Release of the Firejail 0.9.78 Application Isolation System

Firejail 0.9.78 has been released. The project develops a system for running graphical, console, and server applications in isolation, reducing the risk of compromising the host system when running untrusted or potentially vulnerable programs. The program is written in C, distributed under the GPLv2 license, and works on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are prepared in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

Firejail uses namespaces, AppArmor, and system call filtering (seccomp-bpf) on Linux for isolation. Once launched, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table, and mount points. Related applications can be combined into a single shared sandbox. Firejail can also be used to run Docker, LXC, and OpenVZ containers.

Unlike container isolation tools, Firejail is very simple to configure and does not require preparing a system image: the container contents are built on the fly from the current file system and are removed when the application exits. Flexible file system access rules are provided. They let you specify which files and directories are allowed or denied access, mount temporary file systems (tmpfs) for data, restrict files or directories to read-only access, and combine directories using bind-mount and overlayfs.

Ready-made isolation profiles are provided for many popular applications, including Firefox, Chromium, VLC, and Transmission. To obtain the privileges needed to set up the sandboxed environment, the firejail executable is installed with the SUID root flag (the privileges are dropped after initialization). To run a program in isolation, pass the program name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".
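The file system access rules described above, written out as a Firejail profile. This is an added example, not part of the original article or of the profiles shipped with Firejail; the application name exampleapp and every path in it are hypothetical.

```text
# exampleapp.profile (constructed example; "exampleapp" and its paths are hypothetical)
# Run with: firejail --profile=./exampleapp.profile exampleapp

# Deny: key material stays unreachable from inside the sandbox.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg

# Allow: once a path under ${HOME} is whitelisted, a temporary file system
# is mounted over ${HOME} and only the whitelisted paths are bind-mounted
# into it. Anything else written under ${HOME} is discarded on exit.
mkdir ${HOME}/Downloads
whitelist ${HOME}/Downloads
whitelist ${HOME}/.config/exampleapp

# Read-only: the application can read its settings but not rewrite them.
read-only ${HOME}/.config/exampleapp

# tmpfs: an empty temporary file system replaces the shared /tmp.
private-tmp

# Reduce the kernel-facing surface alongside the file system rules.
caps.drop all
nonewprivs
noroot
seccomp
```

Order matters for review rather than for enforcement: keeping the deny rules at the top makes it obvious what the sandbox must never see, even if a later whitelist line is widened.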

In the new release:

  • The firejail.config configuration file gains the arg-max-count, arg-max-len, env-max-count, and env-max-len options for changing the limits on the number and size of command-line options and environment variables. By default, the number of arguments is limited to 128, the number of environment variables to 256, and the size of each argument to PATH_MAX from limits.h (4096 on Linux) + 32.
  • Added the "--xephyr-extra-params" option for passing additional parameters to Xephyr (used to create sandboxed X11 environments with their own X server running in a window) on the command line without modifying firejail.config.
  • Inside the sandbox, the bwrap (bubblewrap) utility has been replaced with the fbwrap shim, which launches programs without sandboxing, to resolve problems with Firefox, Thunderbird, and GIMP caused by glycin 2.0.0, which is called from gdk-pixbuf2 and uses bwrap. The "--allow-bwrap" option has been added to invoke bwrap instead of the shim.
  • The system call tables for seccomp have been updated. New system calls, such as epoll_pwait2 and futex_wait, have been added.
  • The "--disable-globalcfg" build option has been removed, and support for overlayfs ("--overlay") and IDS (Intrusion Detection System, "--ids") has been disabled.
  • Added isolation profiles for the ne text editor, the Trivalent browser, and the OpenRA, quakespasm, gzdoom, lzdoom, and uzdoom game engines.
  • Updated profiles for thunderbird, wine, qutebrowser, firefox, godot, wusc, mullvad-browser, blink, steam, ssh, brave, and hashcat.

Source: opennet.ru
