Fedora 40 plans to enable system service isolation

Fedora 40 proposes enabling isolation settings for the systemd system services that are enabled by default, as well as for services running critical applications such as PostgreSQL, Apache httpd, Nginx, and MariaDB. The change is expected to significantly improve the security of the distribution in its default configuration and to make it possible to block unknown vulnerabilities in system services. The proposal has not been reviewed by FESCo (Fedora Engineering Steering Committee), which is responsible for the technical side of Fedora distribution development. The proposal may also be rejected during community review.

Settings recommended for enabling:

  • PrivateTmp=yes - provides separate directories for temporary files.
  • ProtectSystem=yes/full/strict - mounts the file system read-only (in "full" mode, /etc/; in "strict" mode, all file systems except /dev/, /proc/ and /sys/).
  • ProtectHome=yes - denies access to users' home directories.
  • PrivateDevices=yes - leaves access only to /dev/null, /dev/zero and /dev/random.
  • ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
  • ProtectKernelModules=yes - prohibits loading kernel modules.
  • ProtectKernelLogs=yes - prohibits access to the kernel log buffer.
  • ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes - prohibits privilege elevation through the setuid and setgid flags and capabilities.
  • PrivateNetwork=yes - places the service in a separate network stack namespace.
  • ProtectClock=yes - prohibits changing the time.
  • ProtectHostname=yes - prohibits changing the hostname.
  • ProtectProc=invisible - hides other users' processes in /proc.
  • User= - changes the user.

In addition, enabling the following settings may be considered:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
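
As an added example (not part of the original article or of the Fedora proposal), the following Python code checks a unit's [Service] section against the first list of settings above and reports each directive that is absent or set to a value other than the one listed. The sample unit is constructed, and the names `audit`, `service_settings` and `example-daemon` are hypothetical.

```python
BOOL = {"1": "yes", "yes": "yes", "true": "yes", "on": "yes",
        "0": "no", "no": "no", "false": "no", "off": "no"}
RECOMMENDED = {name: {"yes"} for name in (
    "PrivateTmp", "ProtectHome", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectKernelLogs", "ProtectControlGroups",
    "NoNewPrivileges", "PrivateNetwork", "ProtectClock", "ProtectHostname")}
RECOMMENDED["ProtectSystem"] = {"yes", "full", "strict"}
RECOMMENDED["ProtectProc"] = {"invisible"}

# Constructed sample unit; the binary path and user name are hypothetical.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/example-daemon
User=example
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
NoNewPrivileges=yes
ProtectProc=default
"""

def service_settings(unit_text):
    """Return the last value assigned to each key in [Service] sections."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value  # a later assignment overrides an earlier one
    return settings

def audit(unit_text):
    """Map each listed directive that is absent or set differently to a finding."""
    settings, findings = service_settings(unit_text), {}
    for key, accepted in RECOMMENDED.items():
        value = settings.get(key)
        if value is None:
            findings[key] = "missing"
        elif BOOL.get(value.lower(), value) not in accepted:
            findings[key] = f"differs ({value})"
    user = settings.get("User", "")
    if user in ("", "root", "0"):  # User= only helps if it leaves root
        findings["User"] = f"differs ({user})" if user else "missing"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT))
```

A finding is a prompt for review rather than a defect: PrivateNetwork=yes, for instance, cannot be applied to a service that has to accept network connections. Because the last assignment wins, the text printed by `systemctl cat <unit>` (main file followed by drop-ins) can be passed in directly.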

Source: opennet.ru
