ukukhishwa okusha kwekhithi yamathuluzi , eklanyelwe ukuhlela umsebenzi wezindawo ezingazodwa ku-Linux futhi isebenze ezingeni lohlelo lwabasebenzisi abangenamalungelo. Empeleni, i-Bubblewrap isetshenziswa iphrojekthi ye-Flatpak njengesendlalelo sokuhlukanisa izinhlelo zokusebenza eziqaliswe kumaphakheji. Ikhodi yephrojekthi ibhalwe ku-C kanye ilayisensi ngaphansi kwe-LGPLv2+.
Ukuze uzihlukanise, kusetshenziswa ubuchwepheshe be-virtualization yeziqukathi ze-Linux, ngokusekelwe ekusetshenzisweni kwamaqoqo, izindawo zamagama, i-Seccomp ne-SELinux. Ukuze wenze imisebenzi enelungelo lokumisa isiqukathi, i-Bubblewrap yethulwa ngamalungelo ezimpande (ifayela elisebenzisekayo elinefulegi le-suid) bese isetha kabusha amalungelo ngemva kokuba isiqukathi siqalisiwe.
Ukwenza kusebenze izindawo zamagama zabasebenzisi ohlelweni lwe-namespace, olukuvumela ukuthi usebenzise isethi yakho ehlukene yezihlonzi ezitsheni, akudingekile ukuze kusetshenziswe, ngoba akusebenzi ngokuzenzakalelayo ekusabalaliseni okuningi (i-Bubblewrap ibekwe njengokuqaliswa okulinganiselwe kwe-suid isethi encane yamakhono ezikhala zamagama abasebenzisi - ukukhipha bonke abasebenzisi kanye nezihlonzi zenqubo endaweni, ngaphandle kwalena yamanje, kusetshenziswa izindlela ze-CLONE_NEWUSER kanye ne-CLONE_NEWPID). Ukuze uthole ukuvikelwa okwengeziwe, okusebenzisekayo ngaphansi kokulawula
Izinhlelo ze-Bubblewrap ziqaliswa ngemodi ye-PR_SET_NO_NEW_PRIVS, evimbela ukuthola amalungelo amasha, isibonelo, uma ifulegi le-setuid likhona.
Ukuzihlukanisa ezingeni lesistimu yefayela kufezwa ngokudala indawo entsha yegama ngokuzenzakalelayo, lapho ukuhlukaniswa kwempande okungenalutho kwakhiwa kusetshenziswa ama-tmpfs. Uma kunesidingo, izingxenye zangaphandle ze-FS zinamathiselwe kulokhu kuhlukaniswa kumodi ethi “mount —bhind” (isibonelo, uma yethulwa ngenketho ethi “bwrap —ro-bind/usr/usr”, ukwahlukanisa /usr kudluliselwa kusuka ohlelweni olukhulu. kumodi yokufunda kuphela). Amandla enethiwekhi anomkhawulo wokufinyelela kusixhumi esibonakalayo se-loopback ngokuhlukaniswa kwesitaki senethiwekhi nge-CLONE_NEWNET kanye namafulegi we-CLONE_NEWUTS.
Umehluko omkhulu kuphrojekthi efanayo , ephinde isebenzisa imodeli yokwethulwa kwe-setuid, eyokuthi ku-Bubblewrap isendlalelo sokudala iziqukathi sihlanganisa kuphela amakhono amancane adingekayo, futhi yonke imisebenzi ethuthukisiwe edingekayo ukuze kusetshenziswe izinhlelo zokusebenza zesithombe, ukusebenzisana nedeskithophu nokuhlunga izingcingo eziya ku-Pulseaudio zikhishwa ngaphandle kwe-Flatpak futhi ziyasetshenziswa. ngemva kokuba amalungelo asethwe kabusha. Ngakolunye uhlangothi, i-Firejail ihlanganisa yonke imisebenzi ehlobene efayeleni elilodwa elisebenzisekayo, okwenza kube nzima ukuhlola nokugcina ukuphepha .
Ukukhishwa okusha kuyaphawuleka ekusetshenzisweni kosekelo lokujoyina izikhala zamagama zabasebenzisi ezikhona futhi kucutshungulwe izikhala zamagama ze-pid. Ukuze ulawule ukuxhunywa kwezikhala zamagama, amafulegi okuthi “--userns”, “--users2” kanye “no-pidns” engeziwe.
Lesi sici asisebenzi kumodi ye-setuid futhi sidinga ukusetshenziswa kwemodi ehlukile engasebenza ngaphandle kokuthola amalungelo ezimpande, kodwa sidinga ukuqalisa.
izikhala zamagama zabasebenzisi kusistimu (ikhutshazwe ngokuzenzakalelayo ku-Debian ne-RHEL/CentOS) futhi ayibandakanyi ithuba yemikhawulo "yezikhala zamagama zomsebenzisi" rim. Izici ezintsha ze-Bubblewrap 0.4 futhi zihlanganisa ikhono lokwakha ngelabhulali ye-musl C esikhundleni se-glibc nosekelo lokulondoloza ulwazi lwe-namespace kufayela elinezibalo ngefomethi ye-JSON.
Source: opennet.ru
