and for adding annotations to the code of each application.

The developers of the Linux pledge port followed the FreeBSD example and, instead of modifying application code, prepared a separate utility, pledge.com, which lets you request restrictions without changing the application's code. For example, to run the curl utility with access only to the stdio, rpath, inet and thread system call classes, it is enough to run "./pledge.com -p 'stdio rpath inet thread' curl http://example.com".

The pledge utility works on all Linux distributions starting from RHEL6 and does not require root access. In addition, based on the Cosmopolitan library, an API is provided for managing restrictions from C program code, which makes it possible, among other things, to create enclaves in which access is selectively restricted for the execution of particular application functions.

The implementation does not require kernel changes: pledge restrictions are translated into SECCOMP BPF rules and enforced by the native Linux isolation mechanism of the same name. For example, the call pledge("stdio rpath", 0) is converted into a BPF filter (a `static const struct sock_filter kFilter[]` array) made up of BPF_LD instructions that load the system call number and its arguments, BPF_JUMP/BPF_JEQ comparisons against the permitted values, and a BPF_STMT that returns SECCOMP_RET_ALLOW for calls that pass the checks.
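As an added example (not Cosmopolitan's or pledge.com's code), the following C sketch shows how a promise class is lowered into the seccomp-BPF allow-list described above and installed through the stock `prctl` interface. The system call list passed to `build_allowlist` is a constructed stand-in for a `stdio`-like class, much smaller than the real one; the tiny interpreter exists so the generated policy can be checked offline before a process locks itself down with it.

```c
/* Added example, not the project's code: lower an allow-list of syscalls into
 * seccomp-BPF, check it with a minimal cBPF interpreter, then install it. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#define SD(f) ((uint32_t)offsetof(struct seccomp_data, f))
#define INSN(x) (struct sock_filter)x

/* Layout: arch check, load nr, one JEQ per allowed syscall, default kill.
 * Checking arch first stops a foreign ABI reusing the same syscall numbers. */
int build_allowlist(uint32_t arch, const int *nrs, size_t n, struct sock_filter *out) {
    size_t k = 0;
    if (n > 200) return -1;                     /* jt is an 8-bit offset */
    out[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)));
    out[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    out[k++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)));
    for (size_t i = 0; i < n; i++)              /* jt skips the rest of the list and the kill */
        out[k++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[i], (uint8_t)(n - i), 0));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    out[k++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return (int)k;
}

/* Interpreter for the three opcodes emitted above; d is a fake seccomp_data. */
uint32_t run_filter(const struct sock_filter *f, int n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (int pc = 0; pc < n; pc++) {
        uint32_t code = f[pc].code, k = f[pc].k;
        if (code == (BPF_LD | BPF_W | BPF_ABS)) memcpy(&acc, (const char *)d + k, 4);
        else if (code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == k ? f[pc].jt : f[pc].jf;
        else if (code == (BPF_RET | BPF_K)) return k;
        else return SECCOMP_RET_KILL_PROCESS;   /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL_PROCESS;            /* ran off the end: fail closed */
}

/* Install for the calling thread; no_new_privs lets an unprivileged process do it. */
int install_allowlist(struct sock_filter *f, int n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

After `install_allowlist` returns 0, any system call outside the list terminates the process, so the list must also cover the calls libc makes on the exit path (here `exit_group`).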

Source: opennet.ru
