Release of Bubblewrap 0.8, a layer for creating isolated environments

Bubblewrap 0.8, a toolkit for running isolated environments, has been released. It is typically used to confine individual applications of unprivileged users. In practice, Bubblewrap is used by the Flatpak project as the layer that isolates applications launched from packages. The project's code is written in C and distributed under the LGPLv2+ license.

Isolation relies on Linux container virtualization technologies based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is launched with root rights (an executable file with the suid flag) and then drops privileges once the container has been initialized.

Enabling user namespaces on the system, which let containers use their own separate set of identifiers, is not required for operation, since they do not work by default in many distributions (Bubblewrap is positioned as a limited suid implementation of a subset of user namespace capabilities: the CLONE_NEWUSER and CLONE_NEWPID modes are used to exclude all user and process identifiers from the environment except the current one). For additional protection, programs executed under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits acquiring new privileges, for example when the setuid flag is present.

Isolation at the file system level is achieved by creating a new mount namespace by default, in which an empty root partition is created using tmpfs. If necessary, partitions of the external file system are attached to this partition in "mount --bind" mode (for example, when launched with the option "bwrap --ro-bind /usr /usr", the /usr partition is passed through from the main system in read-only mode). Network capabilities are limited to access to the loopback interface, with the network stack isolated via the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launch model, is that in Bubblewrap the container-creation layer includes only the necessary minimum of capabilities, while all the extended functions needed to run graphical applications, interact with the desktop and filter requests to Pulseaudio are moved to the Flatpak side and executed after privileges have been dropped. Firejail, on the other hand, combines all the related functions in a single executable file, which makes it harder to audit and to keep its security at the proper level.

In the new release:

  • Added the "--disable-userns" option to prohibit the creation of a nested user namespace of its own inside the sandbox environment.
  • Added the "--assert-userns-disabled" option to check that an existing user ID space is used when the "--disable-userns" option is used.
  • Error messages related to the CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER settings being disabled in the kernel are now more informative.

Source: opennet.ru
