Google open-sources a system for creating sandbox environments for C/C++


A few days ago Google announced that it has opened the Sandboxed API project, which lets you automate the process of creating a sandbox for running C and C++ libraries in isolation.

Isolating your code from the libraries it uses protects against possible attacks through the handles those libraries provide, and creates an additional barrier in case the library code contains a vulnerability that can be exploited by manipulating the external data passed into the library. The code is open under the Apache 2.0 license.

The isolation is performed inside the Sandbox2 runtime, which uses namespaces, cgroups and seccomp-bpf.

Code placed in the sandbox runs in a separate process, where access to system calls and resources, as well as to files and network connections, is restricted.

Processes get access only to the system capabilities that are directly required to run the isolated code.

Sandbox2 defines the components that run the process, apply the isolation rules and support the subsequent execution.

Sandbox2 can be used separately from the Sandboxed API to isolate not only libraries, but also arbitrary processes.

Besides the increased protection, moving code into separate processes has another benefit: memory and CPU limits can be set separately for the library, and failures are contained, so a failure in the library does not bring down the whole application.
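The process separation described above, as an added sketch that is not part of the original article and does not use Sandbox2 or the Sandboxed API: a hypothetical library call `lib_parse` runs in a forked child with its own memory and CPU limits, so a crash or runaway allocation stays in the child. It relies only on `fork`, `pipe` and `setrlimit` (no namespaces, cgroups or seccomp-bpf); `lib_parse`, `run_isolated` and the input markers are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical library call, constructed for this example: sums the input bytes.
 * A leading 'C' simulates a memory-corruption crash, a leading 'M' a runaway allocation. */
int lib_parse(const unsigned char *d, size_t n, unsigned *out) {
    if (n && d[0] == 'C') abort();
    if (n && d[0] == 'M') {
        void *volatile p = malloc((size_t)1 << 30);   /* 1 GiB, above the limit */
        if (!p) return -1;
        free(p);
    }
    for (*out = 0; n--; d++) *out += *d;
    return 0;
}

/* Run lib_parse in a child process with its own memory and CPU limits.
 * Returns 0 and fills *out on success, -1 if the call failed or the child died. */
int run_isolated(const unsigned char *data, size_t len, unsigned *out) {
    int fds[2], status = 0;
    unsigned r = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                   /* isolated side */
        struct rlimit mem = {64u << 20, 64u << 20}, cpu = {1, 1};   /* 64 MiB, 1 s CPU */
        if (setrlimit(RLIMIT_AS, &mem) || setrlimit(RLIMIT_CPU, &cpu)) _exit(2);
        if (lib_parse(data, len, &r) != 0) _exit(1);
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);                    /* host side */
    ssize_t got = read(fds[0], &r, sizeof r);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || got != (ssize_t)sizeof r) return -1;
    *out = r;
    return 0;
}

int main(void) {
    unsigned v = 0;
    int ok = run_isolated((const unsigned char *)"abc", 3, &v);
    int crash = run_isolated((const unsigned char *)"Cx", 2, &v);
    printf("ok=%d sum=%u crash=%d\n", ok, v, crash);
    return 0;
}
```

The host keeps running after the simulated crash and only sees an error code; the result of a successful call comes back over the pipe.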

About the Sandboxed API

The Sandboxed API is a plugin for Sandbox2 that simplifies porting existing libraries to run in isolated mode.

The Sandboxed API provides an intermediate software interface that lets you run library code in a sandbox environment, arranges the call to the library inside the sandbox and ensures that the library's results are delivered back to the main program.

The isolated library is accessed through a specialized RPC based on the ProtoBuffs protocol.

Library developers are given a set of options that allow the base application to access the variables, file descriptors, buffers and functions of the isolated library, including tools for automatic and controlled memory synchronization for sharing arrays and structures.

SAPI overview

When a software library that parses such data is sufficiently complex, it can fall victim to certain types of security vulnerabilities: memory corruption bugs or other kinds of problems related to the parsing logic (for example, path traversal issues). These vulnerabilities can have serious security implications.

In addition, an API is provided for monitoring the operation of the isolated processes and restarting them in case of failure.

For the isolated library, the annotation code for the isolated functions is generated automatically for the Bazel build system, along with the program interface (SAPI) for communication between the base and isolated processes.

The developer must create a header file with the isolation rules that describe all the permitted system calls and operations (reading, writing, opening files, access to time, the ability to install signal handlers, support for memory allocation via malloc, etc.).

The files and directories that the library needs to access are specified separately.

Installation

At the moment the project is available only for Linux, but they promise to add support for macOS and BSD systems in the future and, in the long term, for Windows. If you want to install the Sandboxed API, you can follow the instructions given at this link.

The plans mention the ability to isolate libraries written in languages other than C and C++, additional runtime support for isolation (e.g. based on hardware virtualization) and the ability to use CMake and other build systems (support is currently limited to the Bazel build system).

Source: https://security.googleblog.com

