Fedora 40 proposes enabling isolation settings for the systemd system services that are enabled by default, as well as for services running critical applications such as PostgreSQL, Apache httpd, Nginx, and MariaDB. The change is expected to significantly improve the security of the distribution in its default configuration and to make it possible to block unknown vulnerabilities in system services. The proposal has not yet been considered by FESCo (Fedora Engineering Steering Committee), which is responsible for the technical side of Fedora distribution development. A proposal can also be rejected during community review.
Settings proposed to be enabled:
- PrivateTmp=yes - provides separate directories for temporary files.
- ProtectSystem=yes/full/strict - mounts the file system read-only (in "full" mode, /etc/; in "strict" mode, all file systems except /dev/, /proc/ and /sys/).
- ProtectHome=yes - denies access to users' home directories.
- PrivateDevices=yes - leaves access only to /dev/null, /dev/zero and /dev/random.
- ProtectKernelTunables=yes - allows read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
- ProtectKernelModules=yes - prohibits loading kernel modules.
- ProtectKernelLogs=yes - prohibits access to the kernel log buffer.
- ProtectControlGroups=yes - allows read-only access to /sys/fs/cgroup/.
- NoNewPrivileges=yes - prohibits privilege escalation through the setuid, setgid and capabilities flags.
- PrivateNetwork=yes - places the service in a separate network stack namespace.
- ProtectClock=yes - prohibits changing the time.
- ProtectHostname=yes - prohibits changing the host name.
- ProtectProc=invisible - hides other users' processes in /proc.
- User= - changes the user.
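An added example, not part of the Fedora proposal or the original article: a small Python check that parses the `[Service]` section of a unit file and reports which settings from the list above are not enabled. The sample unit, the function names and the `demo` service are constructed for illustration; the accepted values follow the list above.

```python
# Added example: list first-tier settings a unit's [Service] section lacks.
TRUE = {"yes", "true", "on", "1"}  # boolean spellings systemd accepts
BOOL_KEYS = ("PrivateTmp ProtectHome PrivateDevices ProtectKernelTunables "
             "ProtectKernelModules ProtectKernelLogs ProtectControlGroups "
             "NoNewPrivileges PrivateNetwork ProtectClock ProtectHostname").split()
# Directive -> accepted values as listed on this page (None: any non-empty value).
EXPECTED = {key: TRUE for key in BOOL_KEYS}
EXPECTED.update({"ProtectSystem": TRUE | {"full", "strict"},
                 "ProtectProc": {"invisible"}, "User": None})

def service_settings(unit_text):
    """Return the last value assigned to each key in the [Service] section."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()  # later assignment wins
    return settings

def missing_hardening(unit_text):
    """List EXPECTED directives that are absent or set to another value."""
    have = service_settings(unit_text)
    def ok(key, accepted):
        value = have.get(key, "")
        return bool(value) if accepted is None else value.lower() in accepted
    return [key for key, accepted in EXPECTED.items() if not ok(key, accepted)]

# Constructed sample: NoNewPrivileges is overridden, ProtectClock is commented out.
SAMPLE_UNIT = """[Unit]
Description=Constructed demo service
[Service]
ExecStart=/usr/bin/demo
PrivateTmp=true
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
NoNewPrivileges=no
; ProtectClock=yes
User=demo
"""
print(missing_hardening(SAMPLE_UNIT))
```

This check reads a single file's text only; on a running system, `systemd-analyze security <unit>` evaluates the loaded unit with its drop-ins applied.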
In addition, you can consider enabling these settings:
- CapabilityBoundingSet=
- DevicePolicy=closed
- KeyringMode=private
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- PrivateUsers=yes
- RemoveIPC=yes
- RestrictAddressFamilies=
- RestrictNamespaces=yes
- RestrictRealtime=yes
- RestrictSUIDSGID=yes
- SystemCallFilter=
- SystemCallArchitectures=native
Source: opennet.ru