I-Firejail uhlaka oluthuthukisa uhlelo lokukhishwa okukodwa kwezinhlelo zokusebenza zemifanekiso, ikhonsoli neseva. Usebenzisa iFirejail inciphisa ubungozi bokuyekethisa uhlelo main lapho kuqhutshwa izinhlelo ezingathembekile noma ezingaba sengozini. Uhlelo lubhalwe ngo-C, lusatshalaliswa ngaphansi kwelayisense le-GPLv2 futhi lungasebenza kunoma yikuphi ukusatshalaliswa kwe-Linux.
I-Firejail isebenzisa izikhala zamagama, i-AppArmor, nokuhlunga ikholi yohlelo (seccomp-bpf) ku-Linux ngokuhlukaniswa. Lapho sekuqaliwe, uhlelo nazo zonke izinqubo zalo zezingane zisebenzisa izethulo ezihlukile zezinsizakusebenza ze-kernel, njengestaki senethiwekhi, itafula lokucubungula, namaphoyinti wokukhweza.
Izicelo ezincikile zingahlanganiswa ebhokisini le-sandbox elijwayelekile. Uma ufisa, iFirejail ingasetshenziswa futhi ukuqala iziqukathi ze-Docker, LXC, ne-OpenVZ.
Mayelana neFirejail
Ngokungafani namathuluzi wokuvikela iziqukathi, IFirejail ilula ngokwedlulele ukuyimisa futhi ayidingi ukulungiswa kwesithombe sohlelo: Ukwakheka kwesiqukathi kwenziwa ngokususelwa kokuqukethwe kohlelo lwamanje lwefayela futhi kususwa ngemuva kokuphela kohlelo lokusebenza.
Se nikezela ngamathuluzi aguquguqukayo okusetha imithetho yokufinyelela kohlelo lwefayela Unganquma ukuthi yimaphi amafayela nezinkomba ezinokufinyelela okwenqatshiwe noma okwenqatshiwe, xhuma amasistimu efayela lesikhashana (tmpfs) wedatha, ukhawulele ukufinyelela kokufundwa kuphela kumafayili noma kwizikhombisi-ndlela, uhlanganise izinkomba usebenzisa i-bind-mount nama-overlayfs.
Ngenombolo enkulu yezinhlelo zokusebenza ezidumile, kufaka phakathi iFirefox, iChromium, iVLC, phakathi kokunye, amaphrofayli wokuhlukanisa amakholi wesistimu alungiselelwe ngaphandle kwebhokisi.
Ukuthola amalungelo adingekayo wokusetha i-sandbox, i-firejail ephumelelayo ifakwa nefulegi lempande le-SUID (ngemuva kokuqalisa, amalungelo asethwe kabusha).
Yini okusha kuFirejail 0.9.62?
Kule nguqulo entsha kugqanyisiwe lokho iza namanye amaphrofayli angeziwe wokuqalisa kohlelo lokusebenza ihlukaniswe lapho inani eliphelele lamaphrofayli lifinyelela ku-884.
Ngaphandle kwakho ukusethwa komkhawulo wekhophi wefayela kungeziwe ukumisa ifayela /etc/firejail/firejail.config, Lokhu kukuvumela ukuthi ubeke umkhawulo kusayizi wamafayela azokopishelwa kwimemori usebenzisa izinketho ze- "- eziyimfihlo- *" (ngokuzenzakalela, umkhawulo usethelwe ku-500MB).
Ikholi ye-chroot manje ayenziwanga ngokususelwa endleleni, kepha esikhundleni salokho isebenzisa amaphuzu wokukhweza ngokususelwa encazelweni yefayela.
Kwezinye izinguquko:
- Kumaphrofayli, ama-debugger avunyelwe.
- Ukuhlunga okuthuthukisiwe kwamakholi wesistimu kusetshenziswa indlela ye-seccomp.
- Ukutholwa okuzenzakalelayo kwamafulegi womhlanganisi kuyanikezwa.
- Umkhombandlela we / usr / share ugunyazelwe amaphrofayili ahlukahlukene.
- Imibhalo emisha yokusiza i-gdb-firejail.sh ne- sort.py ingeziwe esigabeni se-conrib.
- Ukuvikelwa okuthuthukisiwe esigabeni esinelungelo lokusebenzisa ikhodi (i-SUID).
- Kumaphrofayli, izimpawu ezintsha ezinemibandela i-HAS_X11 ne-HAS_NET ziyasetshenziswa ukuqinisekisa ubukhona besiphakeli se-X nokufinyelela kunethiwekhi.
Ungayifaka kanjani iFirejail kuLinux?
Okwalabo abanentshisekelo yokukwazi ukufaka iFirejail ekusatshalalisweni kwabo kweLinux, bangakwenza ngokulandela imiyalo ukuthi sabelana ngezansi.
Ku-Debian, Ubuntu kanye nokuphuma kokunye ukufakwa kulula impela kusukela bangakwazi ukufaka iFirejail kusuka ezinqolobaneni wokusatshalaliswa kwawo noma bangalanda amaphakheji we-deb olungiselelwe funa umthombo.
Endabeni yokukhetha ukufakwa kokugcina, vele uvule ukuphela bese wenza umyalo olandelayo:
sudo apt-get install firejail
Noma uma bethathe isinqumo sokulanda amaphakheji wesikweletu, bangafaka nomphathi wabo wephakheji abawuthandayo noma kusuka ku-terminal ngomyalo:
sudo dpkg -i firejail_0.9.62_1*.deb
Ngenkathi yecala le-Arch Linux kanye nokuphuma kokunye kusuka kulokhu, vele ugijime:
sudo pacman -S firejail
Endabeni kaFedora, RHEL, CentOS, OpenSUSE noma iyiphi enye i-distro enokwesekwa kwamaphakeji we-rpm angathola amaphakheji kusuka ku- isixhumanisi esilandelayo.
Futhi ukufakwa kwenziwa nge:
sudo rpm -i firejail-0.9.62-1.x86_64.rpm
Isethaphu
Lapho ukufakwa sekuqedile, manje kuzodingeka ukuthi silungiselele i-sandbox futhi futhi kufanele sibe ne-AppArmor enikwe amandla.
Kusuka esigungwini esizokuthayipha:
sudo firecfg sudo apparmor_parser -r /etc/apparmor.d/firejail-default
Ukwazi ukusetshenziswa nokuhlanganiswa kwayo ungaxhumana nomhlahlandlela wayo Kulesi sixhumanisi esilandelayo.