Ukukhishwa kwamathuluzi okuhlela umsebenzi wezindawo ezingazodwa I-Bubblewrap 0.6 iyatholakala, ngokuvamile isetshenziselwa ukukhawulela izinhlelo zokusebenza ezingazodwana zabasebenzisi abangenamalungelo. Empeleni, i-Bubblewrap isetshenziswa iphrojekthi ye-Flatpak njengesendlalelo sokuhlukanisa izinhlelo zokusebenza eziqaliswe kumaphakheji. Ikhodi yephrojekthi ibhalwe ngo-C futhi isatshalaliswa ngaphansi kwelayisensi ye-LGPLv2+.
Ukuze uzihlukanise, kusetshenziswa ubuchwepheshe be-virtualization yeziqukathi ze-Linux, ngokusekelwe ekusetshenzisweni kwamaqoqo, izindawo zamagama, i-Seccomp ne-SELinux. Ukuze wenze imisebenzi enelungelo lokumisa isiqukathi, i-Bubblewrap yethulwa ngamalungelo ezimpande (ifayela elisebenzisekayo elinefulegi le-suid) bese isetha kabusha amalungelo ngemva kokuba isiqukathi siqalisiwe.
Ukwenza kusebenze izindawo zamagama zabasebenzisi ohlelweni lwe-namespace, olukuvumela ukuthi usebenzise isethi yakho ehlukene yezihlonzi ezitsheni, akudingekile ukuze kusetshenziswe, ngoba akusebenzi ngokuzenzakalelayo ekusabalaliseni okuningi (i-Bubblewrap ibekwe njengokuqaliswa okulinganiselwe kwe-suid isethi encane yamakhono ezikhala zamagama abasebenzisi - ukukhipha bonke abasebenzisi kanye nezihlonzi zenqubo endaweni, ngaphandle kwalena yamanje, kusetshenziswa izindlela ze-CLONE_NEWUSER kanye ne-CLONE_NEWPID). Ukuze uthole ukuvikelwa okwengeziwe, izinhlelo ezisetshenziswa ngaphansi kwe-Bubblewrap ziqaliswa ngemodi ye-PR_SET_NO_NEW_PRIVS, evimbela ukutholwa kwamalungelo amasha, isibonelo, uma ifulegi le-setuid likhona.
Ukuzihlukanisa ezingeni lesistimu yefayela kufezwa ngokudala indawo entsha yegama ngokuzenzakalelayo, lapho ukuhlukaniswa kwempande okungenalutho kwakhiwa kusetshenziswa ama-tmpfs. Uma kunesidingo, izingxenye zangaphandle ze-FS zinamathiselwe kulokhu kuhlukaniswa kumodi ethi βmount βbhindβ (isibonelo, uma yethulwa ngenketho ethi βbwrap βro-bind/usr/usrβ, ukwahlukanisa /usr kudluliselwa kusuka ohlelweni olukhulu. kumodi yokufunda kuphela). Amandla enethiwekhi anomkhawulo wokufinyelela kusixhumi esibonakalayo se-loopback ngokuhlukaniswa kwesitaki senethiwekhi nge-CLONE_NEWNET kanye namafulegi we-CLONE_NEWUTS.
Umehluko oyinhloko ovela kuphrojekthi efanayo ye-Firejail, ephinde esebenzisa imodeli yokuqalisa i-setuid, ukuthi ku-Bubblewrap ungqimba lokudala iziqukathi luhlanganisa kuphela ubuncane obudingekayo bamakhono, kanye nayo yonke imisebenzi ethuthukisiwe edingekayo ukuze kusetshenziswe izinhlelo zokusebenza zegraphical, ukusebenzisana nedeskithophu kanye nezicelo zokuhlunga. ku-Pulseaudio, idluliselwe ohlangothini lwe-Flatpak futhi isetshenziswe ngemva kokuba amalungelo asethwe kabusha. Ngakolunye uhlangothi, i-Firejail ihlanganisa yonke imisebenzi ehlobene efayeleni elilodwa elisebenzisekayo, okwenza kube nzima ukuhlola nokugcina ukuphepha ezingeni elifanele.
Ekukhishweni okusha:
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠ±ΠΎΡΠΎΡΠ½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ Meson. ΠΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠ±ΠΎΡΠΊΠΈ ΠΏΡΠΈ ΠΏΠΎΠΌΠΎΡΠΈ Autotools ΠΏΠΎΠΊΠ° ΡΠΎΡ ΡΠ°Π½Π΅Π½Π°, Π½ΠΎ Π±ΡΠ΄Π΅Ρ ΡΠ΄Π°Π»Π΅Π½Π° Π² ΠΎΠ΄Π½ΠΎΠΌ ΠΈΠ· ΡΠ»Π΅Π΄ΡΡΡΠΈΡ Π²ΡΠΏΡΡΠΊΠΎΠ².
- Π Π΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½Π° ΠΎΠΏΡΠΈΡ Β«βadd-seccompΒ» Π΄Π»Ρ Π΄ΠΎΠ±Π°Π²Π»Π΅Π½ΠΈΡ Π±ΠΎΠ»Π΅Π΅ ΡΠ΅ΠΌ ΠΎΠ΄Π½ΠΎΠΉ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ seccomp. ΠΠΎΠ±Π°Π²Π»Π΅Π½ΠΎ ΠΏΡΠ΅Π΄ΡΠΏΡΠ΅ΠΆΠ΄Π΅Π½ΠΈΠ΅ ΠΎ ΡΠΎΠΌ, ΡΡΠΎ ΠΏΡΠΈ ΠΏΠΎΠ²ΡΠΎΡΠ½ΠΎΠΌ ΡΠΊΠ°Π·Π°Π½ΠΈΠΈ ΠΎΠΏΡΠΈΠΈ Β«βseccompΒ» Π±ΡΠ΄Π΅Ρ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ½ ΡΠΎΠ»ΡΠΊΠΎ ΠΏΠΎΡΠ»Π΅Π΄Π½ΠΈΠΉ ΠΏΠ°ΡΠ°ΠΌΠ΅ΡΡ.
- ΠΠ΅ΡΠΊΠ° master Π² git-ΡΠ΅ΠΏΠΎΠ·ΠΈΡΠΎΡΠΈΠΈ ΠΏΠ΅ΡΠ΅ΠΈΠΌΠ΅Π½ΠΎΠ²Π°Π½Π° Π² main.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΡΠ°ΡΡΠΈΡΠ½Π°Ρ ΠΏΠΎΠ΄Π΄Π΅ΡΠΆΠΊΠ° ΡΠΏΠ΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ REUSE, ΡΠ½ΠΈΡΠΈΡΠΈΡΡΡΡΠ΅ΠΉ ΠΏΡΠΎΡΠ΅ΡΡ ΡΠΊΠ°Π·Π°Π½ΠΈΡ ΡΠ²Π΅Π΄Π΅Π½ΠΈΠΉ ΠΎ Π»ΠΈΡΠ΅Π½Π·ΠΈΡΡ ΠΈ Π°Π²ΡΠΎΡΡΠΊΠΈΡ ΠΏΡΠ°Π²Π°Ρ . ΠΠΎ ΠΌΠ½ΠΎΠ³ΠΈΠ΅ ΡΠ°ΠΉΠ»Ρ Ρ ΠΊΠΎΠ΄ΠΎΠΌ Π΄ΠΎΠ±Π°Π²Π»Π΅Π½Ρ Π·Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΈ SPDX-License-Identifier. Π‘Π»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°ΡΠΈΡΠΌ REUSE ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΡΠΏΡΠΎΡΡΠΈΡΡ Π°Π²ΡΠΎΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠ΅ ΠΎΠΏΡΠ΅Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΠΊΠ°ΠΊΠ°Ρ Π»ΠΈΡΠ΅Π½Π·ΠΈΡ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΡΡΡ ΠΊ ΠΊΠ°ΠΊΠΈΠΌ ΠΈΠ· ΡΠ°ΡΡΠ΅ΠΉ ΠΊΠΎΠ΄Π° ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡ.
- ΠΠΎΠ±Π°Π²Π»Π΅Π½Π° ΠΏΡΠΎΠ²Π΅ΡΠΊΠ° Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΡΡΡΡΡΠΈΠΊΠ° Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠΎΠ² ΠΊΠΎΠΌΠ°Π½Π΄Π½ΠΎΠΉ ΡΡΡΠΎΠΊΠΈ (argc) ΠΈ ΡΠ΅Π°Π»ΠΈΠ·ΠΎΠ²Π°Π½ ΡΠΊΡΡΡΠ΅Π½Π½ΡΠΉ Π²ΡΡ ΠΎΠ΄ Π² ΡΠ»ΡΡΠ°Π΅ Π΅ΡΠ»ΠΈ ΡΡΡΡΡΠΈΠΊ ΡΠ°Π²Π΅Π½ Π½ΡΠ»Ρ. ΠΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ Π±Π»ΠΎΠΊΠΈΡΠΎΠ²Π°ΡΡ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ Ρ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΡΡ, Π²ΡΠ·Π²Π°Π½Π½ΡΠ΅ Π½Π΅ΠΊΠΎΡΡΠ΅ΠΊΡΠ½ΠΎΠΉ ΠΎΠ±ΡΠ°Π±ΠΎΡΠΊΠΎΠΉ ΠΏΠ΅ΡΠ΅Π΄Π°Π²Π°Π΅ΠΌΡΡ Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠΎΠ² ΠΊΠΎΠΌΠ°Π½Π΄Π½ΠΎΠΉ ΡΡΡΠΎΠΊΠΈ, ΡΠ°ΠΊΠΈΠ΅ ΠΊΠ°ΠΊ CVE-2021-4034 Π² Polkit.
Source: opennet.ru