U-Qualys uhlonze ubungozi obubili (CVE-2021-44731, CVE-2021-44730) kunsiza ye-snap-confine, enikezwe ifulegi lempande ye-SUID futhi ebizwa ngenqubo ye-snapd ukudala indawo esebenzisekayo yezinhlelo zokusebenza ezilethwa ngamaphakheji aqukethwe ngokwawo. ngefomethi ye-snap. Ubungozi buvumela umsebenzisi wasendaweni ongenamalungelo ukuthi asebenzise ikhodi enamalungelo ezimpande ohlelweni. Izinkinga zixazululwa kusibuyekezo sephakheji ye-snapd ye-Ubuntu 21.10, 20.04 kanye ne-18.04.
Ukuba sengozini kokuqala (CVE-2021-44730) kuvumela ukuhlasela ngokusebenzisa isixhumanisi esiqinile, kodwa kudinga ukukhubaza ukuvikelwa kwesixhumanisi esiqinile (ukusetha i-sysctl fs.protected_hardlinks ku-0). Inkinga ibangelwa ukuqinisekiswa okungalungile kwendawo yamafayela asebenzisekayo we-snap-update-ns kanye nezinhlelo zomsizi ze-snap-discard-ns ezisebenza njengempande. Indlela eya kulawa mafayela ibalwe kumsebenzi we-sc_open_snapd_tool() ngokusekelwe endleleni yawo esuka ku-/proc/self/exe, ekuvumela ukuthi udale isixhumanisi esiqinile ukuze uvale nge-snap ku-directory yakho bese ubeka izinguqulo zakho ze-snap- update-ns kanye nezifinyezo kulolu hlu lwemibhalo lahla-ns. Ngemva kokusebenza ngesixhumanisi esiqinile, i-snap-confine ngamalungelo empande izokwethula amafayela we-snap-update-ns kanye ne-snap-discard-ns kusuka kuhla lwemibhalo lwamanje, esikhundleni salo umhlaseli.
Ukuba sengozini kwesibili kubangelwa isimo somjaho futhi kungasetshenziswa ekucushweni okuzenzakalelayo kwe-Ubuntu Desktop. Ukuze ukuxhashazwa kusebenze ngempumelelo ku-Ubuntu Server, kufanele ukhethe eyodwa yamaphakheji kusukela kusigaba esithi "Featured Server Snaps" lapho ufaka. Isimo somjaho sibonakala kumsebenzi wokusetha_private_mount() obizwa ngesikhathi sokulungiswa kwendawo yegama lephoyinti lokukhweza lephakheji ye-snap. Lo msebenzi udala uhla lwemibhalo lwesikhashana oluthi β/tmp/snap.$SNAP_NAME/tmpβ noma lisebenzisa olukhona kakade ukuhlanganisa uhla lwemibhalo lwephakheji ye-snap kulo.
Njengoba igama lohla lwemibhalo lwesikhashana libikezelwa, umhlaseli angashintsha okuqukethwe kwalo afake isixhumanisi esingokomfanekiso ngemva kokuhlola umnikazi, kodwa ngaphambi kokubiza ikholi yesistimu yokukhweza. Isibonelo, ungakha i-symlink "/tmp/snap.lxd/tmp" kuhla lwemibhalo /tmp/snap.lxd olukhomba uhla lwemibhalo olungadingeki, futhi ucingo lokukhweza() luzolandela i-symlink futhi lukhweze uhla lwemibhalo thatha indawo yegama. Ngendlela efanayo, ungakwazi ukukhweza okuqukethwe kwakho ku-/var/lib futhi, ngokufaka esikhundleni /var/lib/snapd/mount/snap.snap-store.user-fstab, uhlele ukukhwezwa kohla lwemibhalo lwakho / njll endaweni yamagama ye iphakethe le-snap ukuhlela ukulayishwa komtapo wakho wezincwadi ngamalungelo ezimpande ngokufaka esikhundleni /etc/ld.so.preload.
Kuyaphawulwa ukuthi ukudala ukuxhaphaza kuvele kuwumsebenzi ongewona omncane, njengoba insiza ye-snap-confine ibhalwe ku-Go usebenzisa amasu wokuhlela avikelekile, inokuvikelwa okususelwa kumaphrofayili we-AppArmor, izingcingo zohlelo lokuhlunga ezisuselwa kumshini we-seccomp, futhi zisebenzisa. indawo yamagama yokukhweza ukuze uhlukanise. Kodwa-ke, abacwaningi bakwazi ukulungiselela ukuxhashazwa okusebenzayo ukuze bathole amalungelo ezimpande ohlelweni. Ikhodi yokuxhaphaza izoshicilelwa emasontweni ambalwa ngemva kokuba abasebenzisi bafake izibuyekezo ezinikeziwe.
Source: opennet.ru