Fedora 40 plans to enable system service isolation

For the Fedora 40 release, it has been proposed to enable isolation settings for the system services that are enabled by default, as well as for services running critical applications such as PostgreSQL, Apache httpd, Nginx, and MariaDB. The change is expected to significantly increase the security of the distribution in its default configuration and to make it possible to block unknown vulnerabilities in system services. The proposal has not yet been considered by FESCo (Fedora Engineering Steering Committee), which is responsible for the technical side of Fedora distribution development. The proposal may be rejected during the community review process.

Settings recommended for enabling:

  • PrivateTmp=yes - provides separate directories for temporary files.
  • ProtectSystem=yes/full/strict - mounts the file system in read-only mode (in "full" mode - /etc/, in "strict" mode - all file systems except /dev/, /proc/ and /sys/).
  • ProtectHome=yes - denies access to users' home directories.
  • PrivateDevices=yes - leaves access only to /dev/null, /dev/zero and /dev/random.
  • ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
  • ProtectKernelModules=yes - prohibits loading kernel modules.
  • ProtectKernelLogs=yes - prohibits access to the kernel log buffer.
  • ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes - prohibits privilege escalation through the setuid, setgid and capabilities flags.
  • PrivateNetwork=yes - places the service in a separate network stack namespace.
  • ProtectClock=yes - prohibits changing the time.
  • ProtectHostname=yes - prohibits changing the host name.
  • ProtectProc=invisible - hides other users' processes in /proc.
  • User= - changes the user.

Additionally, enabling the following settings may be considered:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
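
To see how far an existing unit is from the recommended settings in the first list above, the following added example (not code from the Fedora proposal or from systemd) parses a unit file's [Service] section and reports every directive that is unset or not at the recommended value. The sample unit and the names `service_settings`, `audit` and `SAMPLE_UNIT` are constructed for illustration.

```python
TRUE = {"1", "yes", "true", "on"}       # spellings systemd accepts for booleans
FALSE = {"0", "no", "false", "off"}
# Directive -> accepted values, taken from the recommended list on this page.
RECOMMENDED = {name: {"yes"} for name in (
    "PrivateTmp", "ProtectHome", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectKernelLogs", "ProtectControlGroups",
    "NoNewPrivileges", "PrivateNetwork", "ProtectClock", "ProtectHostname")}
RECOMMENDED["ProtectSystem"] = {"yes", "full", "strict"}
RECOMMENDED["ProtectProc"] = {"invisible"}

def service_settings(unit_text):
    """Return the effective [Service] settings; a later assignment wins."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            low = value.lower()
            settings[key] = "yes" if low in TRUE else "no" if low in FALSE else value
    return settings

def audit(unit_text):
    """Map each recommended directive that is unset or off-target to its value."""
    have = service_settings(unit_text)
    gaps = {k: have.get(k) for k, ok in RECOMMENDED.items() if have.get(k) not in ok}
    if not have.get("User"):             # User= must name an account
        gaps["User"] = have.get("User")
    return gaps

# Constructed sample unit, not taken from any Fedora package.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed sample service
[Service]
ExecStart=/usr/bin/example-daemon
User=example
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
NoNewPrivileges=1
"""

if __name__ == "__main__":
    for name, value in sorted(audit(SAMPLE_UNIT).items()):
        print(f"{name}: {'not set' if value is None else value}")
```

Treat the output as a review list rather than a pass/fail result: PrivateNetwork=yes, for example, leaves a service with only a loopback interface, so it cannot be applied to a network-facing daemon. On a running system, `systemd-analyze security <unit>` gives systemd's own assessment of the effective settings.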

Source: opennet.ru
