Hoʻokuʻu ʻia ʻo Firejail Application Isolation System 0.9.60
ʻIke i ka mālamalama hoʻokuʻu papahana Halepaahao Ahi 0.9.60, i loko kahi e hoʻomohala ʻia ai kahi ʻōnaehana no ka hoʻokō kaʻawale ʻana i nā noi kiʻi, console a me nā kikowaena. ʻO ka hoʻohana ʻana iā Firejail hiki iā ʻoe ke hōʻemi i ka pilikia o ka hoʻololi ʻana i ka ʻōnaehana nui i ka wā e holo ana i nā polokalamu hilinaʻi ʻole a i ʻole nā polokalamu pilikia. Ua kākau ʻia ka papahana ma ka ʻōlelo C, mahele ʻia e laikini ʻia ma lalo o GPLv2 a hiki ke holo ma kekahi mahele Linux me kahi kernel i ʻoi aku ma mua o 3.0. ʻO nā pūʻolo i hana ʻia me Firejail hoomakaukauia i ka deb (Debian, Ubuntu) a me rpm (CentOS, Fedora).
No ka noho kaʻawale ʻana ma ka hale paʻahao ahi hoʻohana ʻia namespaces, AppArmor, a me ka kānana kelepona ʻōnaehana (seccomp-bpf) ma Linux. I ka wā i hoʻokuʻu ʻia ai, hoʻohana ka papahana a me kāna kaʻina hana a pau i nā manaʻo ʻokoʻa o nā kumuwaiwai kernel, e like me ka waihona pūnaewele, ka papa hana, a me nā wahi mauna. Hiki ke hoʻohui ʻia nā noi e hilinaʻi ana i kekahi i hoʻokahi pahu one maʻamau. Inā makemake ʻia, hiki ke hoʻohana ʻia ʻo Firejail e holo i nā pahu Docker, LXC a me OpenVZ.
ʻAʻole like me nā mea hana insulation container, ʻoi loa ka hale paʻahao māmā i ka hoʻonohonoho ʻana a ʻaʻole koi i ka hoʻomākaukau ʻana i kahi kiʻi ʻōnaehana - ua hoʻokumu ʻia ka hoʻokumu ʻana o ka ipu i ka lele e pili ana i nā mea o ka ʻōnaehana faila o kēia manawa a holoi ʻia ma hope o ka pau ʻana o ka noi. Hāʻawi ʻia nā ala maʻalahi o ka hoʻonohonoho ʻana i nā lula komo i ka ʻōnaehana faila; hiki iā ʻoe ke hoʻoholo i nā faila a me nā papa kuhikuhi i ʻae ʻia a hōʻole ʻia ke komo ʻana, e hoʻopili i nā ʻōnaehana faila manawaleʻa (tmpfs) no ka ʻikepili, e kaupalena i ke komo ʻana i nā faila a i ʻole nā papa kuhikuhi i ka heluhelu-wale, hoʻohui i nā papa kuhikuhi ma o hoʻopaʻa-mauna a me nā uhi.
No ka nui o nā noi kaulana, me Firefox, Chromium, VLC a me Transmission, mākaukau nā ʻikepili kaʻawale kelepona ʻōnaehana. No ka holo ʻana i kahi papahana ma ke ʻano kaʻawale, e kuhikuhi wale i ka inoa noi ma ke ʻano he hoʻopaʻapaʻa i ka pono hale paʻahao, no ka laʻana, "firejail firefox" a i ʻole "sudo firejail /etc/init.d/nginx start".
I ka hoʻokuʻu hou:
Ua hoʻopaʻa ʻia kahi haʻahaʻa e hiki ai i kahi kaʻina hana ʻino ke kāʻalo i ka ʻōnaehana kelepona kelepona. ʻO ke kumu o ka nāwaliwali ʻo ia ka kope ʻana o nā kānana Seccomp i ka papa kuhikuhi /run/firejail/mnt, hiki ke kākau ʻia i loko o ke kaiapuni kaʻawale. Hiki i nā kaʻina hana ʻino e holo ana ma ke ʻano kaʻawale ke hoʻololi i kēia mau faila, kahi e hoʻokō ʻia ai nā kaʻina hana hou e holo ana ma ka ʻāina like me ka hoʻohana ʻole ʻana i ka kānana kelepona ʻōnaehana;
ʻO ke kānana memo-deny-write-execute e hoʻopaʻa ʻia ke kelepona "memfd_create";
Hoʻohui hou i kahi koho "private-cwd" e hoʻololi i ka papa kuhikuhi hana no ka hale paʻahao;
Hoʻohui ʻia ke koho "--nodbus" e ālai i nā kumu D-Bus;