Firejail 0.9.72 Application Isolation Release

The release of Firejail 0.9.72 has been announced. The project develops a system for the isolated execution of graphical, console and server applications, which reduces the risk of compromising the main system when running untrusted or potentially vulnerable programs. The program is written in C, is distributed under the GPLv2 license, and can run on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once started, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table and mount points. Applications that depend on each other can be combined into one common sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation tools, firejail is very simple to configure and does not require a system image to be prepared: the container's contents are assembled on the fly from the current file system and are deleted after the application exits. Flexible tools are provided for setting file system access rules: you can specify which files and directories are allowed or denied access, attach temporary file systems (tmpfs) for data, restrict files or directories to read-only access, and combine directories via bind-mount and overlayfs.

Ready-made isolation profiles exist for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To obtain the privileges needed to set up the sandbox environment, the firejail executable is installed with the SUID root flag (the privileges are dropped after initialization). To run a program in isolation mode, it is enough to pass the application name as an argument to the firejail utility, for example, "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • Added a seccomp system call filter that blocks the creation of namespaces (the "--restrict-namespaces" option was added to enable it). Updated the system call tables and seccomp groups.
  • Improved the force-nonewprivs mode (NO_NEW_PRIVS), which prevents new processes from gaining additional privileges.
  • Added the ability to use your own AppArmor profiles (the "--apparmor" option is provided for attaching them).
  • The nettrace network tracking system, which shows information about the IP and the traffic from each address, now supports ICMP and offers the "--dnstrace", "--icmptrace" and "--snitrace" options.
  • Removed the --cgroup and --shell commands (the default is --shell=none). The Firetunnel build is disabled by default. Disabled the chroot, private-lib and tracelog settings in /etc/firejail/firejail.config. Removed support for grsecurity.
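
To check that the seccomp filter, NO_NEW_PRIVS and namespace separation described above are actually in force for a given process, the following added example (not from the original article or the Firejail project) reads the kernel's `Seccomp` and `NoNewPrivs` fields from `/proc/<pid>/status` and compares namespace links under `/proc/<pid>/ns`. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify confinement of a process from procfs.
# /proc/<pid>/status fields: Seccomp 0=disabled, 1=strict, 2=filter;
# NoNewPrivs 1 means PR_SET_NO_NEW_PRIVS is set for the process.

# confinement_from_status [FILE] -> "seccomp=<mode> nonewprivs=<yes|no|unknown>"
# Reads FILE (e.g. /proc/1234/status) or stdin when no file is given.
confinement_from_status() {
    awk '
        BEGIN { s = "?"; n = "?" }
        $1 == "Seccomp:"    { s = $2 }
        $1 == "NoNewPrivs:" { n = $2 }
        END {
            mode = "unknown"
            if (s == "0") mode = "disabled"
            else if (s == "1") mode = "strict"
            else if (s == "2") mode = "filter"
            nnp = "unknown"
            if (n == "1") nnp = "yes"
            else if (n == "0") nnp = "no"
            printf "seccomp=%s nonewprivs=%s\n", mode, nnp
        }' "$@"
}

# is_confined [FILE] -> exit 0 only with a seccomp filter AND no_new_privs set.
is_confined() {
    [ "$(confinement_from_status "$@")" = "seccomp=filter nonewprivs=yes" ]
}

# unshared_namespaces PID -> namespace types whose inode differs from the caller's.
unshared_namespaces() {
    for ns in mnt pid net ipc uts user; do
        theirs=$(readlink "/proc/$1/ns/$ns" 2>/dev/null) || continue
        ours=$(readlink "/proc/self/ns/$ns" 2>/dev/null) || continue
        [ "$theirs" = "$ours" ] || printf '%s ' "$ns"
    done
    echo
}

# Constructed sample of the relevant status lines for a confined process.
sample_status() {
    printf 'Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n'
}

sample_status | confinement_from_status
```

On a live system, pass the status file of a process running inside the sandbox, for example `confinement_from_status /proc/<pid>/status`, and run `unshared_namespaces <pid>` from outside the sandbox.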

Source: opennet.ru
