Google open-sources a system for building sandbox environments for C/C++

A few days ago Google announced that it has opened the Sandboxed API project, which lets you automate the creation of sandboxes for the isolated execution of arbitrary libraries written in C and C++.

Isolating your code from the libraries it uses protects against possible attacks on the handlers those libraries provide, and creates an additional barrier in case the code contains vulnerabilities that can be exploited by manipulating external data passed into the library. The code is open under the Apache 2.0 license.

Isolation is performed by the Sandbox2 runtime, which uses namespaces, cgroups, and seccomp-bpf.

Code delivered to the sandbox runs in a separate process, in which access to system calls and resources, as well as to files and network connections, is restricted.

Processes get access only to the system capabilities that are directly required to run the isolated code.

Sandbox2 defines the components for running the process, applying the isolation rules, and supporting subsequent execution.

Sandbox2 can be used separately from the Sandboxed API to isolate not only libraries but also arbitrary processes.

Besides the increased protection, a further benefit of moving code into separate processes is that limits on the library's memory and CPU consumption can be regulated separately, and that failures are contained: a failure in the library does not bring down the whole application.

About Sandboxed API

Sandboxed API is a plugin for Sandbox2 that simplifies porting existing libraries to run in isolated mode.

Sandboxed API provides an interface that lets you run library code in a sandbox environment, organize calls to the library inside the sandbox, and ensure that the library's results are delivered back to the main program.

The isolated library is accessed through a specialized RPC based on the ProtoBuffs (Protocol Buffers) protocol.

Library developers are given a set of options that allow the base application to access the variables, file descriptors, buffers, and functions of the isolated library, including tools for automatic and controlled memory synchronization for sharing arrays and structures.

[Figure: SAPI overview]

When a software library that parses such data is sufficiently complex, it can fall victim to certain kinds of security vulnerabilities: memory corruption errors or other kinds of problems related to the parsing logic (for example, path traversal issues). Such vulnerabilities can have serious security consequences.

In addition, an API is provided for monitoring the operation of the isolated processes and restarting them in the event of a failure.

For an isolated library, the annotation code for the isolated functions is generated automatically for the Bazel build system, together with the program interface (SAPI) for interaction between the base process and the isolated process.

The developer must also create a header file with isolation rules that define all permitted system calls and operations (read, write, open files, access to time, the ability to install signal handlers, support for memory allocation via malloc, etc.).

The files and directories the library needs access to are defined separately.
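The mechanism described above (library code in a separate process, behind a seccomp-bpf allow-list of system calls, with failures contained) shown with raw Linux calls as an added example; it is not Sandbox2 or Sandboxed API code. The names `install_policy`, `run_sandboxed`, `lib_checksum` and `lib_opens_socket` are hypothetical, and a Linux x86-64 or aarch64 host is assumed.

```c
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define SB_ARCH AUDIT_ARCH_AARCH64
#else
#define SB_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64 build otherwise */
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allow-list policy: write, exit, exit_group. Any other syscall, or a
 * syscall made under a different ABI, terminates the child with SIGSYS. */
static int install_policy(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SB_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { sizeof f / sizeof f[0], f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn in a filtered child; return its exit code, or -signal if it was killed. */
int run_sandboxed(int (*fn)(void)) {
    int st;
    pid_t pid = fork();
    if (pid == 0) _exit(install_policy() ? 99 : fn());
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1000;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -WTERMSIG(st);
}

/* Hypothetical library entry points, constructed for this example. */
int lib_checksum(void) { int s = 0; for (const char *p = "sample"; *p; p++) s += *p; return s & 0xff; }
int lib_opens_socket(void) { return socket(AF_INET, SOCK_STREAM, 0) >= 0; }
int main(void) {
    printf("checksum=%d socket=%d (SIGSYS=%d)\n", run_sandboxed(lib_checksum),
           run_sandboxed(lib_opens_socket), SIGSYS);
    return 0;
}
```

The pure computation completes inside the filter, while the call that tries to open a network socket is killed in the child and the parent keeps running and only sees the signal number.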

Installation

Currently the project is only available for Linux, but in the future they promise to add support for macOS and BSD systems and, in the longer term, Windows. If you want to install Sandboxed API, you can follow the instructions provided at this link.

The plans also mention the ability to isolate libraries in languages other than C and C++, support for additional isolation runtimes (e.g. based on hardware virtualization), and the ability to use CMake and other build systems (support is currently limited to the Bazel build system).

Source: https://security.googleblog.com

