Vulnerability in firejail that allows gaining root access to the system

A vulnerability (CVE-2022-31214) has been identified in the Firejail application isolation utility that allows a local user to gain root privileges on the host system. A working exploit is publicly available and has been tested on current releases of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed. The issue is fixed in the firejail 0.9.70 release. As a workaround, you can set the "join no" and "force-nonewprivs yes" parameters in the configuration (/etc/firejail/firejail.config).

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) on Linux for isolation, but it needs elevated privileges to set up the isolated launch, which it obtains through the setuid root flag or by running via sudo. The vulnerability is caused by a logic error in the "--join=" option, which is intended for connecting to an isolated environment that is already running (similar to a login command for a sandbox environment), with the environment identified by the ID of a process running in it. In the phase before privileges are dropped, firejail determines the privileges of the specified process and applies them to the new process that is joined to the environment with the "--join" option.

Before connecting, it checks whether the specified process is running in a firejail environment. This check tests for the existence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can simulate a fictitious, non-isolated firejail environment using a mount namespace and then connect to it using the "--join" option. If the configuration does not enable the mode that prevents new processes from gaining additional privileges (prctl NO_NEW_PRIVS), firejail will connect the user to the dummy environment and try to apply the user namespace settings of the init process (PID 1).

As a result, the process connected via "firejail --join" ends up in the user's original user ID namespace with unchanged privileges, but in a different mount namespace that is fully controlled by the attacker. The attacker can also run setuid-root programs in the mount namespace he created, which makes it possible, for example, to change the /etc/sudoers settings or PAM parameters in his own file hierarchy and then execute commands with root privileges using the sudo or su utilities.
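The workaround and fixed release named above can be checked on a host with a small audit like the following. This is an added example, not code from the Firejail project or the original article; it assumes the config uses "key value" lines with "#" comments, that the last occurrence of a key wins, and that the defaults are "join yes" and "force-nonewprivs no".

```python
import re

FIXED_VERSION = (0, 9, 70)          # release the article names as fixed
# Assumed defaults when a key is absent or only present as a comment.
DEFAULTS = {"join": "yes", "force-nonewprivs": "no"}
# Values the article gives as the workaround.
WORKAROUND = {"join": "no", "force-nonewprivs": "yes"}


def parse_config(text):
    """Return effective settings from firejail.config-style 'key value' lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].strip().lower()  # last one wins
    return settings


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'firejail version 0.9.68'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(config_text, version_text):
    """List findings; empty means fixed release or workaround fully applied.

    An unrecognised version string is treated as unpatched.
    """
    version = parse_version(version_text)
    if version is not None and version >= FIXED_VERSION:
        return []
    settings = parse_config(config_text)
    return [f"{key} is '{settings[key]}', workaround needs '{want}'"
            for key, want in WORKAROUND.items() if settings[key] != want]


# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG = """\
# join yes
join no
# force-nonewprivs no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "firejail version 0.9.68"):
        print("FINDING:", finding)
```

On a real system, pass the contents of /etc/firejail/firejail.config and the installed version string to `audit()`.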

Source: opennet.ru
