Release of Bubblewrap 0.4.0, a layer for creating isolated environments

A new release of the Bubblewrap 0.4.0 toolkit is available. It is designed to set up isolated environments on Linux and operates at the application level for unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project code is written in C and distributed under the LGPLv2+ license.

For isolation, the traditional Linux container virtualization technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to configure a container, Bubblewrap is launched with root privileges (an executable with the suid flag) and then drops those privileges once the container has been initialized.

Enabling user namespaces in the system, which would let containers use their own separate set of identifiers, is not required for operation, because they are not enabled by default in many distributions (Bubblewrap positions itself as a limited suid implementation of a subset of user namespace capabilities: the CLONE_NEWUSER and CLONE_NEWPID modes are used to exclude all user and process identifiers from the environment except the current one). For additional protection, programs run under Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through a setuid flag on an executable.

Isolation at the file system level is achieved by creating a new mount namespace; by default an empty root partition is created there using tmpfs. If necessary, external FS partitions are attached to this root in "mount --bind" mode (for example, when launched as "bwrap --ro-bind /usr /usr", the /usr partition of the main system is passed through in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.
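The isolation model described above (empty tmpfs root, read-only bind of /usr, fresh PID, network and UTS namespaces, PR_SET_NO_NEW_PRIVS) assembled into a single bwrap invocation, as an added example that is not part of the original article or of the Bubblewrap project. It assumes bwrap 0.4.x is installed when the sandbox is actually launched and that the host uses the merged-/usr layout (/bin, /lib, /lib64 and /sbin as symlinks into /usr); the argument list is built by a separate function so it can be inspected even on a machine without bwrap, and a small helper reads the NoNewPrivs line of /proc/<pid>/status, which is how one verifies from inside the sandbox that the no-new-privileges mode really is in effect.

```shell
#!/bin/sh
# Added example, not code from the article or the Bubblewrap project.
# Assumptions: bwrap 0.4.x on the host when run for real; merged-/usr layout.

# Print the bwrap arguments for the sandbox, one option group per line.
# $1 is the program to run inside the sandbox (a path without spaces).
bwrap_sandbox_args() {
    cat <<EOF
--ro-bind /usr /usr
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--symlink usr/sbin /sbin
--proc /proc
--dev /dev
--tmpfs /tmp
--unshare-pid
--unshare-net
--unshare-uts
--hostname sandbox
--die-with-parent
--new-session
--
$1
EOF
}

# Run $1 inside the sandbox. The root is the default empty tmpfs; everything
# else visible to the program comes from the explicit binds above.
run_sandboxed() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not installed; would run: bwrap $(bwrap_sandbox_args "$1" | tr '\n' ' ')" >&2
        return 127
    fi
    # Word splitting on the printed argument list is intentional here.
    # shellcheck disable=SC2046
    bwrap $(bwrap_sandbox_args "$1")
}

# Print the NoNewPrivs value (0 or 1) from a /proc/<pid>/status file given as $1.
no_new_privs_from_status() {
    awk '$1 == "NoNewPrivs:" { print $2 }' "$1"
}

# Exit status 0 when the calling process already runs with no_new_privs set,
# i.e. what a program launched by bwrap should observe for itself.
sandbox_has_no_new_privs() {
    [ "$(no_new_privs_from_status /proc/self/status)" = "1" ]
}

# Usage: BWRAP_EXAMPLE_RUN=1 sh sandbox.sh   (opens a shell in the sandbox)
case "${BWRAP_EXAMPLE_RUN:-}" in
    1) run_sandboxed /bin/sh ;;
esac
```

Inside the resulting shell, `grep NoNewPrivs /proc/self/status` should report 1 and `ip addr` (if present) should show only the loopback interface, which is the quick way to confirm the two properties the article attributes to PR_SET_NO_NEW_PRIVS and CLONE_NEWNET.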

The key difference from the similar Firejail project, which also uses the setuid launch model, is that in Bubblewrap the container creation layer contains only the minimum necessary capabilities, while all the advanced functions needed to run graphical applications, interact with the desktop and filter Pulseaudio requests are moved out to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functions in a single executable, which makes it harder to audit and to keep secure at the proper level.

The new release is notable for supporting the joining of existing user and process ID namespaces (pid namespaces). The "--userns", "--userns2" and "--pidns" flags have been added to control namespace joining. This feature does not work in setuid mode and requires a separate mode of operation, which can work without root privileges but requires user namespaces to be enabled in the system (they are disabled by default in Debian and RHEL/CentOS) and does not rule out the exploitation of any remaining vulnerabilities to bypass the restrictions of "user namespaces". Other new features in Bubblewrap 0.4 include the ability to build against the musl C library instead of glibc and support for saving namespace information to a JSON statistics file.

Source: opennet.ru
