A new release of Bubblewrap is out. Bubblewrap is a toolkit for organizing isolated environments on Linux that operates at the application level for unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project code is written in C and licensed under LGPLv2+.
For isolation, the traditional Linux container technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root rights (an executable file with the suid flag) and resets its privileges after the container has been initialized.
Enabling user namespaces in the namespace system, which let containers use their own separate set of identifiers, is not required for operation, because it is not enabled by default in many distributions (Bubblewrap is positioned as a limited suid implementation of a subset of user namespace capabilities: to exclude all user and process identifiers from the environment except the current one, the CLONE_NEWUSER and CLONE_NEWPID modes are used). For additional protection, programs executed under Bubblewrap are launched in PR_SET_NO_NEW_PRIVS mode, which prevents them from gaining new privileges, for example when the setuid flag is present.
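The behaviour of PR_SET_NO_NEW_PRIVS described above can be checked directly. The following C program is an added example, not Bubblewrap's code, and the function names `nnp_checks` and `nnp_demo` are hypothetical; it sets the flag in a throwaway child process and verifies that the kernel reports it, refuses to clear it, and passes it on to forked children.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if every check held, otherwise the number of the failed check. */
static int nnp_checks(void)
{
    /* 1. Set the flag; the unused arguments must be 0. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return 1;
    /* 2. The kernel now reports the flag as set. */
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) return 2;
    /* 3. The flag is one-way: a request to clear it fails with EINVAL. */
    errno = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) != -1 || errno != EINVAL) return 3;
    /* 4. The flag is inherited across fork(), so everything started
     *    inside the sandbox carries it as well. */
    pid_t pid = fork();
    if (pid < 0) return 4;
    if (pid == 0) _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return 4;
    return 0;
}

/* Runs the checks in a child so the caller's own flag is left untouched. */
int nnp_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_checks());
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    int rc = nnp_demo();
    printf("no_new_privs checks: %s (code %d)\n", rc == 0 ? "all held" : "failed", rc);
    return rc;
}
```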
Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, external file system partitions are attached to this partition in "mount --bind" mode (for example, when started with the "bwrap --ro-bind /usr /usr" option, the /usr partition is forwarded from the main system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.
The key difference from the similar Firejail project, which also uses the setuid launch model, is that in Bubblewrap the container creation layer includes only the minimum necessary capabilities, while all the more advanced functions needed to run graphical applications, interact with the desktop and filter calls to Pulseaudio are moved out into Flatpak and executed after privileges have been reset. Firejail, on the other hand, combines all the related functions in a single executable file, which makes it harder to audit and to keep secure.
The new release is notable for implementing support for joining existing user namespaces and pid namespaces. To control the attachment of namespaces, the flags "--userns", "--userns2" and "--pidns" have been added.
This feature does not work in setuid mode and requires a separate mode that can operate without obtaining root rights, but that mode requires user namespaces to be enabled in the system (they are disabled by default on Debian and RHEL/CentOS) and does not rule out the possibility of the "user namespaces" restrictions being bypassed. The new features of Bubblewrap 0.4 also include the ability to build with the musl C library instead of glibc and support for saving namespace information to a file with statistics in JSON format.
Source: opennet.ru
