Firejail Application Isolation System 0.9.60 Released

The release of Firejail 0.9.60 is available. The project develops a system for the isolated execution of graphical, console and server applications. Using Firejail reduces the risk of compromising the host system when running untrusted or potentially vulnerable programs. The program is written in C, is distributed under the GPLv2 license and can run on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are prepared in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once started, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table and mount points. Applications that depend on each other can be combined into a single shared sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container tooling, firejail is extremely simple to configure and does not require preparing a system image: the container's contents are assembled on the fly from the current file system and are discarded after the application exits. Flexible means of defining file system access rules are provided; you can specify which files and directories are allowed or denied, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind-mount and overlayfs.

Ready-made system call isolation profiles have been prepared for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To run a program in isolation mode, simply pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • A vulnerability that allowed a malicious process to bypass the system call restriction mechanism has been fixed. The essence of the vulnerability is that the Seccomp filters are copied into the /run/firejail/mnt directory, which is writable from inside the isolated environment. A malicious process running in isolation mode could modify these files, causing new processes started in the same environment to run without the system call filter being applied;
  • The memory-deny-write-execute filter now ensures that the "memfd_create" call is blocked;
  • Added a new "private-cwd" option to change the working directory of the jail;
  • Added the "--nodbus" option to block D-Bus sockets;
  • Restored support for CentOS 6;
  • Discontinued support for packages in the flatpak and snap formats. It is clarified that these packages should use their own tooling;

  • Added new profiles for isolating 87 more applications, including mypaint, nano, xfce4-mixer, gnome-keyring, redshift, font-manager, gconf-editor, gsettings, freeciv, lincity-ng, openttd, torcs, tremulous, warsow, freemind, kid3, freecol, opencity, utox, freeoffice-planmaker, freeoffice-presentation, freeoffice-textmaker, inkview, meteo-qt, ktouch, yelp and cantata.
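Since the fixed bug concerned sandboxed processes being started without their seccomp filter, an administrator may want to confirm that a process inside a jail really has a filter loaded. The script below is an added example, not code from the Firejail project: it reads the "Seccomp:" field of /proc/<pid>/status and lists files under /run/firejail/mnt that the current user could write to; the function names and the sample status files in the check are constructed for this note.

```shell
#!/bin/sh
# Added example (not Firejail project code): check that a process running
# inside a Firejail sandbox really has a seccomp-bpf filter loaded, and list
# files under /run/firejail/mnt that the current user could write to.
# Assumes a Linux procfs; the "Seccomp:" field reads 0 (off), 1 (strict)
# or 2 (filter mode, which is what Firejail installs).

# Print the seccomp mode recorded in a /proc/<pid>/status-style file.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; exit }' "$1"
}

# Succeed (exit 0) only when the status file shows filter mode (2).
has_seccomp_filter() {
    [ "$(seccomp_mode "$1")" = "2" ]
}

# Print every regular file directly under a directory that is writable by
# this user. Default directory is the Firejail mount dir named above.
writable_files_in() {
    dir="${1:-/run/firejail/mnt}"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && [ -w "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Check one live process: "check_pid 4242". Exit status 1 on a missing filter.
check_pid() {
    status="/proc/$1/status"
    if has_seccomp_filter "$status"; then
        printf 'pid %s: seccomp filter active\n' "$1"
    else
        printf 'pid %s: no seccomp filter (mode %s)\n' "$1" "$(seccomp_mode "$status")"
        return 1
    fi
}

# With a pid argument (e.g. a child of "firejail firefox") check that process;
# without one, just list writable filter files.
if [ -n "$1" ]; then
    check_pid "$1"
else
    writable_files_in
fi
```

Run as root or as the sandbox user to get the same view of file permissions that a process inside the jail would have.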

Source: opennet.ru
