Bubblewrap 0.6 released, a layer for creating isolated environments

Bubblewrap 0.6, a toolkit for setting up isolated environments on Linux, has been released; it is typically used to confine applications run by unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project's code is written in C and is distributed under the LGPLv2+ license.

Isolation relies on the traditional Linux container virtualisation technologies built on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up the container, Bubblewrap is started with root privileges (an executable carrying the suid flag) and drops those privileges once the container has been initialised.

Enabling user namespaces on the system, which would let containers use their own separate set of identifiers, is not required for operation, since it is disabled by default in many distributions (Bubblewrap is positioned as a restricted suid implementation of a subset of user-namespace functionality: the CLONE_NEWUSER and CLONE_NEWPID modes are used to hide all user and process identifiers of the host environment except the current one). For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through a setuid flag.

File-system isolation is achieved by creating, by default, a new mount namespace in which an empty root partition is created on tmpfs. Where needed, external file-system partitions are attached to this root in "mount --bind" mode (for example, when started with the option "bwrap --ro-bind /usr /usr", the /usr partition is passed through from the host system read-only). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer contains only the necessary minimum of functionality, while all the extended functions needed to run graphical applications, interact with the desktop and filter requests to Pulseaudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functions in a single executable, which makes auditing it and maintaining security at the required level more difficult.

In the new release:

  • Added support for the Meson build system. Building with Autotools is still supported for now, but will be removed in a future release.
  • Implemented the "--add-seccomp" option for adding more than one seccomp program. A warning has been added that if the "--seccomp" option is specified more than once, only the last one is applied.
  • The main branch in the git repository has been renamed to main.
  • Added partial support for the REUSE recommendations, which unify the way license and copyright information is specified. Most code files now carry SPDX-License-Identifier headers. Following the REUSE guidelines makes it easier to determine which license applies to which part of the code.
  • Added a check of the command-line argument counter (argc) with an emergency exit if the counter is zero. The change helps prevent security problems caused by incorrect handling of passed command-line arguments, such as CVE-2021-4034 in Polkit.
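
The argc check in the last item is worth seeing in code. The following is an added example written for this page, not Bubblewrap's own code: a process started with an empty argument vector (execve with argv = {NULL}) receives argc == 0 and argv[0] == NULL, so any code that assumes argv[0] or argv[1] exists reads past the end of the array, which is the root of CVE-2021-4034 in Polkit's pkexec. The helper names (validate_args, count_options, handle_args) and the two argument vectors are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not bubblewrap's own code: an argc/argv sanity check of the
 * kind the 0.6 release introduces. Returns 0 when the vector is sane and -1
 * when it is not. Hypothetical helper name. */
static int validate_args(int argc, char **argv)
{
    /* argc == 0 means argv[0] is already the terminating NULL. */
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;
    /* A well-formed vector is NULL-terminated exactly at argv[argc]. */
    if (argv[argc] != NULL)
        return -1;
    return 0;
}

/* Typical option parsing that indexes argv[1..argc-1]. This is the code
 * that would read out of bounds on an empty vector, so it must only run
 * after validate_args() succeeded. Returns the number of "--" options. */
static int count_options(int argc, char **argv)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "--", 2) == 0)
            n++;
    }
    return n;
}

/* Front door for the two checks: -1 tells the caller to exit immediately
 * (the emergency exit described in the release notes), otherwise the
 * option count. */
int handle_args(int argc, char **argv)
{
    if (validate_args(argc, argv) != 0)
        return -1;
    return count_options(argc, argv);
}

/* Constructed argument vectors: one normal bwrap-style invocation and one
 * empty vector as produced by execve(path, (char *[]){NULL}, envp). */
static char *good_argv[] = { "bwrap", "--ro-bind", "/usr", "/usr", "true", NULL };
static char *empty_argv[] = { NULL };

int main(int argc, char **argv)
{
    /* A real program validates its own vector before touching argv[]. */
    if (validate_args(argc, argv) != 0) {
        fputs("refusing to run with an empty argument vector\n", stderr);
        return 1;
    }
    printf("constructed good vector: %d option(s)\n", handle_args(5, good_argv));
    printf("constructed empty vector: %d (rejected)\n", handle_args(0, empty_argv));
    return 0;
}
```

The check costs one comparison at startup; the important design point is that it runs before any other code dereferences argv, because once argv[0] is NULL the pointer after it is already outside the array and whatever follows in memory (usually the start of envp) is read as if it were an argument.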

Source: opennet.ru
