ProHoster > Ibhulogi > iindaba ze-intanethi > Ukukhutshwa kweNkqubo yokuBekwa yodwa kweSicelo soMlilo 0.9.62

Ukukhutshwa kweNkqubo yokuBekwa yodwa kweSicelo soMlilo 0.9.62

Emva kweenyanga ezintandathu zophuhliso iyafumaneka ukukhutshwa kweprojekthi I-Firejail 0.9.62, apho inkqubo iphuhliselwa umiliselo olulodwa lomzobo, ikhonsoli kunye nezicelo zeseva. Ukusebenzisa i-Firejail kukuvumela ukuba unciphise umngcipheko wokubeka esichengeni inkqubo engundoqo xa uqhuba iinkqubo ezingathembekanga okanye ezinokuba semngciphekweni. Inkqubo ibhalwe ngolwimi C, isasazwa ngu ilayisenisi phantsi kweGPLv2 kwaye ingasebenza kuyo nayiphi na isasazo Linux ene-kernel endala kune-3.0. Iipakeji ezisele zenziwe ngeFirejail ilungisiwe kwiifomathi zedeb (Debian, Ubuntu) kunye ne-rpm (CentOS, Fedora).

Ngokuba wedwa eFirejail ziyasetyenziswa izithuba zamagama, i-AppArmor, kunye nokucoca iifowuni zenkqubo (seccomp-bpf) kwi LinuxNje ukuba iqaliswe, inkqubo kunye nazo zonke iinkqubo zayo zomntwana zisebenzisa iindlela ezahlukeneyo zokubonisa izixhobo zekernel, ezifana ne-network stack, i-process table, kunye neendawo zokufaka. Ii-aplikeshini ezixhomekeke kwezinye zinokudityaniswa zibe yi-sandbox enye ekwabelwana ngayo. I-Firejail ingasetyenziselwa ukuqhuba izikhongozeli zeDocker, LXC, kunye ne-OpenVZ.

Ngokungafaniyo nezixhobo zokugquma iikhonteyina, i-firejail igqithise kakhulu elula kuqwalaselo kwaye ayifuni ukulungiswa komfanekiso wenkqubo - ukubunjwa kwesikhongozelo kwenziwa kwimpukane ngokusekelwe kwimixholo yenkqubo yefayile yangoku kwaye iyacinywa emva kokuba isicelo sigqityiwe. Iindlela eziguquguqukayo zokumisela imithetho yokufikelela kwisixokelelwano sefayile zibonelelwa, unokugqiba ukuba zeziphi iifayile kunye nezalathisi ezivunyelweyo okanye ezinqatshelwe ukufikelela, qhagamshela iisistim zefayile zethutyana (tmpfs) zedatha, zikhawulele ukufikelela kwiifayile okanye kwizikhombisi zokufunda kuphela, zidibanise iirejista ngokusebenzisa iifayili zexeshana (tmpfs) i-bind-mount kunye ne-overlayfs.

Ngenani elikhulu lezicelo ezidumileyo, kubandakanya iFirefox, iChromium, iVLC kunye noThumelo, sele lulungile. iiprofayili inkqubo yokufowuna yodwa. Ukufumana amalungelo ayimfuneko ukuseta indawo ye-sandboxed, i-firejail executable ifakwe kunye neflegi yengcambu ye-SUID (amalungelo asetyenzisiweyo emva kokuqaliswa). Ukuqhuba inkqubo kwimo yokwahlula, cacisa ngokulula igama lesicelo njengengxabano kusetyenziso lwe-firejail, umzekelo, "firejail firefox" okanye "sudo firejail /etc/init.d/nginx start".

Kukhupho olutsha:

  • Kwifayile yoqwalaselo /etc/firejail/firejail.config yongezwe ifayile-ikopi-umda useto, ekuvumela ukuba unciphise ubungakanani beefayile eziya kukotshwa kwinkumbulo xa usebenzisa "--yabucala-*" iinketho (ngokungagqibekanga umda umiselwe kwi-500MB).
  • Izempleyithi zokudala iiprofayili ezitsha zothintelo lwesicelo zongezwe kwi/usr/share/doc/firejail directory.
  • Iiprofayili zivumela ukusetyenziswa kwee-debuggers.
  • Ukuhluzwa okuphuculweyo kweefowuni zesixokelelwano kusetyenziswa indlela ye-seccomp.
  • Ukuzibona ngokuzenzekelayo iiflegi zomqokeleli kunikezelwa.
  • Umnxeba we-chroot awusenziwa ngokusekelwe kwindlela, kodwa usebenzisa iindawo zokunyuka ezisekelwe kwinkcazo yefayile.
  • I/usr/share directory ifakwe kuluhlu lweenkangeleko ezahlukeneyo.
  • Izikripthi zomncedisi omtsha we-gdb-firejail.sh kunye ne- sort.py zongezwe kwicandelo le-conrib.
  • Ukuqiniswa kokhuseleko kwinqanaba lokuphunyezwa kwekhowudi enelungelo (SUID).
  • Kwiiprofayili, iimpawu ezintsha ezinemiqathango HAS_X11 kunye ne-HAS_NET ziphunyeziwe ukujonga ubukho beseva ye-X kunye nofikelelo lwenethiwekhi.
  • Iiprofayile ezongeziweyo zokuqaliswa kwesicelo esisodwa (inani lilonke leeprofayili linyukile laya kutsho kuma-884):
    • i2p,
    • ibrowser (AUR),
    • Zulip,
    • rsync
    • uphawu-cli
    • tcpdump
    • tshark,
    • qgis
    • I-OpenArena,
    • godot,
    • klatexformula,
    • klatexformula_cmdl,
    • amakhonkco
    • i-xlinks,
    • pandoc
    • amaqela-kwi-linux,
    • i-gnome-sound-rekhoda,
    • umthengisi weendaba,
    • keepassxc-cli,
    • keepassxc-proxy,
    • rhythmbox-client,
    • ijeri
    • inzondelelo,
    • mpg123,
    • dlala,
    • mpg123.bin,
    • mpg123-alsa,
    • mpg123-id3dump,
    • ngaphandle kwe123,
    • mpg123-jack,
    • mpg123-nas,
    • mpg123-ivuliwe,
    • mpg123-oss,
    • mpg123-portaudio,
    • mpg123-pulse,
    • mpg123-umcu,
    • pavucontrol-qt,
    • iimpawu ze-gnome,
    • imephu yomlinganiswa we-gnome,
    • Umnenga
    • i-tb-starter-wrapper,
    • bzcat,
    • kiwix-desktop,
    • bzcat,
    • zstd,
    • pzstd,
    • zstdcat,
    • zstdgrep,
    • zstdless,
    • zstdmt,
    • unzstd,
    • ar,
    • i-gnome-latex,
    • pngquant
    • icalgebra
    • kalgebramobile,
    • hlekisa
    • fumana,
    • inhlamba,
    • irekhoda yomsindo,
    • cameramonitor
    • ddgtk
    • umfanekiso,
    • unf,
    • gmpc,
    • I-imeyile ye-elektroniki,
    • umxholo
    • inqaku-coca.

umthombo: opennet.ru

Thenga ukusingathwa okuthembekileyo kwiindawo ezinokhuseleko lweDDoS, iiseva zeVPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekileyo ngokhuseleko lwe-DDoS, iiseva zeVPS VDS | ProHoster