Release of Bubblewrap 0.8, a layer for building isolated environments

Bubblewrap 0.8, a toolkit for setting up isolated (sandboxed) environments, has been released. It is typically used to confine individual applications run by unprivileged users. In practice, Bubblewrap serves the Flatpak project as the layer that isolates applications launched from packages. The code is written in C and distributed under the LGPLv2+ license.

Isolation is built on the container virtualization technologies traditional for Linux: cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap starts with root rights (the executable carries the setuid flag) and drops those privileges once the container has been initialized. (On kernels that allow unprivileged user namespaces, distributions also ship bwrap as an ordinary non-setuid binary, in which case no root rights are involved at all.)

Enabling user ID namespaces (user namespaces) on the system, which let a container use its own separate set of identifiers, is not required for Bubblewrap to work, since that feature is disabled by default in many distributions. Bubblewrap positions itself as a restricted setuid implementation of a subset of user-namespace functionality: the CLONE_NEWUSER and CLONE_NEWPID modes are used to remove from the environment all user and process identifiers other than the current ones. For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which forbids acquiring new privileges, for example through a setuid flag on an executable.

Filesystem-level isolation is achieved by creating, by default, a new mount namespace in which an empty root partition is created on tmpfs. Where needed, parts of the outside filesystem are attached to this root in "mount --bind" fashion (for example, when started with "bwrap --ro-bind /usr /usr", the host's /usr is passed through into the sandbox read-only). Network access is limited to the loopback interface: the network stack is isolated with the CLONE_NEWNET flag, and the host and domain name with CLONE_NEWUTS.

The key difference from the similar Firejail project, which also uses the setuid launch model, is that in Bubblewrap the container-creation layer includes only the minimum functionality that is strictly necessary, while all the extended functions needed to run graphical applications, interact with the desktop and filter access to PulseAudio are moved to the Flatpak side and executed only after privileges have been dropped. Firejail, by contrast, combines all related functions in a single executable, which makes it harder to audit and to keep its security at the required level.

In the new release:

  • Added the "--disable-userns" option, which disables the creation of a further nested user namespace inside the sandbox environment.
  • Added the "--assert-userns-disabled" option, which checks that the existing (outer) user namespace has already had user-namespace creation disabled, instead of relying on the current invocation to do it via "--disable-userns".
  • Error messages related to the absence of the CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER settings in the kernel are now more informative.

Source: opennet.ru
