An buga sakin aikin Firejail 0.9.72, wanda ke haɓaka tsarin don keɓance aiwatar da aikace-aikacen hoto, wasan bidiyo da uwar garken, yana ba da damar rage haɗarin ɓata babban tsarin yayin gudanar da shirye-shirye marasa aminci ko yiwuwar rauni. An rubuta shirin a cikin C, wanda aka rarraba a ƙarƙashin lasisin GPLv2 kuma yana iya gudana akan kowane rarraba Linux tare da kernel wanda ya girmi 3.0. Shirye-shiryen fakitin Firejail an shirya su cikin tsarin deb (Debian, Ubuntu) da rpm (CentOS, Fedora).
Don keɓewa, Firejail yana amfani da wuraren suna, AppArmor, da tace kiran tsarin (seccomp-bpf) akan Linux. Da zarar an ƙaddamar da shi, shirin da duk tsarin tafiyar da yaran sa suna amfani da ra'ayi daban-daban na albarkatun kwaya, kamar tari na cibiyar sadarwa, tebur mai sarrafawa, da wuraren hawa. Ana iya haɗa aikace-aikacen da suka dogara da junansu cikin akwatin yashi na gama-gari. Idan ana so, Hakanan ana iya amfani da Firejail don gudanar da kwantena Docker, LXC da OpenVZ.
Ba kamar kayan aikin keɓewa na kwantena ba, gidan wuta yana da sauƙin daidaitawa kuma baya buƙatar shirye-shiryen hoton tsarin - an ƙirƙiri abun da ke ciki akan gardama bisa abubuwan da ke cikin tsarin fayil na yanzu kuma ana share su bayan kammala aikace-aikacen. Ana samar da hanyoyi masu sassauƙa na saita ƙa'idodin samun dama ga tsarin fayil; zaku iya tantance waɗanne fayiloli da kundayen adireshi aka ba su izini ko hana damar shiga, haɗa tsarin fayilolin wucin gadi (tmpfs) don bayanai, iyakance damar yin amfani da fayiloli ko kundayen adireshi don karantawa kawai, haɗa kundayen adireshi ta hanyar daure-mount da overlayfs.
Don ɗimbin shahararrun aikace-aikace, gami da Firefox, Chromium, VLC da Watsawa, an shirya bayanan bayanan keɓewar tsarin da aka yi. Don samun gatan da suka wajaba don saita mahalli mai yashi, ana shigar da aikin kashe gobara tare da Tushen SUID (an sake saita gata bayan farawa). Don gudanar da shirin a yanayin keɓe, kawai saka sunan aikace-aikacen azaman hujja ga kayan aikin gidan kashe gobara, misali, "firejail firefox" ko "sudo firejail /etc/init.d/nginx start".
A cikin sabon saki:
- Ƙara matatar seccomp don kiran tsarin da ke toshe ƙirƙirar wuraren suna (an ƙara zaɓin "--restrict-namespaces" don kunnawa). Sabunta tsarin kiran tebur da ƙungiyoyin seccomp.
- Ingantattun yanayin ƙarfi-noewprivs (NO_NEW_PRIVS), wanda ke hana sabbin matakai samun ƙarin gata.
- Ƙara ikon yin amfani da bayanan martaba na AppArmor (an ba da zaɓin "--apparmor" don haɗi).
- Tsarin sa ido na hanyar sadarwa na nettrace, wanda ke nuna bayanai game da IP da ƙarfin zirga-zirga daga kowane adireshin, yana aiwatar da tallafin ICMP kuma yana ba da zaɓuɓɓukan "--dnstrace", "--icmptrace" da "--snitrace".
- An cire umarnin --cgroup da --shell (tsoho shine --shell=babu). An dakatar da ginin Firetunnel ta tsohuwa. An kashe chroot, masu zaman kansu-lib da saitunan bincike a /etc/firejail/firejail.config. An dakatar da tallafin grsecurity.
source: budenet.ru