tokollo ea morero , moo ho ntseng ho ntlafatsoa sistimi bakeng sa ts'ebetso e ikhethileng ea lits'ebetso tsa graphical, console le seva. Ho sebelisa Firejail ho u lumella ho fokotsa kotsi ea ho senya tsamaiso ea mantlha ha u sebelisa mananeo a sa tšepahaleng kapa a ka bang kotsi. Lenaneo le ngotsoe ka puo ea C, e nang le laesense tlasa GPLv2 mme e ka tsamaisa phepelo efe kapa efe ea Linux ka kernel ea khale ho feta 3.0. Liphutheloana tse lokiselitsoeng ka Firejail ka liforomo tsa deb (Debian, Ubuntu) le rpm (CentOS, Fedora).
Bakeng sa ho itšehla thajana ho Firejail libaka tsa mabitso, AppArmor, le ho sefa mehala ea sistimi (seccomp-bpf) ho Linux. Ha e se e qalile, lenaneo le lits'ebetso tsohle tsa lona tsa bana li sebelisa maikutlo a fapaneng a lisebelisoa tsa kernel, joalo ka stack ea marang-rang, tafole ea ts'ebetso le lintlha tsa ho phahamisa. Lisebelisoa tse itšetlehileng ka tse ling li ka kopanngoa hore e be sandbox e le 'ngoe e tloaelehileng. Haeba o lakatsa, Firejail e ka boela ea sebelisoa ho tsamaisa lijana tsa Docker, LXC le OpenVZ.
Ho fapana le lisebelisoa tsa ho kenya lisebelisoa, mollo oa mollo o matla haholo ka tlhophiso mme ha e hloke ho lokisoa ha setšoantšo sa sistimi - sebopeho sa setshelo se thehoa ka fofa ho latela litaba tsa sistimi ea hajoale ea faele mme se hlakolwa kamora hore kopo e phetheloe. Ho fanoa ka mekhoa e feto-fetohang ea ho beha melao ea phihlello ho sistimi ea faele; o ka tseba hore na ke lifaele life le li-directory tse lumelletsoeng kapa tse hanetsoeng ho fihlella, hokela lits'ebetso tsa nakoana tsa faele (tmpfs) bakeng sa data, ho fokotsa phihlello ea lifaele kapa li-directory ho bala feela, ho kopanya li-directory ka ho sebelisa litsamaiso tsa nakoana tsa faele. tlama-thaba le overlayfs.
Bakeng sa palo e kholo ea lits'ebetso tse tsebahalang, ho kenyeletsoa Firefox, Chromium, VLC le Transmission, e seng e lokisitsoe. ho itšehla thajana hoa tsamaiso. Ho tsamaisa lenaneo ka mokhoa oa ho itšehla thajana, hlalosa feela lebitso la kopo e le khang ho setsi sa mollo oa mollo, mohlala, "firejail firefox" kapa "sudo firejail /etc/init.d/nginx start".
Tokollong e ncha:
- Kotsi e lumellang ts'ebetso e mpe ho feta mokhoa oa thibelo ea mohala oa sistimi e lokisitsoe. Moko oa ho ba kotsing ke hore li-filters tsa Seccomp li kopitsoa bukeng ea /run/firejail/mnt, e ngoloang ka har'a tikoloho e ka thoko. Ts'ebetso e mpe e sebetsang ka mokhoa oa ho itšehla thajana e ka fetola lifaele tsena, e leng se tla etsa hore lits'ebetso tse ncha tse sebetsang tikolohong e le 'ngoe li phethoe ntle le ho sebelisa mochini oa mohala oa sistimi;
- Sefahla sa memory-deny-write-execute se netefatsa hore mohala oa "memfd_create" o koetsoe;
- E kenyellelitse khetho e ncha "private-cwd" ho fetola bukana ea ho sebetsa bakeng sa chankana;
- E kenyellelitsoe "--nodbus" khetho ea ho thibela li-sockets tsa D-Bus;
- Tšehetso e khutliselitsoeng bakeng sa CentOS 6;
- tšehetso bakeng sa liphutheloana ka lifomate и .
hore liphutheloana tsena li lokela ho sebelisa lisebelisoa tsa tsona; - Lintlha tse ncha li kenyellelitsoe ho arola mananeo a eketsehileng a 87, ho kenyelletsa mypaint, nano, xfce4-mixer, gnome-keyring, redshift, font-manager, gconf-editor, gsettings, freeciv, lincity-ng, openttd, torcs, tremulous, warsow, freemind, kid3, freecol, opencity, utox, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, inkview, meteo-qt, ktouch, yelp le cantata.
Source: opennet.ru