Firejail 0.9.60 Application Isolation Release

Firejail 0.9.60 has been released. The project develops a system for running graphical, console and server applications in isolation. Using Firejail reduces the risk of compromising the main system when running untrusted or potentially vulnerable programs. The program is written in C, is distributed under the GPLv2 license, and can run on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor, and system call filtering (seccomp-bpf). Once started, the program and all of its child processes use separate views of kernel resources, such as the network stack, the process table, and mount points. Applications that depend on each other can be combined into one shared sandbox. If needed, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation tools, firejail is very simple to configure and does not require preparing a system image: the container's contents are assembled on the fly from the current file system and are removed after the application exits. Flexible means of setting file system access rules are provided: you can define which files and directories are allowed or denied access, attach temporary file systems (tmpfs) for data, restrict files or directories to read-only access, and combine directories via bind-mount and overlayfs.

Ready-made system call isolation profiles are provided for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To run a program in isolation mode, simply pass the application name as an argument to the firejail utility, for example, "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • A vulnerability that allowed a malicious process to bypass the system call restriction mechanism has been fixed. The essence of the vulnerability is that seccomp filters are copied to the /run/firejail/mnt directory, which is writable inside the isolated environment. Malicious processes running in isolation mode can modify these files, which causes new processes started in the same environment to run without the system call filter applied;
  • The memory-deny-write-execute filter now ensures that the "memfd_create" call is blocked;
  • Added a new "private-cwd" option to change the working directory of the jail;
  • Added the "--nodbus" option to block D-Bus sockets;
  • Restored support for CentOS 6;
  • Discontinued support for packages in the flatpak and snap formats.
    It is stated that these packages should use their own tooling;

  • New profiles have been added to isolate 87 programs, including mypaint, nano, xfce87-mixer, gnome-keyring, redshift, font-manager, gconf-editor, gsettings, freeciv, lincity-ng, openttd, torcs, tremulous, warsow, freemind, kid4, freecol, opencity, utox, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, inkview, meteo-qt, ktouch, yelp and cantata.
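
The first item in the list above describes two observable conditions: filter files that a sandboxed user can overwrite, and processes that end up running with no system call filter. The following audit helper checks for both; it is an added example, not code from Firejail or from the original article. The function names and the `PROC_ROOT` override are assumptions made for illustration, and the kernel's `Seccomp:` field in `/proc/<pid>/status` is used as the source of truth (0 = no filter, 1 = strict, 2 = BPF filter).

```shell
#!/bin/sh
# Added example (not Firejail code): audit helpers for the seccomp bypass
# described in the release notes. PROC_ROOT is a hypothetical override so the
# checks can also be run against a constructed directory tree.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print the seccomp mode of one PID as reported by the kernel:
# 0 = no filter, 1 = strict, 2 = BPF filter; "unknown" if it cannot be read.
seccomp_mode() {
    f="$PROC_ROOT/$1/status"
    [ -r "$f" ] || { echo unknown; return 0; }
    # Exact match on the first field so "Seccomp_filters:" is not picked up.
    awk '$1 == "Seccomp:" { print $2; ok = 1 }
         END { if (!ok) print "unknown" }' "$f"
}

# Print every PID from the argument list that is NOT running under a BPF
# filter. Any output for a process inside a seccomp-enabled sandbox is a finding.
unfiltered_pids() {
    for pid in "$@"; do
        [ "$(seccomp_mode "$pid")" = 2 ] || printf '%s\n' "$pid"
    done
    return 0
}

# Print regular files directly under a directory that the current user can
# overwrite. Run as the sandboxed user against the directory holding the
# copied filters (the article names /run/firejail/mnt).
writable_files() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -w "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Stand-alone use: pass the PIDs of the sandboxed processes as arguments.
if [ "$#" -gt 0 ]; then
    unfiltered_pids "$@"
fi
```

On a fixed installation both checks should print nothing when run as the unprivileged user inside a sandbox that has seccomp enabled.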

Source: opennet.ru
