Release of Bubblewrap 0.8, a layer for creating isolated environments

Bubblewrap 0.8, a toolkit for setting up isolated environments, has been released. It is typically used to restrict individual applications run by unprivileged users. In practice, the Flatpak project uses Bubblewrap as a layer for isolating applications launched from packages. The project's code is written in C and distributed under the LGPLv2+ license.

Isolation relies on the traditional Linux container virtualization technologies, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is launched with root rights (an executable file with the suid flag) and then drops its privileges once the container has been initialized.

Enabling user namespaces in the system, which allow containers to use their own separate set of identifiers, is not required for operation, since they do not work by default in many distributions (Bubblewrap is positioned as a limited suid implementation of a subset of user namespace capabilities: to exclude all user and process identifiers from the environment except the current ones, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs executed under Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which prohibits gaining new privileges, for example when the setuid flag is present.
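As an added illustration (not code from Bubblewrap or from the original article), the C program below probes the PR_SET_NO_NEW_PRIVS behavior described above: the flag can be set without privileges, cannot be cleared again, and is inherited by child processes. The function name `probe_no_new_privs` and the `NNP_*` constants are hypothetical names chosen for this example; it assumes a Linux kernel with no_new_privs support.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result bits returned by probe_no_new_privs() (names made up for this example). */
#define NNP_SET_OK       0x1 /* prctl(PR_SET_NO_NEW_PRIVS, 1) succeeded      */
#define NNP_VISIBLE      0x2 /* PR_GET_NO_NEW_PRIVS reports 1 afterwards     */
#define NNP_IRREVERSIBLE 0x4 /* an attempt to clear the flag fails (EINVAL)  */
#define NNP_INHERITED    0x8 /* a fork()ed child sees the flag as set        */

/* Runs all checks in a throwaway child so the caller's own flag is untouched.
 * Returns a bitmask of NNP_* values, or -1 if fork/wait fails. */
int probe_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int r = 0, st;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            r |= NNP_SET_OK;
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
            r |= NNP_VISIBLE;
        /* The kernel accepts only arg2 == 1, so the flag is one-way. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            r |= NNP_IRREVERSIBLE;
        pid_t gc = fork(); /* grandchild stands in for the sandboxed program */
        if (gc == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
        if (gc > 0 && waitpid(gc, &st, 0) == gc && WIFEXITED(st) && WEXITSTATUS(st) == 0)
            r |= NNP_INHERITED;
        _exit(r);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_no_new_privs();
    if (r < 0) { perror("probe_no_new_privs"); return 1; }
    printf("set=%d visible=%d irreversible=%d inherited=%d\n", !!(r & NNP_SET_OK),
           !!(r & NNP_VISIBLE), !!(r & NNP_IRREVERSIBLE), !!(r & NNP_INHERITED));
    return r == 0xF ? 0 : 1;
}
```

The flag is also preserved across execve(2), which is why a setuid binary started inside the sandbox runs without elevated privileges.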

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, external file system partitions are attached to this partition in "mount --bind" mode (for example, when launched with the option "bwrap --ro-bind /usr /usr", the /usr partition is forwarded from the main system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses the setuid launch model, is that in Bubblewrap the container-creation layer includes only the minimum necessary capabilities, while all advanced functions needed to run graphical applications, interact with the desktop and filter requests to Pulseaudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, on the other hand, combines all related functions in a single executable file, which makes it difficult to audit and to keep security at the proper level.

In the new release:

  • Added the "--disable-userns" option to disable the creation of a nested user namespace of its own inside the sandbox environment.
  • Added the "--assert-userns-disabled" option to check that, when the "--disable-userns" option is used, an existing user ID namespace is in use.
  • Error messages related to the CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER settings being disabled in the kernel have been made more informative.

source: budenet.ru
