For the Fedora 40 release it has been proposed to enable the isolation settings of systemd for the system services that are enabled by default, as well as for services running critical applications such as PostgreSQL, Apache httpd, Nginx and MariaDB. The change is expected to significantly improve the security of the distribution in its default configuration and to make it possible to block the exploitation of not-yet-known vulnerabilities in system services. The proposal has not yet been considered by FESCo (Fedora Engineering Steering Committee), which is responsible for the technical side of Fedora distribution development, and it may still be rejected during the community review process.
Recommended settings to enable:
- PrivateTmp=yes - provides a separate directory tree for temporary files.
- ProtectSystem=yes/full/strict - mounts the file system read-only (in "full" mode this also covers /etc/; in "strict" mode all file systems except /dev/, /proc/ and /sys/).
- ProtectHome=yes - denies access to users' home directories.
- PrivateDevices=yes - leaves access only to /dev/null, /dev/zero and /dev/random.
- ProtectKernelTunables=yes - read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
- ProtectKernelModules=yes - prohibits loading kernel modules.
- ProtectKernelLogs=yes - prohibits access to the kernel log buffer.
- ProtectControlGroups=yes - read-only access to /sys/fs/cgroup/.
- NoNewPrivileges=yes - prohibits privilege escalation via setuid and setgid flags and capabilities.
- PrivateNetwork=yes - places the service in a separate network stack namespace.
- ProtectClock=yes - prohibits changing the system time.
- ProtectHostname=yes - prohibits changing the host name.
- ProtectProc=invisible - hides other users' processes in /proc.
- User= - changes the user the service runs as.
Additionally, enabling the following settings may be considered:
- CapabilityBoundingSet=
- DevicePolicy=closed
- KeyringMode=private
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- PrivateUsers=yes
- RemoveIPC=yes
- RestrictAddressFamilies=
- RestrictNamespaces=yes
- RestrictRealtime=yes
- RestrictSUIDSGID=yes
- SystemCallFilter=
- SystemCallArchitectures=native
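As an added example (not code from the Fedora proposal itself), the following POSIX shell helper writes the settings above as a drop-in for a hypothetical example.service, so the vendor-supplied unit file stays untouched. The values filled in for the empty list directives (RestrictAddressFamilies=, SystemCallFilter=) and the choice of ProtectSystem=strict are illustrative assumptions that must be tuned per service; PrivateNetwork=yes is left out because it would cut a network-facing service such as a web or database server off from its clients.

```shell
#!/bin/sh
# Added example: emit and install a hardening drop-in for a service unit.
hardening_dropin() {
    # Drop-in body. Empty list directives reset the set to its most restrictive value.
    cat <<'EOF'
[Service]
# Recommended in the Fedora 40 proposal
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# PrivateNetwork=yes is omitted: it would cut off a network-facing service
# Additional settings; the two list values below are illustrative assumptions
CapabilityBoundingSet=
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateUsers=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native
EOF
}

# install_dropin UNIT [ROOT]: write the drop-in under ROOT/etc/systemd/system/UNIT.d/
# and print its path. ROOT defaults to / ; pass a temp dir to try it without root.
install_dropin() {
    unit="$1"; root="${2:-}"
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    hardening_dropin > "$dir/hardening.conf"
    printf '%s\n' "$dir/hardening.conf"
}
```

After `systemctl daemon-reload`, `systemd-analyze security example.service` reports the unit's exposure score and lists the directives that are still unset, which is the quickest way to check that the drop-in took effect.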
Source: opennet.ru