ukukhutshwa okutsha kwezixhobo zokusebenza , eyilelwe ukulungelelanisa umsebenzi weendawo ezizimeleyo Linux kwaye isebenza kwinqanaba lesicelo kubasebenzisi abangenamalungelo. Ngokwenyani, iBubblewrap isetyenziswa yiprojekthi yeFlatpak njengomaleko wokwahlula izicelo eziqaliswe kwiipakeji. Ikhowudi yeprojekthi ibhalwe ngo-C kwaye ilayisenisi phantsi kwe-LGPLv2+.
Izixhobo zemveli zisetyenziselwa ukufudumala Linux ubuchwepheshe bokubona izinto kwisikhongozeli ngokusekelwe ekusebenziseni ii-cgroups, izithuba zamagama, iSeccomp kunye neSELinuxUkuze kwenziwe imisebenzi yokumisela isitya esikhethekileyo, iBubblewrap isebenza ngamalungelo eengcambu (ifayile esebenzisekayo ineflegi yesuid evuliweyo) ize ilahle amalungelo emva kokuba ukuqaliswa kwesitya kugqityiwe.
Ukwenziwa kusebenze kwezithuba zegama lomsebenzisi kwinkqubo yesithuba samagama, ekuvumela ukuba usebenzise ezakho iiseti ezahlukeneyo zezazisi kwizikhongozeli, ayifuneki ukuba isebenze, kuba ayisebenzi ngokungagqibekanga kunikezelo oluninzi (i-Bubblewrap ibekwe njengophumezo olulinganiselweyo lwe-suid iseti engaphantsi yezakhono zomsebenzisi zezithuba zamagama - ukungabandakanyi bonke abasebenzisi kunye nenkqubo yokuchonga ukusuka kokusingqongileyo, ngaphandle kwale yangoku, i-CLONE_NEWUSER kunye ne-CLONE_NEWPID iindlela ziyasetyenziswa). Ngokhuseleko olongezelelweyo, oluphunyezwa phantsi kolawulo
Iinkqubo zeBubblewrap ziphehlelelwa kwimo yePR_SET_NO_NEW_PRIVS, ethintela ukufumana amalungelo amatsha, umzekelo, ukuba iflegi ye-setuid ikhona.
Ukwahlulwa kwinqanaba lenkqubo yefayile kufezekiswa ngokudala indawo entsha yegama lokunyuka ngokungagqibekanga, apho isahlulelo sengcambu esingenanto sidalwa kusetyenziswa i-tmpfs. Ukuba kuyimfuneko, izahlulo zeFS zangaphandle zincanyathiselwe kolu lwahlulelo kwimowudi "yokunyuka -bopha" (umzekelo, xa iqaliswa nge "bwrap -ro-bind /usr /usr" ukhetho, isahlulelo /usr sithunyelwa ukusuka kwinkqubo ephambili. kwimowudi yokufunda kuphela). Ubunakho bothungelwano buthintelwe ukufikelela kujongano lweloopback kunye nokwahlukaniswa kwesitaki sothungelwano nge-CLONE_NEWNET kunye ne-CLONE_NEWUTS iiflegi.
Umahluko ophambili kwiprojekthi efanayo , ekwasebenzisa imodeli yokumiliselwa kwe-setuid, kukuba kwiBubblewrap umaleko wokudala isikhongozeli ubandakanya kuphela ubuncinci obufunekayo bokukwazi, kunye nayo yonke imisebenzi eqhubela phambili efunekayo ukuqhuba usetyenziso lomzobo, isebenzisana nedesktop kunye nokucoca iminxeba eya kwiPulseaudio ikhutshelwe ngaphandle iFlatpak kwaye iyenziwa. emva kokuba amalungelo asetyenzisiwe. I-Firejail, kwelinye icala, idibanisa yonke imisebenzi ehambelanayo kwifayile enye ephunyezwayo, eyenza kube nzima ukuphicotha nokugcina ukhuseleko .
Ukukhutshwa okutsha kuphawuleka ekuphunyezweni kwenkxaso yokujoyina izithuba ezikhoyo zamagama abasebenzisi kunye nenkqubo yeendawo zamagama zepid. Ukulawula uqhagamshelo lwezithuba zamagama, iiflegi "--userns", "--users2" kunye ne "-pidns" zongeziwe.
Lo mboniso awusebenzi kwimowudi yokucwangciswa kwaye ufuna usebenziso lwendlela eyahlukileyo enokusebenza ngaphandle kokufumana amalungelo engcambu, kodwa ifuna isebenze.
izithuba zamagama zomsebenzisi kwinkqubo (zikhutshaziwe ngokuzenzekelayo kwi Debian kunye ne-RHEL/CentOS) kwaye ayikhuphi ngaphandle ithuba lokuba ukwenzela "izithuba zamagama zomsebenzisi" izithintelo rim. Iimpawu ezintsha ze-Bubblewrap 0.4 zikwabandakanya ukukwazi ukwakha ngethala leencwadi le-musl C endaweni ye-glibc kunye nenkxaso yokugcina ulwazi lwendawo yegama kwifayile enezibalo kwifomathi ye-JSON.
umthombo: opennet.ru
