Release of the Firejail 0.9.60 application isolation system

The release of Firejail 0.9.60 has been announced. The project develops a system for the isolated execution of graphical, console and server applications. Using Firejail reduces the risk of compromising the host system when running untrusted or potentially vulnerable programs. The program is written in C, is distributed under the GPLv2 licence and can run on top of any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are provided in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once launched, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table and mount points. Applications that depend on each other can be combined in a single shared sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation tools, firejail is extremely simple to configure and does not require preparing a system image: the contents of the container are assembled on the fly from the current file system and discarded when the application exits. Flexible means of defining file system access rules are provided: you can specify which files and directories may or may not be accessed, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind mounts and overlayfs.

Ready-made system call isolation profiles are provided for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To run a program in isolation mode, simply pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".
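The file system rules and the launch syntax described above, as an added example that is not code from the Firejail project or from the article: a small POSIX shell script that writes a custom profile for a hypothetical untrusted document viewer (command name "viewer") and launches it under firejail. Every directive in the profile is a standard firejail profile command; the paths, the application name, the FIREJAIL_EXAMPLE_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the Firejail project or the article.
# Writes a restrictive profile for a hypothetical "viewer" command and runs it
# under firejail. Paths, app name and function names are this example's own.

# Print the profile text. firejail applies directives top to bottom; the
# heredoc is quoted so that ${HOME} is expanded by firejail, not by the shell.
make_profile() {
    cat <<'EOF'
# viewer.profile (constructed example)
# Hide shells, SSH/GPG keys, package managers and similar sensitive paths.
include /etc/firejail/disable-common.inc

# File system view: only whitelisted entries of $HOME stay visible,
# and the one we keep is mounted read-only. /tmp and /dev are private.
whitelist ${HOME}/Downloads
read-only ${HOME}/Downloads
private-tmp
private-dev
private-cwd

# Kernel attack surface: no capabilities, no root, no privilege gain,
# seccomp filter, no writable+executable memory, no network, no D-Bus.
caps.drop all
noroot
nonewprivs
seccomp
memory-deny-write-execute
net none
nodbus
shell none
EOF
}

# Write the profile into directory $1 and print the resulting path.
install_profile() {
    mkdir -p "$1"
    make_profile > "$1/viewer.profile"
    printf '%s\n' "$1/viewer.profile"
}

# Count profile lines that are exactly the directive given in $1
# (fixed-string, whole-line match), e.g. profile_has 'caps.drop all' -> 1.
profile_has() {
    make_profile | grep -c -x -F -- "$1"
}

# Build the launch command line for display; $1 = profile path, rest = argv.
sandbox_cmd() {
    profile=$1; shift
    printf 'firejail --quiet --profile=%s -- %s\n' "$profile" "$*"
}

# Run the viewer under the profile; $1 = profile path, rest = program and args.
run_sandboxed() {
    profile=$1; shift
    firejail --quiet --profile="$profile" -- "$@"
}

# Stand-alone use (opt-in so that sourcing the file has no side effects):
#   FIREJAIL_EXAMPLE_RUN=1 sh ./viewer-sandbox.sh
if [ "${FIREJAIL_EXAMPLE_RUN:-0}" = "1" ]; then
    p=$(install_profile "${HOME}/sandbox-profiles")
    if command -v firejail >/dev/null 2>&1; then
        run_sandboxed "$p" viewer "${HOME}/Downloads/report.pdf"
    else
        echo "firejail not installed; would run: $(sandbox_cmd "$p" viewer "${HOME}/Downloads/report.pdf")"
    fi
fi
```

The whitelist line is what makes the "assembled on the fly" model visible: everything else under $HOME simply does not exist inside the jail, and the read-only directive turns the one remaining directory into a read-only view. The same rules can be given on the command line (for example --whitelist, --read-only, --private-tmp, --seccomp) when a profile file is not wanted.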

In the new release:

  • A vulnerability that allowed a malicious process to bypass the system call restriction mechanism has been fixed. The essence of the vulnerability is that the seccomp filters are copied into the /run/firejail/mnt directory, which was writable from inside the isolated environment. Malicious processes running in isolation mode could modify these files, with the result that new processes started in the same environment would run without the system call filter being applied;
  • the memory-deny-write-execute filter now blocks the "memfd_create" call;
  • a new "private-cwd" option has been added to change the working directory of the jail;
  • the "--nodbus" option has been added to block D-Bus sockets;
  • support for CentOS 6 has been restored;
  • support for packages in flatpak and snap formats has been discontinued; it is noted that such packages should use their own tooling;
  • new profiles have been added to isolate 87 additional programs, including mypaint, nano, xfce4-mixer, gnome-keyring, redshift, font-manager, gconf-editor, gsettings, freeciv, lincity-ng, openttd, torcs, tremulous, warsow, freemind, kid3, freecol, opencity, utox, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, inkview, meteo-qt, ktuch, yelp and cantata.
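A defender-side check for the seccomp bypass described in the first item of the list, as an added example that is not code from the Firejail project or the article: a POSIX shell script meant to be run as the sandboxed command after upgrading, which confirms that the kernel still reports a seccomp filter on the process and that the directory holding the filters is not writable from inside the jail. The /run/firejail/mnt path is the one named in the release notes; the script name, the function names and the constructed /proc status text in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the Firejail project or the article.
# Verifies, from inside a jail, the two properties the 0.9.60 fix restores:
#   (a) the calling process has a seccomp filter installed, and
#   (b) /run/firejail/mnt (where the filters are copied) is not writable.
# Intended use:  firejail --seccomp sh ./seccomp-check.sh
# Function names and the script name are this example's own.

# Extract the numeric Seccomp mode from the text of a /proc/<pid>/status file:
# 0 = disabled, 1 = strict, 2 = filter (the mode firejail --seccomp installs).
# Prints "unknown" if the line is absent (e.g. a kernel without seccomp).
seccomp_mode_of() {
    # $1: contents of a status file, e.g. "Name:\tsh\nSeccomp:\t2\n" (constructed)
    printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; found = 1 }
                               END { if (!found) print "unknown" }'
}

# Convenience wrapper for the calling process itself.
current_seccomp_mode() {
    seccomp_mode_of "$(cat /proc/self/status)"
}

# Return 0 when the directory exists and is NOT writable by the caller,
# which is the condition the fix is meant to guarantee inside the jail.
filter_dir_protected() {
    dir=${1:-/run/firejail/mnt}
    [ -d "$dir" ] && [ ! -w "$dir" ]
}

# Combined verdict; returns non-zero on any failed check.
run_checks() {
    mode=$(current_seccomp_mode)
    if [ "$mode" != "2" ]; then
        echo "FAIL: no seccomp filter on this process (Seccomp: $mode)"
        return 1
    fi
    if ! filter_dir_protected /run/firejail/mnt; then
        echo "FAIL: /run/firejail/mnt is missing or writable from inside the sandbox"
        return 1
    fi
    echo "OK: seccomp filter active and filter directory not writable"
}

# Run the live checks only when invoked as the script itself, not when sourced.
case "$0" in
    *seccomp-check.sh) run_checks ;;
esac
```

Because a child inherits the filter from its parent, a single process reporting Seccomp: 2 is not by itself proof that freshly started processes are covered; the writability check on the filter directory is the part that speaks to the fixed issue. On kernels 5.9 and newer the Seccomp_filters: line in the same file gives the number of installed filters and can be parsed the same way.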

Source: opennet.ru
