Bubblewrap 0.4.0 released, a layer for creating isolated environments

A new release of the Bubblewrap 0.4.0 tool is available. It is designed to set up isolated environments on Linux and runs at the level of applications belonging to unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project code is written in C and distributed under the LGPLv2+ license.

For isolation, the traditional Linux container virtualization technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to configure the container, Bubblewrap is started with root rights (an executable file with the suid flag) and then drops its privileges once the container has been initialized.

Enabling user namespaces, which allow a container to use its own separate set of identifiers, is not required for operation, since they are disabled by default in many distributions (Bubblewrap is positioned as a limited suid implementation of a subset of user namespace capabilities: to exclude all user and process identifiers other than the current one from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs launched under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example when the setuid flag is present on an executable.
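The no_new_privs mode described above can be inspected with a small program. This is an added example, not Bubblewrap's own code; it assumes a Linux host with the prctl(2) interface, and the /proc/self/status check needs Linux 4.10 or later, where the NoNewPrivs line was introduced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Query the flag through prctl(2); returns 1 if set, 0 if clear, -1 on error. */
int get_no_new_privs(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Independent check via the "NoNewPrivs:" line of /proc/self/status (Linux >= 4.10);
   substitute another pid to audit a running sandboxed process. Returns 1, 0, or -1. */
int read_no_new_privs_from_proc(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

/* Enter no_new_privs mode, as bwrap does before exec'ing the sandboxed program:
   from now on execve() ignores setuid/setgid bits and file capabilities for this
   thread and everything it spawns. Returns 0 on success. */
int enter_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The flag is one-way: the kernel only accepts the value 1, so an attempt to clear
   it fails with EINVAL. Returns that errno, or 0 if the call unexpectedly succeeded. */
int try_clear_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0) return 0;
    return errno;
}

int main(void) {
    printf("before: prctl=%d /proc=%d\n", get_no_new_privs(), read_no_new_privs_from_proc());
    if (enter_no_new_privs() != 0) { perror("PR_SET_NO_NEW_PRIVS"); return 1; }
    printf("after:  prctl=%d /proc=%d clear_attempt_errno=%d\n", get_no_new_privs(),
           read_no_new_privs_from_proc(), try_clear_no_new_privs());
    return 0;
}
```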

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, parts of the external file system are attached to this root in "mount --bind" mode (for example, when started with the "bwrap --ro-bind /usr /usr" option, the /usr partition is forwarded from the host system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

A key difference from the similar project firejail, which also uses the setuid launch mode, is that in Bubblewrap the container creation layer includes only the minimum necessary capabilities, while all the advanced functions needed to run graphical applications, interact with the desktop and filter calls to Pulseaudio are moved out to Flatpak and executed after privileges have been dropped. Firejail, on the other hand, combines all related functions in a single executable file, which makes it harder to audit and to maintain security at the proper level.

The new release is notable for adding support for joining existing user and pid namespaces. To control namespace joining, the "--userns", "--userns2" and "--pidns" flags have been added.
This feature does not work in setuid mode and requires a separate mode that can operate without root privileges but needs user namespaces to be enabled on the system (disabled by default on Debian and RHEL/CentOS), and it does not exclude the possibility of exploiting any vulnerabilities that may remain in the "user namespaces" restriction framework. Bubblewrap 0.4 also adds the ability to build against the musl C library instead of glibc, and support for writing namespace information to a file descriptor in JSON format.

Source: opennet.ru
