I-Firejail 0.9.78 ikhutshiwe. Iphuhlisa inkqubo yokwenza imizobo, i-console, kunye nezicelo zeseva ngokwahlukeneyo, inciphisa umngcipheko wokubeka emngciphekweni inkqubo yomsingathi xa iqhuba iinkqubo ezingathembekanga okanye ezinokuba sesichengeni. Le nkqubo ibhalwe ngo-C, isasazwa phantsi kwelayisenisi ye-GPLv2, kwaye isebenza kuyo nayiphi na isasazwa. Linux nge-kernel endala kune-3.0. Iipakeji ezenziwe ngokulungela kunye neFirejail zilungiswa kwiifomathi ze-deb (Debian, Ubuntu) kunye ne-rpm (CentOS, Fedora).
I-Firejail isebenzisa i-namespaces, i-AppArmor, kunye ne-system call filtering (seccomp-bpf) ukuze ihlukanise. LinuxNje ukuba iqaliswe, inkqubo kunye nazo zonke iinkqubo zayo zomntwana zisebenzisa iindlela ezahlukeneyo zokubonisa izixhobo zekernel, ezifana ne-network stack, i-process table, kunye neendawo zokufaka. Ii-aplikeshini ezixhomekeke kwezinye zinokudityaniswa zibe yi-sandbox enye ekwabelwana ngayo. I-Firejail ingasetyenziselwa ukuqhuba izikhongozeli zeDocker, LXC, kunye ne-OpenVZ.
Ngokungafaniyo nezixhobo zokwahlula iikhonteyina, iFirejail ilula kakhulu ukuyicwangcisa kwaye ayifuni ukulungiselela umfanekiso wenkqubo—umxholo wekhonteyina wenziwa ngokukhawuleza ngokusekelwe kumxholo wenkqubo yefayile yangoku kwaye uyacinywa emva kokuba usetyenziso luphelile. Imithetho yokufikelela kwinkqubo yefayile eguquguqukayo iyabonelelwa, ikuvumela ukuba uchaze ukuba zeziphi iifayile kunye neefolda ezivunyelweyo okanye ezingavunyelwanga ukufikelela kuzo, faka iinkqubo zefayile zexeshana (tmpfs) zedatha, uthintele ukufikelela kwiifayile okanye kwiifolda ukuze zifundwe kuphela, kwaye udibanise iifolda usebenzisa i-bind-mount kunye ne-overlayfs.
Kwinani elikhulu lezicelo ezidumileyo, ezibandakanya iFirefox, iChromium, iVLC kunye noThumelo, iiprofayili zokuzihlukanisa zenkqubo eyenziweyo sele zilungisiwe. Ukufumana amalungelo ayimfuneko ukuseta indawo ye-sandboxed, i-firejail executable ifakwe kunye neflegi yengcambu ye-SUID (amalungelo asetyenzisiweyo emva kokuqaliswa). Ukuqhuba inkqubo kwimo yokwahlula, cacisa ngokulula igama lesicelo njengengxabano kusetyenziso lwefirejail, umzekelo, “firejail firefox” okanye “sudo firejail /etc/init.d/nginx start”.
Kukhupho olutsha:
- Iinketho ze-arg-max-count, i-arg-max-len, i-env-max-count, kunye ne-env-max-len zongezwe kwifayile yoqwalaselo lwe-firejail.config ukutshintsha imida kwinani kunye nobukhulu beenketho zomgca womyalelo kunye neenguqu zendalo. Ngokungagqibekanga, inani leengxoxo lilinganiselwe kwi-128, inani leenguqu zendalo lilinganiselwe kwi-256, kwaye ubungakanani bengxoxo nganye yi-PATH_MAX ukusuka kwi-limits.h (kwi Linux 40196) + 32.
- Kongezwe ukhetho lwe-"--xephyr-extra-params" lokucacisa ezinye iindlela kwi-Xephyr (esetyenziselwa ukudala iindawo ze-sandbox ze-X11 kunye neseva yabo ye-X esebenza kwifestile) kumgca womyalelo ngaphandle kokutshintsha i-firejail.config.
- Isixhobo se-bwrap (bubblewrap) esifakwe kwindawo yesanti sithatyathelwe indawo yi-fbwrap middleware, eqalisa iinkqubo ngaphandle kwesanti ukusombulula iingxaki zokuqaliswa kweFirefox, iThunderbird, kunye ne-GIMP ngenxa yokuba i-glycin 2.0.0 ibizwa kwi-gdk-pixbuf2 kusetyenziswa i-bwrap. Ukhetho lwe-"--allow-bwrap" longezwe kwi-kopi ye-bwrap endaweni ye-middleware.
- Iitafile zefowuni zenkqubo ezihlaziyiweyo ze-seccomp. Iifowuni ezintsha zenkqubo, ezifana ne-epoll_pwait2 kunye ne-futex_wait, zongeziwe.
- Ukhetho lokwakha "--disable-globalcfg" lususiwe, kwaye inkxaso ye-overlayfs ("--overlay") kunye ne-IDS (Intrusion Detection System, "--ids") ayisekho.
- Kongezwe iiprofayili zokwahlulahlula ze-ne text editor (text editor), i-Trivalent browser, kunye ne-OpenRA, i-quakesspasm, i-gzdoom, i-lzdoom, kunye neenjini zemidlalo ze-uzdoom.
- Iiprofayili ezihlaziyiweyo ze-thunderbird, wine, qutebrowser, firefox, godot, wusc, mullvad-browser, blink, steam, ssh, brave kunye ne-hashcat.
umthombo: opennet.ru
