For isolation, the traditional Linux container virtualization mechanisms are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up the container, Bubblewrap is launched with root privileges (the executable carries the suid flag) and drops those privileges once the container has been initialized.
Enabling user namespaces in the kernel, which allows a separate set of identifiers to be used inside containers, is not required for operation, since they are disabled by default in many distributions (Bubblewrap is positioned as a restricted suid implementation of a subset of user-namespace capabilities: it hides all user and process identifiers of the host environment except the current one, using the CLONE_NEWUSER and CLONE_NEWPID modes). For additional protection, programs run under Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which forbids acquiring new privileges, for example through a setuid flag on an executable.
Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root is created on tmpfs. Where needed, parts of the external file system are attached to this root in "mount --bind" mode (for example, when launched with the "bwrap --ro-bind /usr /usr" option, the /usr tree is passed through from the host system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.
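The three properties described above (no-new-privs set, /usr bound read-only, network reduced to loopback) can be verified from inside the sandbox by reading /proc. The script below is an added example, not part of the original article or the Bubblewrap project; the bwrap command line it builds (including --ro-bind-try for the library directories and --setenv for the INSIDE_BWRAP marker) is an assumed invocation, and the /proc samples are constructed.

```python
# Added check script: run inside a bwrap sandbox to confirm the isolation properties
# described above (NoNewPrivs, read-only /usr, loopback-only network) from /proc.
import os
import subprocess
import sys
from pathlib import Path

# Constructed sample /proc contents (not captured from a real system).
SAMPLE_STATUS = "Name:\tpython3\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t1\n"
SAMPLE_MOUNTS = ("tmpfs / tmpfs rw,nosuid,nodev,relatime 0 0\n"
                 "/dev/sda2 /usr ext4 ro,relatime 0 0\n"
                 "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n")
SAMPLE_NET_DEV = "Inter-|   Receive\n face |bytes\n    lo:       0\n"

def no_new_privs(status_text):
    """True if /proc/self/status reports NoNewPrivs: 1 (PR_SET_NO_NEW_PRIVS)."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split()[1] == "1"
    return False  # field absent: do not assume the flag is set

def mount_is_readonly(mounts_text, target):
    """True if `target` is listed in /proc/self/mounts with the `ro` option."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == target:
            return "ro" in fields[3].split(",")
    return False  # not mounted at all

def interfaces(net_dev_text):
    """Interface names from /proc/net/dev, skipping its two header lines."""
    return [l.split(":")[0].strip() for l in net_dev_text.splitlines()[2:] if ":" in l]

def check_live():
    """Evaluate all three properties against this process's own /proc."""
    return {"no_new_privs": no_new_privs(Path("/proc/self/status").read_text()),
            "usr_readonly": mount_is_readonly(Path("/proc/self/mounts").read_text(), "/usr"),
            "loopback_only": interfaces(Path("/proc/net/dev").read_text()) == ["lo"]}

if __name__ == "__main__":
    if os.environ.get("INSIDE_BWRAP"):  # second stage: already inside the sandbox
        print(check_live())
        sys.exit(0)
    # Assumed invocation: tmpfs root (bwrap default), /usr read-only, own net and pid namespaces.
    cmd = ["bwrap", "--ro-bind", "/usr", "/usr", "--ro-bind-try", "/lib", "/lib",
           "--ro-bind-try", "/lib64", "/lib64", "--ro-bind-try", "/bin", "/bin",
           "--proc", "/proc", "--dev", "/dev", "--unshare-net", "--unshare-pid",
           "--ro-bind", os.path.abspath(__file__), "/check.py",
           "--setenv", "INSIDE_BWRAP", "1", sys.executable, "/check.py"]
    subprocess.run(cmd, check=True)  # raises FileNotFoundError if bwrap is not installed
```

Inside a correctly configured sandbox all three values are True; a False for usr_readonly or loopback_only points at a missing --ro-bind or --unshare-net, while a False for no_new_privs means the process did not go through bwrap at all.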
A key difference from the similar project
The new release is notable for adding support for joining existing user and pid namespaces. To control namespace joining, the "--userns", "--userns2" and "--pidns" flags have been added.
This feature does not work in setuid mode and requires a separate mode that can operate without obtaining root privileges, but which requires user namespaces to be enabled on the system (they are disabled by default on Debian and RHEL/CentOS) and does not exclude the possibility
Source: opennet.ru