Ukukhutshwa kwezixhobo zokuququzelela umsebenzi weendawo ezizimeleyo I-Bubblewrap 0.6 iyafumaneka, idla ngokusetyenziselwa ukukhawulela izicelo zabasebenzisi abangenamalungelo. Ngokwesiqhelo, iBubblewrap isetyenziswa yiprojekthi yeFlatpak njengomaleko wokuhlukanisa usetyenziso oluqaliswe kwiiphakheji. Ikhowudi yeprojekthi ibhalwe kwi-C kwaye ihanjiswa phantsi kwelayisensi ye-LGPLv2 +.
Ukwahlukaniswa, itekhnoloji yesiqhelo ye-Linux yesikhongozeli iyasetyenziswa, esekwe kusetyenziso lwamaqela, izithuba zamagama, i-Seccomp kunye ne-SELinux. Ukwenza imisebenzi enelungelo lokumisela isikhongozeli, iBubblewrap iqalwa ngamalungelo engcambu (ifayile ephunyeziweyo eneflegi ye-suid) kwaye iphinde imisele amalungelo emva kokuba isikhongozeli siqalisiwe.
Ukwenziwa kusebenze kwezithuba zegama lomsebenzisi kwinkqubo yesithuba samagama, ekuvumela ukuba usebenzise ezakho iiseti ezahlukeneyo zezazisi kwizikhongozeli, ayifuneki ukuba isebenze, kuba ayisebenzi ngokungagqibekanga kunikezelo oluninzi (i-Bubblewrap ibekwe njengophumezo olulinganiselweyo lwe-suid iseti engaphantsi yezakhono zomsebenzisi zezithuba zamagama - ukungabandakanyi bonke abasebenzisi kunye nenkqubo yokuchonga ukusuka kokusingqongileyo, ngaphandle kwale yangoku, i-CLONE_NEWUSER kunye ne-CLONE_NEWPID iindlela ziyasetyenziswa). Ngokhuseleko olongezelelweyo, iinkqubo eziqhutywa phantsi kweBubblewrap zindululwa kwimo ye-PR_SET_NO_NEW_PRIVS, ethintela ukufunyanwa kwamalungelo amatsha, umzekelo, ukuba iflegi ye-setuid ikhona.
Ukwahlulwa kwinqanaba lenkqubo yefayile kufezekiswa ngokudala indawo entsha yegama lokunyuka ngokungagqibekanga, apho isahlulelo sengcambu esingenanto sidalwa kusetyenziswa i-tmpfs. Ukuba kuyimfuneko, izahlulo zeFS zangaphandle zincanyathiselwe kolu lwahlulelo kwimowudi "yokunyuka -bopha" (umzekelo, xa iqaliswa nge "bwrap -ro-bind /usr /usr" ukhetho, isahlulelo /usr sithunyelwa ukusuka kwinkqubo ephambili. kwimowudi yokufunda kuphela). Ubunakho bothungelwano buthintelwe ukufikelela kujongano lweloopback kunye nokwahlukaniswa kwesitaki sothungelwano nge-CLONE_NEWNET kunye ne-CLONE_NEWUTS iiflegi.
Umahluko ophambili kwiprojekthi efanayo ye-Firejail, ekwasebenzisa imodeli yokumiliselwa kwe-setuid, kukuba kwi-Bubblewrap umaleko wokwenza isikhongozeli ubandakanya kuphela ubuncinci obufunekayo, kunye nayo yonke imisebenzi ephambili eyimfuneko ekuqhubeni usetyenziso lomzobo, ukusebenzisana nedesktop kunye nezicelo zokucoca. ukuya ePulseaudio, idluliselwe kwicala leFlatpak kwaye iqhutywe emva kokuba amalungelo abuyiselwe. I-Firejail, ngakolunye uhlangothi, idibanisa yonke imisebenzi ehambelanayo kwifayile enye ephunyezwayo, eyenza kube nzima ukuphicotha nokugcina ukhuseleko kwinqanaba elifanelekileyo.
Kukhupho olutsha:
- Inkxaso eyongeziweyo yenkqubo yendibano yeMeson. Inkxaso yokwakha nge-Autotools igcinwe okwangoku, kodwa iya kususwa ekukhutshweni kwexesha elizayo.
- Iphunyeziwe "--yongeza-seccomp" ukhetho ukongeza ngaphezulu kwenkqubo enye ye-seccomp. Yongezwe isilumkiso ukuba ukhankanya "--seccomp" ukhetho kwakhona, kuphela iparameter yokugqibela iya kusetyenziswa.
- Isebe eliyintloko kwindawo yokugcina igit linikwe elinye igama labaphambili.
- Inxalenye yenkxaso eyongeziweyo yenkcazelo ye-REUSE, emanyanisa inkqubo yokuchaza iphepha-mvume kunye nolwazi lwelungelo lokushicilela. Iifayile ezininzi zekhowudi zinezihloko ze-SPDX-License-Identifier ezongeziweyo. Ukulandela izikhokelo ze-REUSE kwenza kube lula ukumisela ngokuzenzekelayo ukuba yeyiphi ilayisenisi esebenzayo ukuba zeziphi iindawo zekhowudi yesicelo.
- Kongezwe kujongwa ixabiso lengxoxo yengxabano yomgca womyalelo (argc) kwaye kuphunyezwe ukuphuma kaxakeka ukuba indawo yokubala inguziro. Utshintsho lunceda ukuvala imiba yokhuseleko ebangelwa ukuphathwa ngokungalunganga kweengxoxo zomgca womyalelo ogqithisiweyo, njenge-CVE-2021-4034 kwi-Polkit.
umthombo: opennet.ru