Release of the Bubblewrap 0.5.0 sandboxing tool
Bubblewrap 0.5.0, a tool for setting up isolated environments, is available. It is typically used to confine individual applications of unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project's code is written in C and is distributed under the LGPLv2+ license.
For isolation, Linux container virtualization technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is launched with root privileges (an executable with the suid flag) and drops those privileges once the container has been initialized.
Enabling user namespaces (the namespaces feature that lets a container use its own separate set of identifiers) is not required for operation, since it is disabled by default in many distributions (Bubblewrap positions itself as a restricted suid implementation of a small subset of user-namespace capabilities: the CLONE_NEWUSER and CLONE_NEWPID modes are used to exclude all user and process identifiers from the environment except the current one). For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prevents the acquisition of new privileges, for example via the setuid flag.
Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created on tmpfs. When needed, external file system partitions are attached to this root in "mount --bind" mode (for example, when launched with the option "bwrap --ro-bind /usr /usr", the /usr partition is passed through from the host system in read-only mode). Network capabilities are limited to access to the loopback interface by isolating the network stack with the CLONE_NEWNET and CLONE_NEWUTS flags.
The main difference from the similar Firejail project, which also uses the setuid launch model, is that in Bubblewrap the container-creation layer includes only the minimum necessary capabilities, while all the advanced functionality needed to run graphical applications, interact with the desktop and filter requests to PulseAudio is moved to the Flatpak side and executed after privileges have been dropped. Firejail, by contrast, combines all related functionality in a single executable, which makes it harder to audit and to maintain security at the appropriate level.
The new release offers new options: "--chmod" for changing access permissions, "--clearenv" for clearing environment variables (except PWD), and "--perms" for defining the access permissions applied when performing the "--bind-data", "--dir", "--file", "--ro-bind-data" and "--tmpfs" operations. Diagnostics of problems arising when a bind-mode mount fails have been improved. Tab-completion support for zsh has been added.
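The following script is an added example, not code from the article or from the Bubblewrap project. It assembles a bwrap command line that reproduces the isolation described above (empty tmpfs root, read-only /usr, private /proc and /dev, loopback-only networking) and then applies the options introduced in 0.5.0, showing the ordering rules that matter: --setenv must come after --clearenv, --perms affects only the single operation that follows it, and --chmod acts on a path that already exists. The /bin, /lib and /lib64 symlinks assume a merged-/usr host layout, and /run/app, /var/tmp and the PATH value are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example (not code from the article or from the Bubblewrap project):
# a bwrap invocation that reproduces the isolation described in the article
# and uses the options introduced in 0.5.0. Symlink targets for /bin, /lib
# and /lib64 assume a merged-/usr host layout; /run/app, /var/tmp and the
# PATH value are hypothetical values chosen for this example.

# Argument list for the minimal sandbox: the default empty tmpfs root,
# /usr bind-mounted read-only from the host, a private /proc and /dev,
# a tmpfs /tmp, and the user/PID/network/UTS namespaces unshared so that
# only the loopback interface is reachable from inside.
base_sandbox_args() {
  echo "--unshare-user --unshare-pid --unshare-net --unshare-uts --die-with-parent" \
       "--ro-bind /usr /usr --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64" \
       "--proc /proc --dev /dev --tmpfs /tmp"
}

# Options from the 0.5.0 release. Order matters: --clearenv drops every
# variable, so --setenv must follow it; --perms applies only to the single
# --dir/--tmpfs/--file/--bind-data/--ro-bind-data that comes next; --chmod
# changes the mode of a path that already exists (here the directory that
# the preceding --dir created with the default 0755).
release_0_5_args() {
  echo "--clearenv --setenv PATH /usr/bin:/bin" \
       "--perms 1777 --tmpfs /var/tmp" \
       "--dir /run/app --chmod 0700 /run/app"
}

# Runs the given command inside the sandbox. Skips (exit 0) when bwrap is
# not installed so the script stays usable on hosts without it.
run_sandboxed() {
  if ! command -v bwrap >/dev/null 2>&1; then
    echo "bwrap not installed; skipping execution" >&2
    return 0
  fi
  # Word splitting of the two argument strings is intentional: no token
  # in them contains whitespace.
  bwrap $(base_sandbox_args) $(release_0_5_args) "$@"
}

# Probes the sandbox from the inside: writes to /usr must fail, /tmp and
# /var/tmp must be writable, /run/app must carry the --chmod mode, and the
# environment must contain only what --setenv put there (plus PWD).
probe_sandbox() {
  run_sandboxed /bin/sh -c '
    if touch /usr/.probe 2>/dev/null; then echo "FAIL: /usr is writable"; else echo "ok: /usr is read-only"; fi
    if touch /tmp/.probe 2>/dev/null; then echo "ok: /tmp is writable"; else echo "FAIL: /tmp is not writable"; fi
    if touch /var/tmp/.probe 2>/dev/null; then echo "ok: /var/tmp is writable"; else echo "FAIL: /var/tmp is not writable"; fi
    echo "mode of /run/app: $(stat -c %a /run/app 2>/dev/null || echo unknown)"
    echo "environment inside the sandbox:"
    env
  '
}

# Entry point when run directly: execute the probe, but tolerate hosts where
# bwrap is missing or unprivileged user namespaces are disabled.
probe_sandbox || echo "sandbox probe did not run (is bwrap installed and are user namespaces enabled?)" >&2
```

On a host where bwrap is installed and unprivileged user namespaces are permitted, the probe prints one line per check; the "mode of /run/app" line should read 700, confirming that --chmod overrode the default mode of the directory --dir created, and the environment listing should show only PATH and PWD.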
Source: opennet.ru