Firejail 0.9.72 arrives with security improvements and more


Firejail is a SUID program that reduces the risk of security breaches by restricting the execution environment of applications.

The release of the new version of the Firejail project, 0.9.72, has been announced. The project develops a system for the isolated execution of graphical, console and server applications, which lets you reduce the risk of compromising the main system when running untrusted or potentially vulnerable programs.

For isolation, Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) on Linux. Once started, the program and all of its child processes use separate views of kernel resources, such as the network stack, the process table and mount points.

Applications that depend on each other can be combined in a common sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Many popular applications, including Firefox, Chromium, VLC and Transmission, already have system call isolation profiles prepared. To obtain the privileges needed to set up a sandboxed environment, the firejail executable is installed with SUID root (privileges are reset after initialization). To run a program in isolated mode, simply specify the application name as an argument to the firejail utility, for example, "firejail firefox" or "sudo firejail /etc/init.d/nginx start".

Main news in Firejail 0.9.72

In this new version we find that a seccomp system call filter has been added to block the creation of namespaces (the "--restrict-namespaces" option was added to enable it). The system call tables and seccomp groups have been updated.

The force-nonewprivs mode (NO_NEW_PRIVS) has been improved. It strengthens the security guarantees and is intended to prevent new processes from gaining additional privileges.

Another change that stands out is that the ability to use your own AppArmor profiles has been added (the "--apparmor" option is provided for this).

We can also find that the nettrace network traffic monitoring system, which displays information about the IP and traffic intensity of each address, supports ICMP and provides the "--dnstrace", "--icmptrace" and "--snitrace" options.

Of the other changes that stand out:

  • The --cgroup and --shell commands were removed (the default is --shell=none).
  • Building Firetunnel is disabled by default.
  • The chroot, private-lib and tracelog settings are disabled in /etc/firejail/firejail.config.
  • Support for grsecurity was removed.
  • modif: removed the --cgroup command
  • modif: set --shell=none as the default
  • modif: removed --shell
  • modif: Firetunnel disabled by default in configure.ac
  • modif: removed grsecurity support
  • modif: stop hiding blacklisted files in /etc by default
  • old behavior (disabled by default)
  • bugfix: flooding seccomp log entries
  • bugfix: --netlock does not work (Error: no valid sandbox)

Finally, for those interested in the program, it is written in C, distributed under the GPLv2 license, and can run on any Linux distribution. Ready-made Firejail packages are prepared in deb format (Debian, Ubuntu).

How to install Firejail on Linux?

Those who want to install Firejail on their Linux distribution can do so by following the instructions we share below.

On Debian, Ubuntu and derivatives the installation is quite simple, since Firejail can be installed from the distribution's repositories, or the prepared deb packages can be downloaded from the following link.

To install from the repositories, just open a terminal and run the following command:

sudo apt-get install firejail

Or, if you decided to download the deb packages, you can install them with your preferred package manager or from the terminal with the command:

sudo dpkg -i firejail_0.9.72-apparmor_1_amd64.deb

For Arch Linux and its derivatives, just run:

sudo pacman -S firejail

Configuration

Once the installation is complete, we now configure the sandbox, and AppArmor must also be enabled.

From a terminal we type:

sudo firecfg

sudo apparmor_parser -r /etc/apparmor.d/firejail-default
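
To check, after installation, the state of the firejail.config settings named in the release notes above, the following shell script reads the file and flags deviations. It is an added example, not part of Firejail or of the original article; the "key value" file format, the "no" defaults, the last-line-wins rule, the baseline with force-nonewprivs enabled and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example: audit firejail.config keys named in the 0.9.72 notes.
# File format assumed: "key value" per line, "#" starts a comment.

# Value assumed when a key is absent or commented out (assumption: "no"
# for the three features the notes list as disabled, and for force-nonewprivs).
fj_default() {
    case "$1" in
        chroot|private-lib|tracelog|force-nonewprivs) echo no ;;
        *) echo unknown ;;
    esac
}

# Print the effective value of KEY in FILE (last active line assumed to win).
fj_effective() {  # usage: fj_effective FILE KEY
    val=$(awk -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k && NF >= 2 { v = $2 }
        END { if (v != "") print v }' "$1")
    if [ -n "$val" ]; then echo "$val"; else fj_default "$2"; fi
}

# Compare against this example's baseline; returns the number of findings.
fj_audit() {  # usage: fj_audit FILE
    findings=0
    for pair in chroot:no private-lib:no tracelog:no force-nonewprivs:yes; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(fj_effective "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "REVIEW $key=$have (baseline: $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample config, not copied from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# chroot no
private-lib yes
tracelog no
# force-nonewprivs no
EOF
fj_audit "$sample" || echo "findings: $?"
```

On a real system, pass /etc/firejail/firejail.config to fj_audit instead of the sample file.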

To learn about its usage and integration, you can consult its guide at the following link.

