A new release of the Bubblewrap 0.4 toolkit is available. Bubblewrap is designed for setting up isolated environments on Linux and runs at the level of an unprivileged user. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from its packages. The project's code is written in C and distributed under the LGPLv2+ license.
Isolation relies on the traditional Linux container technologies: cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root rights (the executable carries the suid flag) and drops its privileges once the container has been initialized.
Enabling user namespaces on the system (the namespace type that lets a container use its own separate set of user identifiers) is not required, because they are not enabled by default in many distributions (Bubblewrap positions itself as a limited suid implementation of a subset of the user-namespace functionality: to hide all user and process identifiers except the current one from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used). As an additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which forbids acquiring new privileges, for example via a setuid flag on an executable.
File-system isolation is achieved by creating a new mount namespace by default, in which an empty root is created on tmpfs. Where needed, parts of the external file system are attached into this root in "mount --bind" fashion (for example, when launched with the option "bwrap --ro-bind /usr /usr", the /usr partition is passed through from the host system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.
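The sandbox described above, assembled as an added example that is not the article's or the Bubblewrap project's own code: it builds the layout (empty tmpfs root, read-only bind of the host /usr, private /dev and /proc, all namespaces unshared) and then checks from inside, via /proc, that NoNewPrivs is set, that /usr is mounted read-only and that only the loopback interface is visible. It assumes a Linux host with bwrap in PATH (either setuid or with user namespaces enabled) and a merged-/usr layout (sh and coreutils under /usr/bin, libraries under /usr/lib or /usr/lib64); the helper names run_sandboxed, sandbox_report and verify_sandbox_report are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Bubblewrap project or the article.
# Assumptions: Linux host, bwrap in PATH, merged-/usr layout so that
# /bin, /sbin, /lib and /lib64 can be recreated as symlinks into /usr.

# Launch CMD in the sandbox the article describes: a fresh mount namespace
# with an empty root, the host /usr bind-mounted read-only, private /dev and
# /proc, a writable tmpfs /tmp, and every namespace unshared (so the network
# stack holds only loopback and the command runs in its own pid namespace).
run_sandboxed() {
    bwrap \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --unshare-all \
        --die-with-parent \
        --new-session \
        -- "$@"
}

# Probe that runs *inside* the sandbox and prints three key=value lines:
# the NoNewPrivs flag of the process, the mount options of /usr, and the
# interfaces visible in the sandbox's own network namespace (/proc/net/dev
# is per-namespace, so a leaked host stack would show eth0 & co. here).
SANDBOX_PROBE='
echo "nnp=$(sed -n "s/^NoNewPrivs:[[:space:]]*//p" /proc/self/status)"
echo "usr_opts=$(grep " /usr " /proc/self/mounts | head -n 1 | cut -d" " -f4)"
echo "ifaces=$(tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " " | tr "\n" " ")"
'

sandbox_report() {
    run_sandboxed /bin/sh -c "$SANDBOX_PROBE"
}

# Read a probe report on stdin and decide whether the sandbox has the
# properties the article promises. Prints every failed check and returns 1
# if any failed, so it can be used from scripts and CI jobs.
verify_sandbox_report() {
    rc=0
    while IFS='=' read -r key value; do
        case "$key" in
            nnp)
                [ "$value" = "1" ] || { echo "FAIL: NoNewPrivs=$value"; rc=1; } ;;
            usr_opts)
                case ",$value," in
                    *,ro,*) ;;
                    *) echo "FAIL: /usr not read-only (opts: $value)"; rc=1 ;;
                esac ;;
            ifaces)
                [ "$(printf '%s' "$value" | tr -d ' ')" = "lo" ] \
                    || { echo "FAIL: network not isolated (ifaces: $value)"; rc=1; } ;;
        esac
    done
    return $rc
}

# Live check when bwrap can actually create the sandbox here; otherwise skip
# (no bwrap, or neither setuid bwrap nor user namespaces are available).
if command -v bwrap >/dev/null 2>&1 && run_sandboxed /bin/true 2>/dev/null; then
    if sandbox_report | verify_sandbox_report; then
        echo "sandbox OK: NoNewPrivs set, /usr read-only, only loopback visible"
    else
        echo "sandbox check FAILED" >&2
    fi
else
    echo "bwrap sandbox not available on this host, live check skipped" >&2
fi
```

A report in which /usr shows up with "rw" or in which eth0 appears next to lo means the corresponding bwrap option was dropped (for instance --bind instead of --ro-bind, or --unshare-all omitted), which is exactly the regression the check is meant to catch.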
The key difference from the similar project Firejail, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer includes only the minimum necessary functionality, while all the advanced features needed to run graphical applications, interact with the desktop and talk to Pulseaudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functionality in a single executable, which makes it harder to audit and to maintain security at the proper level.
The new release is notable for implementing support for joining existing user and pid namespaces. To control the joining of namespaces, the flags "--userns", "--userns2" and "--pidns" have been added.
This functionality does not work in setuid mode and requires a separate mode of operation that can run without acquiring root rights but needs user namespaces to be enabled on the system (they are disabled by default on Debian and RHEL/CentOS), and it does not rule out the exploitation of potential vulnerabilities in the "user namespaces" restrictions. Other new features in Bubblewrap 0.4 include the ability to build against the musl C library instead of glibc, and support for saving namespace information, together with statistics, to a file in JSON format.
Source: opennet.ru
