Bubblewrap 0.6, a toolkit for setting up isolated environments, has been released. It is usually used to confine individual applications of unprivileged users; in particular, the Flatpak project uses Bubblewrap as the layer that isolates applications launched from packages. The project's code is written in C and distributed under the LGPLv2+ license.
For isolation, Bubblewrap relies on the traditional Linux container technologies: cgroups, namespaces, seccomp and SELinux. To carry out the privileged operations needed to set up the container, Bubblewrap starts with root rights (the executable carries the suid bit) and drops its privileges once the container has been initialized.
Enabling user namespaces, which would allow a container to use its own separate set of user identifiers, is not required for operation, since in many distributions they are not available by default (Bubblewrap positions itself as a restricted suid implementation of a subset of user-namespace functionality: to hide all user and process identifiers of the host environment except the current one, it uses the CLONE_NEWUSER and CLONE_NEWPID modes). For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prevents them from acquiring new privileges, for example through a setuid bit.
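As an added example (written for this article, not Bubblewrap's own code), the following C program shows the PR_SET_NO_NEW_PRIVS mechanism mentioned above: it sets the flag, reads it back through prctl and /proc/self/status, and confirms that a forked child inherits it, which is what makes the flag effective for the sandboxed program that bwrap finally exec()s. It assumes a Linux kernel with prctl(2) and procfs.

```c
/* Added example, not Bubblewrap's own code. Linux only: requires prctl(2)
 * and /proc. PR_SET_NO_NEW_PRIVS is one-way and is inherited across fork()
 * and execve(), so setuid/setgid bits and file capabilities on later
 * execve() calls no longer grant privileges. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Turn the flag on and return what the kernel reports afterwards
 * (1 = set, -1 = prctl failed). */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Independent check, as a supervisor or auditor would do it: parse the
 * "NoNewPrivs:" line of /proc/self/status. Returns 0/1, or -1 if absent. */
int no_new_privs_from_proc(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int value = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

/* Fork a child and report the flag as seen from inside it (1 = inherited). */
int no_new_privs_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Once the flag is set in a shell (for example via bwrap), `grep NoNewPrivs /proc/self/status` reports 1 for every descendant process.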
Filesystem isolation is achieved by creating a new mount namespace by default, in which an empty root is created on tmpfs. When needed, parts of the host filesystem are attached to this root in "mount --bind" mode (for example, when started as "bwrap --ro-bind /usr /usr", the /usr tree is passed through from the host system read-only). Networking is limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.
The key difference from the similar project Firejail, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer contains only the minimum necessary functionality, while all the high-level features needed to run graphical applications, interact with the desktop and filter requests to PulseAudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, bundles all of these related functions into a single executable, which makes it harder to audit and to maintain security at the proper level.
In the new release:
- Added support for the Meson build system. Building with Autotools is retained for now but will be removed in one of the upcoming releases.
- Implemented the "--add-seccomp" option for adding more than one seccomp program. Added a warning that when "--seccomp" is specified more than once, only the last one is applied.
- The master branch in the git repository has been renamed to main.
- Added partial support for the REUSE specification, which unifies the way license and copyright information is declared. SPDX-License-Identifier headers have been added to many source files. Following the REUSE recommendations simplifies automatic determination of which license applies to which parts of the application's code.
- Added a check of the command-line argument counter (argc) with an emergency exit if the counter is zero. The change blocks security problems caused by incorrect handling of the passed command-line arguments, such as CVE-2021-4034 in Polkit.
Source: opennet.ru