Release of Bubblewrap 0.6, a layer for creating isolated environments

The release of the Bubblewrap 0.6 toolkit for organizing isolated environments is available; it is typically used to confine individual applications of unprivileged users. In practice, Bubblewrap is used by the Flatpak project as a layer for isolating applications launched from packages. The project code is written in C and distributed under the LGPLv2+ license.

For isolation, traditional Linux container virtualization technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to configure the container, Bubblewrap is started with root privileges (an executable with the suid flag) and then drops those privileges once the container has been initialized.

Activation of user namespaces, which allow a container to use its own separate set of identifiers, is not required for operation, since user namespaces are disabled by default in many distributions (Bubblewrap is positioned as a restricted suid implementation of a subset of user-namespace capabilities: to exclude all user and process identifiers other than the current ones from the environment, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example via a setuid flag.

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, sections of the external FS are attached to this partition in "mount --bind" mode (for example, when started with the "bwrap --ro-bind /usr /usr" option, the /usr partition is forwarded from the host system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

A key difference from the similar Firejail project, which also uses a setuid launch mode, is that in Bubblewrap the container-creation layer includes only the minimum necessary capabilities, while all the advanced functions needed to run graphical applications, interact with the desktop and filter requests to Pulseaudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, on the other hand, combines all related functions in a single executable, which makes it harder to audit and to maintain security at the proper level.

In the new release:

  • Added support for the Meson build system. Support for building with Autotools is retained for now, but will be removed in a future release.
  • Implemented the "--add-seccomp" option for adding more than one seccomp program. Added a warning that if the "--seccomp" option is specified more than once, only the last parameter is used.
  • The master branch in the git repository has been renamed to main.
  • Added partial support for the REUSE specification, which unifies the way license and copyright information is declared. Most code files now carry SPDX-License-Identifier headers. Following the REUSE guidelines makes it easier to determine automatically which license applies to which parts of the application code.
  • Added a check of the command-line argument counter (argc) with an immediate exit if the counter is zero. The change helps block security issues caused by incorrect handling of the passed command-line arguments, such as CVE-2021-4034 in Polkit.
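As an added illustration of the argc check in the last item (example code written here, not bubblewrap's own source), the following C argument parser refuses to proceed when argc is zero, before it ever touches argv[1]. The option subset and the `options` struct are hypothetical, chosen only for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not bubblewrap's code. When a program is executed with an
 * empty argv (argc == 0), argv[0] is NULL and argv[1] lies past the end of
 * the array, so a parser that starts at argv[1] unconditionally reads out of
 * bounds. The check below rejects that case before any argv index is used. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY_ARGV = 1,    /* argc == 0: refuse to run at all */
    PARSE_MISSING_ARG = 2,   /* option lacks its required operands */
    PARSE_UNKNOWN_OPTION = 3
};

struct options {
    int ro_bind_count;       /* number of "--ro-bind SRC DEST" triples seen */
    int unshare_net;         /* "--unshare-net" was given */
};

/* Parses a hypothetical subset of options. Returns PARSE_EMPTY_ARGV when
 * argc is zero, without dereferencing any element of argv. */
enum parse_status parse_args(int argc, char **argv, struct options *opts)
{
    memset(opts, 0, sizeof(*opts));
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return PARSE_EMPTY_ARGV;

    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--ro-bind") == 0) {
            if (i + 2 >= argc)          /* needs SRC and DEST after it */
                return PARSE_MISSING_ARG;
            opts->ro_bind_count++;
            i += 2;
        } else if (strcmp(argv[i], "--unshare-net") == 0) {
            opts->unshare_net = 1;
        } else {
            return PARSE_UNKNOWN_OPTION;
        }
    }
    return PARSE_OK;
}

int main(int argc, char **argv)
{
    struct options opts;
    /* Exit immediately on an empty argv, mirroring the release note above. */
    if (parse_args(argc, argv, &opts) != PARSE_OK)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```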

Source: opennet.ru
