Google opens up a framework for creating sandboxed environments for C/C++

A few days ago Google announced that it has opened up the Sandboxed API project, which lets you automate the process of creating sandboxes for running arbitrary C and C++ libraries.

Isolating your code from libraries protects against possible attacks on the handles the libraries provide, creating an additional barrier in case your code contains vulnerabilities that could be exploited by manipulating the external data that reaches the library. The code has been released under the Apache 2.0 license.

Isolation is performed with the Sandbox2 runtime, which uses namespaces, cgroups, and seccomp-bpf.

Code sent to the sandbox runs in a separate process whose access to system calls and resources, as well as to files and network connections, is restricted.

These processes get access only to the system capabilities directly required to run the isolated code.

Sandbox2 defines the components for running the process, applying the isolation rules, and supporting its subsequent execution.

Sandbox2 can be used separately from Sandboxed API to isolate not only libraries but also arbitrary processes.

Besides the added protection, a positive side of moving code into separate processes is the ability to regulate the library's memory and CPU limits separately, and protection against failures: a failure in the library does not bring down the whole application.

About Sandboxed API

Sandboxed API is a Sandbox2 plugin that simplifies porting existing libraries to run in isolated mode.

Sandboxed API provides a software middle layer that lets you run library code in a sandboxed environment, arrange calls to the library inside that environment, and ensure the library's results are delivered to the main program.

The isolated library is accessed through a specialized RPC based on the ProtoBuffs protocol.

Library developers are offered a set of options that allow access to variables.

When a software library that parses such data is sufficiently complex, it can fall victim to certain kinds of security vulnerabilities: memory corruption bugs or other kinds of problems related to the parsing logic (for example, path traversal issues). These vulnerabilities can have serious security implications.

In addition, an API is provided to monitor the operation of the isolated processes and restart them in case of failure.

For the isolated library, the annotation code for the isolated functions is generated automatically for the Bazel build system, along with the program interface (SAPI) for interaction between the base process and the isolated one.

The developer must create a header file with isolation rules that describe all the permitted system calls (read, write, open files, get the time, the ability to install signal handlers, support for memory allocation via malloc, and so on).

The files and directories that the library should have access to are specified separately.
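The mechanism described above (untrusted code in a separate process, limited by a system-call allowlist) is shown here with the raw Linux seccomp-bpf interface. This is an added example, not code from Sandbox2 or Sandboxed API; `install_allowlist`, `untrusted_sum` and `run_sandboxed` are hypothetical names, and it assumes Linux on x86-64 or AArch64.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__ /* assumption: Linux on x86-64 or AArch64 */
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
static int install_allowlist(void) {
    struct sock_filter f[] = { /* policy: read, write, exit, exit_group; anything else is fatal */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0), /* foreign ABI falls through to kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
static int untrusted_sum(const char *s, int evil) { /* hypothetical library routine */
    int sum = 0;
    while (*s) sum += (unsigned char)*s++;
    if (evil) syscall(SYS_openat, AT_FDCWD, "/etc/hostname", O_RDONLY); /* not in the policy */
    return sum;
}
/* Runs the routine in a filtered child; returns its result, -signal if killed, -1000 on error. */
static int run_sandboxed(const char *input, int evil) {
    int p[2], out = 0, status = 0; pid_t pid;
    if (pipe(p) || (pid = fork()) < 0) return -1000;
    if (pid == 0) { /* sandboxee: restrict itself before touching the input */
        if (install_allowlist()) _exit(2);
        int r = untrusted_sum(input, evil);
        _exit(write(p[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 3);
    }
    close(p[1]);
    ssize_t n = read(p[0], &out, sizeof out);
    close(p[0]);
    if (waitpid(pid, &status, 0) == pid && WIFSIGNALED(status)) return -WTERMSIG(status);
    return (n == (ssize_t)sizeof out && WIFEXITED(status) && !WEXITSTATUS(status)) ? out : -1000;
}
```

A well-behaved call returns its result through the pipe; a call that steps outside the policy is terminated with SIGSYS while the calling process keeps running.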

Installation

At present the project is available only for Linux, but support for macOS and BSD systems is promised for the future, and for Windows in the long term. If you want to install Sandboxed API, you can follow the instructions given at this link.

The plans also mention the ability to isolate libraries written in languages other than C and C++, additional runtimes for isolation (for example, based on hardware virtualization), and the ability to use CMake and other build systems (support is currently limited to the Bazel build system).

Source: https://security.googleblog.com

