Ukukhutshwa kwezixhobo zokuququzelela umsebenzi weendawo ezizimeleyo I-Bubblewrap 0.6 iyafumaneka, idla ngokusetyenziselwa ukukhawulela izicelo zabasebenzisi abangenamalungelo. Ngokwesiqhelo, iBubblewrap isetyenziswa yiprojekthi yeFlatpak njengomaleko wokuhlukanisa usetyenziso oluqaliswe kwiiphakheji. Ikhowudi yeprojekthi ibhalwe kwi-C kwaye ihanjiswa phantsi kwelayisensi ye-LGPLv2 +.
Ukwahlukaniswa, itekhnoloji yesiqhelo ye-Linux yesikhongozeli iyasetyenziswa, esekwe kusetyenziso lwamaqela, izithuba zamagama, i-Seccomp kunye ne-SELinux. Ukwenza imisebenzi enelungelo lokumisela isikhongozeli, iBubblewrap iqalwa ngamalungelo engcambu (ifayile ephunyeziweyo eneflegi ye-suid) kwaye iphinde imisele amalungelo emva kokuba isikhongozeli siqalisiwe.
Ukwenziwa kusebenze kwezithuba zegama lomsebenzisi kwinkqubo yesithuba samagama, ekuvumela ukuba usebenzise ezakho iiseti ezahlukeneyo zezazisi kwizikhongozeli, ayifuneki ukuba isebenze, kuba ayisebenzi ngokungagqibekanga kunikezelo oluninzi (i-Bubblewrap ibekwe njengophumezo olulinganiselweyo lwe-suid iseti engaphantsi yezakhono zomsebenzisi zezithuba zamagama - ukungabandakanyi bonke abasebenzisi kunye nenkqubo yokuchonga ukusuka kokusingqongileyo, ngaphandle kwale yangoku, i-CLONE_NEWUSER kunye ne-CLONE_NEWPID iindlela ziyasetyenziswa). Ngokhuseleko olongezelelweyo, iinkqubo eziqhutywa phantsi kweBubblewrap zindululwa kwimo ye-PR_SET_NO_NEW_PRIVS, ethintela ukufunyanwa kwamalungelo amatsha, umzekelo, ukuba iflegi ye-setuid ikhona.
Ukwahlulwa kwinqanaba lenkqubo yefayile kufezekiswa ngokudala indawo entsha yegama lokunyuka ngokungagqibekanga, apho isahlulelo sengcambu esingenanto sidalwa kusetyenziswa i-tmpfs. Ukuba kuyimfuneko, izahlulo zeFS zangaphandle zincanyathiselwe kolu lwahlulelo kwimowudi "yokunyuka -bopha" (umzekelo, xa iqaliswa nge "bwrap -ro-bind /usr /usr" ukhetho, isahlulelo /usr sithunyelwa ukusuka kwinkqubo ephambili. kwimowudi yokufunda kuphela). Ubunakho bothungelwano buthintelwe ukufikelela kujongano lweloopback kunye nokwahlukaniswa kwesitaki sothungelwano nge-CLONE_NEWNET kunye ne-CLONE_NEWUTS iiflegi.
Umahluko ophambili kwiprojekthi efanayo ye-Firejail, ekwasebenzisa imodeli yokumiliselwa kwe-setuid, kukuba kwi-Bubblewrap umaleko wokwenza isikhongozeli ubandakanya kuphela ubuncinci obufunekayo, kunye nayo yonke imisebenzi ephambili eyimfuneko ekuqhubeni usetyenziso lomzobo, ukusebenzisana nedesktop kunye nezicelo zokucoca. ukuya ePulseaudio, idluliselwe kwicala leFlatpak kwaye iqhutywe emva kokuba amalungelo abuyiselwe. I-Firejail, ngakolunye uhlangothi, idibanisa yonke imisebenzi ehambelanayo kwifayile enye ephunyezwayo, eyenza kube nzima ukuphicotha nokugcina ukhuseleko kwinqanaba elifanelekileyo.
Kukhupho olutsha:
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠ±ΠΎΡΠΎΡΠ½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ Meson. ΠΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠ±ΠΎΡΠΊΠΈ ΠΏΡΠΈ ΠΏΠΎΠΌΠΎΡΠΈ Autotools ΠΏΠΎΠΊΠ° ΡΠΎΡ ΡΠ°Π½Π΅Π½Π°, Π½ΠΎ Π±ΡΠ΄Π΅Ρ ΡΠ΄Π°Π»Π΅Π½Π° Π² ΠΎΠ΄Π½ΠΎΠΌ ΠΈΠ· ΡΠ»Π΅Π΄ΡΡΡΠΈΡ Π²ΡΠΏΡΡΠΊΠΎΠ².
- Π Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΎΠΏΡΠΈΡ Β«βadd-seccompΒ» Π΄Π»Ρ Π΄ΠΎΠ±Π°Π²Π»Π΅Π½ΠΈΡ Π±ΠΎΠ»Π΅Π΅ ΡΠ΅ΠΌ ΠΎΠ΄Π½ΠΎΠΉ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ seccomp. ΠΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΏΡΠ΅Π΄ΡΠΏΡΠ΅ΠΆΠ΄Π΅Π½ΠΈΠ΅ ΠΎ ΡΠΎΠΌ, ΡΡΠΎ ΠΏΡΠΈ ΠΏΠΎΠ²ΡΠΎΡΠ½ΠΎΠΌ ΡΠΊΠ°Π·Π°Π½ΠΈΠΈ ΠΎΠΏΡΠΈΠΈ Β«βseccompΒ» Π±ΡΠ΄Π΅Ρ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ½ ΡΠΎΠ»ΡΠΊΠΎ ΠΏΠΎΡΠ»Π΅Π΄Π½ΠΈΠΉ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡ.
- ΠΠ΅ΡΠΊΠ° master Π² git-ΡΠ΅ΠΏΠΎΠ·ΠΈΡΠΎΡΠΈΠΈ ΠΏΠ΅ΡΠ΅ΠΈΠΌΠ΅Π½ΠΎΠ²Π°Π½Π° Π² main.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΡΠ°ΡΡΠΈΡΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠΏΠ΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ REUSE, ΡΠ½ΠΈΡΠΈΡΠΈΡΡΡΡΠ΅ΠΉ ΠΏΡΠΎΡΠ΅ΡΡ ΡΠΊΠ°Π·Π°Π½ΠΈΡ ΡΠ²Π΅Π΄Π΅Π½ΠΈΠΉ ΠΎ Π»ΠΈΡΠ΅Π½Π·ΠΈΡΡ ΠΈ Π°Π²ΡΠΎΡΡΠΊΠΈΡ ΠΏΡΠ°Π²Π°Ρ . ΠΠΎ ΠΌΠ½ΠΎΠ³ΠΈΠ΅ ΡΠ°ΠΉΠ»Ρ Ρ ΠΊΠΎΠ΄ΠΎΠΌ Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Ρ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΈ SPDX-License-Identifier. Π‘Π»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°ΡΠΈΡΠΌ REUSE ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΡΠΏΡΠΎΡΡΠΈΡΡ Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠ΅ ΠΎΠΏΡΠ΅Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΠΊΠ°ΠΊΠ°Ρ Π»ΠΈΡΠ΅Π½Π·ΠΈΡ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΡΡΡ ΠΊ ΠΊΠ°ΠΊΠΈΠΌ ΠΈΠ· ΡΠ°ΡΡΠ΅ΠΉ ΠΊΠΎΠ΄Π° ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡ.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΡΠΎΠ²Π΅ΡΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΡΡΡΡΡΠΈΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠΎΠ² ΠΊΠΎΠΌΠ°Π½Π΄Π½ΠΎΠΉ ΡΡΡΠΎΠΊΠΈ (argc) ΠΈ ΡΠ΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½ ΡΠΊΡΡΡΠ΅Π½Π½ΡΠΉ Π²ΡΡ ΠΎΠ΄ Π² ΡΠ»ΡΡΠ°Π΅ Π΅ΡΠ»ΠΈ ΡΡΡΡΡΠΈΠΊ ΡΠ°Π²Π΅Π½ Π½ΡΠ»Ρ. ΠΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²Π°ΡΡ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ Ρ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΡΡ, Π²ΡΠ·Π²Π°Π½Π½ΡΠ΅ Π½Π΅ΠΊΠΎΡΡΠ΅ΠΊΡΠ½ΠΎΠΉ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΠΎΠΉ ΠΏΠ΅ΡΠ΅Π΄Π°Π²Π°Π΅ΠΌΡΡ Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠΎΠ² ΠΊΠΎΠΌΠ°Π½Π΄Π½ΠΎΠΉ ΡΡΡΠΎΠΊΠΈ, ΡΠ°ΠΊΠΈΠ΅ ΠΊΠ°ΠΊ CVE-2021-4034 Π² Polkit.
umthombo: opennet.ru