Release of the Firejail Application Isolation System 0.9.62

After six months of development, the release of the Firejail 0.9.62 project is available. It implements a system for the isolated execution of graphical, console and server applications. Using Firejail reduces the risk of compromising the main system when running untrusted or potentially vulnerable programs. The program is written in C, distributed under the GPLv2 license and can run on any Linux distribution with a kernel newer than 3.0. Ready-made packages with Firejail are prepared in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once launched, the program and all of its child processes use separate views of kernel resources such as the network stack, the process table and mount points. Interdependent applications can be combined into a single shared sandbox. Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation tools, firejail is extremely simple to configure and does not require preparing a system image: the container's contents are generated on the fly from the contents of the current file system and removed after the application terminates. Flexible file system access rules are provided, allowing you to define which files and directories are allowed or denied, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories using bind-mount and overlayfs.

Ready-made system call isolation profiles are available for a large number of popular applications, including Firefox, Chromium, VLC and Transmission. To obtain the privileges needed to set up an isolated environment, the firejail executable is installed with the SUID root flag (privileges are dropped after initialization). To run a program in isolation mode, simply pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

In the new release:

  • The file-copy-limit setting has been added to the /etc/firejail/firejail.config configuration file; it limits the size of files copied into memory when the "--private-*" options are used (by default the limit is set to 500MB).
  • Templates for creating new application isolation profiles have been added to the /usr/share/doc/firejail directory.
  • Debuggers are allowed in profiles.
  • Improved system call filtering using the seccomp mechanism.
  • Automatic detection of compilation flags is provided.
  • chroot is now performed using file-descriptor-based mount points instead of path-based ones.
  • The /usr/share directory is whitelisted in various profiles.
  • New helper scripts gdb-firejail.sh and sort.py have been added to the contrib section.
  • Strengthened protection in the privileged (SUID) code execution stage.
  • New conditionals HAS_X11 and HAS_NET have been implemented so that profiles can check for the presence of an X server and of network access.
  • Added profiles for isolating individual applications (the total number of profiles has grown to 884):
    • i2p,
    • tor-browser (AUR),
    • Zulip,
    • rsync,
    • signal-cli,
    • tcpdump,
    • tshark,
    • qgis,
    • OpenArena,
    • godot,
    • klatexformula,
    • klatexformula_cmdl,
    • links,
    • xlinks,
    • pandoc,
    • teams-for-linux,
    • gnome-sound-recorder,
    • Newsbeuter,
    • keepassxc-cli,
    • keepassxc-proxy,
    • rhythmbox-client,
    • Jerry,
    • zeal,
    • mpg123,
    • play,
    • mpg123.bin,
    • mpg123-alsa,
    • mpg123-id3dump,
    • out123,
    • mpg123-jack,
    • mpg123-nas,
    • mpg123-openal,
    • mpg123-oss,
    • mpg123-portaudio,
    • mpg123-pulse,
    • mpg123-strip,
    • pavucontrol-qt,
    • gnome-characters,
    • gnome-character-map,
    • Whalebird,
    • tb-starter-wrapper,
    • bzcat,
    • kiwix-desktop,
    • bzcat,
    • zstd,
    • pzstd,
    • zstdcat,
    • zstdgrep,
    • zstdless,
    • zstdmt,
    • unzstd,
    • ar,
    • gnome-latex,
    • pngquant,
    • kalgebra,
    • kalgebramobile,
    • glade,
    • kfind,
    • profanity,
    • audio-recorder,
    • cameramonitor,
    • ddgtk,
    • drawing,
    • unf,
    • gmpc,
    • email,
    • dot,
    • gist-paste.
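The file system rules, seccomp filtering and the new HAS_NET conditional described above can be combined in a custom profile. The script below is an added example, not part of the release announcement or of the Firejail project; "mytool" and the work directory are assumed names, and the profile is written to a directory you choose rather than to /etc/firejail.

```shell
#!/bin/sh
# Added example (not from the Firejail release notes): generate a local
# Firejail profile for a hypothetical "mytool". Nothing here needs root or
# touches /etc; the profile goes to the directory given as $1.
set -eu

# Write $1/mytool.profile and print its path.
write_profile() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/mytool.profile" <<'EOF'
# Hypothetical profile for "mytool" (assumed name; not shipped with Firejail)
include disable-common.inc
include disable-programs.inc

# Only the work directory stays visible in $HOME; its input subtree is read-only
whitelist ${HOME}/mytool-work
read-only ${HOME}/mytool-work/input

# Temporary file systems for scratch data, and no raw device access
private-tmp
private-dev

# Drop capabilities, forbid regaining root, and filter system calls
caps.drop all
noroot
nonewprivs
seccomp

# Conditional line: applied only when a separate network namespace is in use
?HAS_NET: netfilter
EOF
    echo "$dir/mytool.profile"
}

# Count the hardening directives present in a profile (quick self-check).
count_directives() {
    grep -c -E '^(seccomp|caps\.drop all|noroot|nonewprivs|private-tmp)$' "$1"
}

# Usage once the profile is copied to ~/.config/firejail/:
#   cp "$(write_profile /tmp/fj-example)" ~/.config/firejail/
#   firejail --profile=mytool mytool
```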

Source: opennet.ru
