Firejail 0.9.72 Application Isolation Release

The release of Firejail 0.9.72 has been published. The project develops a system for the isolated execution of graphical, console and server applications, which reduces the risk of compromising the host system when running untrusted or potentially dangerous programs. The program is written in C, is distributed under the GPLv2 license, and runs on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once started, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table and the mount points. Applications that depend on each other can be combined into one shared sandbox. If required, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation tools, firejail is extremely simple to configure and does not require preparing a system image: the container's contents are assembled on the fly from the current file system and discarded once the application exits. Flexible tools are provided for defining file system access rules: you can specify which files and directories may or may not be accessed, attach temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind-mount and overlayfs.

A large number of popular applications, including Firefox, Chromium, VLC and Transmission, ship with pre-prepared system call isolation profiles. To obtain the privileges needed to set up the sandbox environment, the firejail executable is installed with the SUID root flag (privileges are dropped after initialization). To run a program in isolation mode, it is enough to pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • Added a seccomp system call filter that blocks the creation of namespaces (the "--restrict-namespaces" option was added to enable it). Updated the system call tables and seccomp groups.
  • Improved force-nonewprivs (NO_NEW_PRIVS) handling, which prevents new processes from acquiring additional privileges.
  • Added the ability to use your own AppArmor profiles (the "--apparmor" option is provided for attaching them).
  • The nettrace network traffic monitoring system, which shows information about the IP and traffic intensity for each address, now supports ICMP and provides the "--dnstrace", "--icmptrace" and "--snitrace" options.
  • Removed the --cgroup and --shell commands (the default is --shell=none). The firetunnel build is disabled by default. Disabled the chroot, private-lib and tracelog settings in /etc/firejail/firejail.config. Removed grsecurity support.
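The first two points above (a seccomp filter against namespace creation, and NO_NEW_PRIVS as the precondition for it) are easiest to understand from a concrete filter. The program below is an added example and not Firejail's own code: it builds an illustrative seccomp-bpf program that denies unshare(2) and setns(2), denies clone(2) only when its flags request a new namespace, and answers clone3(2) with ENOSYS (its flags sit in a user-space struct that BPF cannot inspect, and ENOSYS makes libc fall back to clone). A tiny classic-BPF evaluator lets the filter's decisions be checked without loading it; `install_restrict_namespaces()` loads it for real, after PR_SET_NO_NEW_PRIVS. The names `restrict_ns_filter`, `decide` and `install_restrict_namespaces` are this example's own, and the filter is assumed to run on a little-endian x86_64 or aarch64 host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Fallbacks for older kernel headers; the values are the upstream ones. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif
#ifndef __NR_clone3
#define __NR_clone3 435
#endif
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this CPU"
#endif

/* clone(2) flags that request a new namespace of any kind. */
#define NEW_NS_FLAGS (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | \
                      CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWCGROUP)

/* Illustrative filter (this example's own, not Firejail's). A jump's jt/jf are
 * counted from the instruction after the jump. */
static struct sock_filter restrict_ns_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),  /* foreign arch: kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setns, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),   /* libc falls back to clone */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),   /* not clone: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])), /* low 32 bits of flags (LE) */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, NEW_NS_FLAGS, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(restrict_ns_filter) / sizeof(restrict_ns_filter[0]))

/* Minimal classic-BPF evaluator for the opcodes used above (LD|W|ABS, JEQ,
 * JSET, RET), so the filter can be exercised without loading it. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    const unsigned char *mem = (const unsigned char *)sd;
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:
            if (in->k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, mem + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP: {
            int taken;
            if (BPF_OP(in->code) == BPF_JEQ)       taken = (acc == in->k);
            else if (BPF_OP(in->code) == BPF_JSET) taken = (acc & in->k) != 0;
            else return SECCOMP_RET_KILL_PROCESS;  /* opcode not modelled here */
            pc += 1 + (taken ? in->jt : in->jf);
            break;
        }
        case BPF_RET:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* the kernel rejects programs that fall off the end */
}

/* 0 = allowed, >0 = errno the filter returns, -1 = the process would be killed. */
static int decide_with_arch(uint32_t arch, int nr, uint64_t arg0)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    sd.args[0] = arg0;
    uint32_t r = run_filter(restrict_ns_filter, FILTER_LEN, &sd);
    if (r == SECCOMP_RET_ALLOW) return 0;
    if ((r & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ERRNO) return (int)(r & SECCOMP_RET_DATA);
    return -1;
}
static int decide(int nr, uint64_t arg0) { return decide_with_arch(NATIVE_ARCH, nr, arg0); }

/* Load the filter for real. PR_SET_NO_NEW_PRIVS must come first: without it an
 * unprivileged process may not install a seccomp filter, and it is also what
 * keeps setuid/fscaps binaries from gaining privileges inside the sandbox. */
static int install_restrict_namespaces(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = restrict_ns_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_restrict_namespaces() != 0) { perror("seccomp"); return 1; }
    errno = 0;
    int rc = unshare(CLONE_NEWUSER);  /* now answered by the filter, not by the kernel's own checks */
    printf("unshare(CLONE_NEWUSER) -> %d (%s)\n", rc, strerror(errno));
    return 0;
}
```

Returning an errno rather than killing the process is the choice that keeps applications usable inside the sandbox: a program that probes for user namespaces simply sees EPERM, as it would on a kernel where they are disabled. Any syscall list of this kind is only as complete as its coverage of every path to the same effect, which is why the filter has to handle clone's flags and clone3 and not just unshare.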

Source: opennet.ru