Morero oa ho tsamaisa mokhoa oa ho itšehla thajana ho Linux

Mongoli oa laeborari ea Cosmopolitan standard C le sethala sa Redbean se phatlalalitse ts'ebetsong ea pledge() mochine oa ho itšehla thajana bakeng sa Linux. Pledge e qapiloe ke projeke ea OpenBSD 'me e u lumella hore u ikhethele ho thibela lits'ebetso ho fihlella mehala e sa sebelisoeng (ho etsoa lethathamo le lesoeu la mehala bakeng sa ts'ebeliso, mme mehala e meng e thibetsoe). Ho fapana le mekhoa ea thibelo ea mohala oa sistimi e fumanehang Linux, joalo ka seccomp, mochini oa boitlamo o ne o etselitsoe hore o be bonolo kamoo ho ka khonehang.

Bohato bo hlōlehileng ba ho arola lits'ebetso tikolohong ea motheo ea OpenBSD ho sebelisa mochine oa systrace o bontšitse hore ho itšehla thajana boemong ba mehala ea tsamaiso ea motho ka mong ho ne ho rarahane haholo ebile ho ja nako. Ka mokhoa o mong, ho ile ha etsoa tlhahiso ea boitlamo, e leng se entseng hore ho khonehe ho theha melao ea ho itšehla thajana ntle le ho kena lintlheng le ho laola litlelase tsa phihlello tse seng li entsoe. Mohlala, litlelase tse fanoang ke stdio (input/output), rpath (file-bala-feela), wpath (ngola lifaele), cpath (etsa lifaele), tmppath (sebetsa ka lifaele tsa nakoana), inet (network sockets), unix ( unix sockets), dns (DNS resolution), getpw (ho bala phihlello ho database ea mosebelisi), ioctl (ioctl call), proc (tsamaiso ea ts'ebetso), exec (ho qala ts'ebetso) le id (taolo ea litokelo tsa phihlello).

Melao ea ho sebetsa ka mehala ea sistimi e hlalositsoe ka mokhoa oa litlatsetso, ho kenyeletsoa lethathamo la lihlopha tse lumelletsoeng tsa mehala ea sistimi le mefuta e mengata ea lifaele moo phihlello e lumelletsoeng. Ka mor'a ho haha ​​​​le ho qala kopo e fetotsoeng, kernel e nka mosebetsi oa ho beha leihlo ho latela melao e boletsoeng.

Ts'ebetsong e arohaneng ea boitlamo e ntse e ntlafatsoa bakeng sa FreeBSD, e khetholloang ke bokhoni ba ho arola likopo ntle le ho etsa liphetoho khoutu ea bona, ha OpenBSD pitso ea boitlamo e reretsoe ho kopanya ka thata le tikoloho ea motheo le ho eketsa litlhaloso ho khoutu ea e 'ngoe le e' ngoe. kopo.

Bahlahisi ba boema-kepe ba pledge bakeng sa Linux ba nkile mohlala oa FreeBSD mme, ho fapana le ho etsa liphetoho khoutu, ba lokiselitse tlatsetso ea utility pledge.com e u lumellang hore u sebelise lithibelo ntle le ho fetola khoutu ea kopo. Mohlala, ho tsamaisa curl utility ka phihlello feela ho litlelase tsa mehala tsa stdio, rpath, inet le threadstdio, matha feela “./pledge.com -p 'stdio rpath inet thread' curl http://example.com”.

Ts'ebeliso ea boitlamo e sebetsa liphaellong tsohle tsa Linux ho qala ka RHEL6 mme ha e hloke phihlello ea metso. Ho phaella moo, ho itšetlehile ka laebrari ea cosmopolitan, API e fanoa bakeng sa ho laola lithibelo khoutu ea lenaneo ka puo ea C, e lumellang, har'a lintho tse ling, ho theha li-enclaves bakeng sa ho thibela ho fihlella ho amanang le mesebetsi e itseng ea kopo.

Ts'ebetsong ha e hloke liphetoho ho kernel - lithibelo tsa boitlamo li fetoleloa ho melao ea SECCOM BPF le ho sebetsoa ho sebelisoa mochine oa mohala oa ho itšehla thajana oa Linux. Mohlala, pitso pledge("stdio rpath", 0) e tla fetoleloa ho BPF filter static const struct sock_filter kFilter[] = {/* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall, 0, 14 - 1 ), / * L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[0])), /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 4 - 3, 0), /* L3* / BPF_JUMP( BPF_JMP | BPF_JEQ | BPF_K, 10, 0, 13 - 4), /* L4*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])), /* L5*/ BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x80800), /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 8 - 7, 0), /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 2, 0, 13 - 8) , /* L8*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2])), /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 12 - 10, 0), /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 6, 12 - 11, 0), /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 13 - 11), /*L12*/ BPF_STMT |(BPF_STMT) SECCOMP_RET_ALLOW), /*L13*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)), /*L14*/ /* sefe e latelang */ };

Source: opennet.ru