Ukukhutshwa kweprojekthi ye-Firejail 0.9.72 ishicilelwe, ephuhlisa inkqubo yokusetyenziswa okukodwa kwe-graphical, i-console kunye nezicelo zeseva, okuvumela ukunciphisa umngcipheko wokunciphisa inkqubo engundoqo xa uqhuba iinkqubo ezingathembekiyo okanye ezinokuthi zibe sengozini. Inkqubo ibhalwe kwi-C, isasazwe phantsi kwelayisensi ye-GPLv2 kwaye inokuqhuba kuyo nayiphi na i-Linux yokuhanjiswa kunye ne-kernel endala kune-3.0. Iiphakheji ze-Firejail esele zenziwe zilungiswa ngedeb (Debian, Ubuntu) kunye ne-rpm (CentOS, Fedora) iifomathi.
Ukwahlukaniswa, i-Firejail isebenzisa izithuba zamagama, i-AppArmor, kunye nokucoca umnxeba wenkqubo (seccomp-bpf) kwiLinux. Nje ukuba iqaliswe, inkqubo kunye nazo zonke iinkqubo zayo zomntwana zisebenzisa iimbono ezahlukeneyo zemithombo ye-kernel, efana nestakhi yenethiwekhi, itafile yenkqubo, kunye neendawo zokunyuka. Izicelo ezixhomekeke kwenye zinokudityaniswa zibe yibhokisi yesanti enye eqhelekileyo. Ukuba uyanqweneleka, iFirejail inokusetyenziselwa ukuqhuba iDocker, LXC kunye nezikhongozeli zeOpenVZ.
Ngokungafaniyo nezixhobo zokwahlula iikhonteyina, i-firejail ilula kakhulu ukuyilungisa kwaye ayifuni ukulungiswa komfanekiso wenkqubo - i-container composition yenziwa kwi-fly ngokusekelwe kumxholo wefayile yangoku kwaye iyacinywa emva kokuba isicelo sigqityiwe. Iindlela eziguquguqukayo zokuseta imigaqo yokufikelela kwisixokelelwano sefayile zinikiwe; unokumisela ukuba zeziphi iifayile kunye nabalawuli abavunyelweyo okanye abalelwa ukufikelela, qhagamshela iinkqubo zefayile zethutyana (tmpfs) zedatha, ukufikelela umda kwiifayile okanye abalawuli ukufunda kuphela, ukudibanisa abalawuli ngokusebenzisa i-bind-mount kunye ne-overlayfs.
Kwinani elikhulu lezicelo ezidumileyo, ezibandakanya iFirefox, iChromium, iVLC kunye noThumelo, iiprofayili zokuzihlukanisa zenkqubo eyenziweyo sele zilungisiwe. Ukufumana amalungelo ayimfuneko ukuseta indawo ye-sandboxed, i-firejail executable ifakwe kunye neflegi yengcambu ye-SUID (amalungelo asetyenzisiweyo emva kokuqaliswa). Ukuqhuba inkqubo kwimo yokwahlula, cacisa ngokulula igama lesicelo njengengxabano kusetyenziso lwefirejail, umzekelo, βfirejail firefoxβ okanye βsudo firejail /etc/init.d/nginx startβ.
Kukhupho olutsha:
- Yongezwe isihluzo se-seccomp yeefowuni zenkqubo ezithintela ukwenziwa kwezithuba zamagama (i "--restrict-namespaces" ukhetho longeziwe ukuze lusebenze). Iitafile zefowuni ezihlaziyiweyo kunye namaqela e-seccomp.
- Ukuphuculwa kwendlela yokunyanzeliswa kwe-nonewprivs (NO_NEW_PRIVS), ethintela iinkqubo ezintsha ekufumaneni amalungelo awongezelelweyo.
- Yongeza ukukwazi ukusebenzisa iiprofayili zakho ze-AppArmor (ukhetho lwe- "--apparmor" lunikezelwa uqhagamshelo).
- Inkqubo yokulandelela inethiwekhi ye-nettrace, ebonisa ulwazi malunga ne-IP kunye nokuqina kwe-traffic kwidilesi nganye, isebenzisa inkxaso ye-ICMP kwaye inikezela "--dnstrace", "--icmptrace" kunye "--snitrace" okukhethwa kukho.
- I --iqela kunye --imiyalelo yeqokobhe isusiwe (okungagqibekanga ngu --iqokobhe=akukho). Ukwakhiwa kwe-Firetunnel kumisiwe ngokungagqibekanga. I-chroot ekhubazekileyo, i-private-lib kunye nezicwangciso ze-tracelog kwi /etc/firejail/firejail.config. Inkxaso ye-gsecurity iye yanqunyanyiswa.
umthombo: opennet.ru