The release of a new version of the Firejail project, 0.9.72, has been announced. Firejail is a system for running graphical, console and server applications in isolation, which reduces the risk of compromising the host system when running untrusted or potentially vulnerable programs.
For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once started, the program and all of its child processes see separate views of kernel resources such as the network stack, the process table and the mount points.
Applications that depend on one another can be combined into a single shared sandbox. Optionally, Firejail can also be used to run Docker, LXC and OpenVZ containers.
Many popular applications, including Firefox, Chromium, VLC and Transmission, ship with preconfigured profiles that restrict their system calls. To obtain the privileges needed to set up the sandboxed environment, the firejail executable is installed with the SUID root bit (the privileges are dropped once initialisation is complete). To start a program in isolated mode, simply pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".
Main new features in Firejail 0.9.72
This new version adds a seccomp system call filter that blocks the creation of namespaces (enabled with the new "--restrict-namespaces" option). The system call tables and the seccomp groups have been updated.
The force-nonewprivs (NO_NEW_PRIVS) mode has been improved; it strengthens the security guarantees and is intended to prevent newly spawned processes from gaining additional privileges.
Another notable change is the added ability to use your own AppArmor profiles (the "--apparmor" option is provided to select them).
The nettrace network traffic monitor, which shows the IP address and the traffic intensity for each peer, has gained ICMP support and the new "--dnstrace", "--icmptrace" and "--snitrace" options.
Among the other notable changes:
- The --cgroup and --shell commands have been removed (the default is now --shell=none).
- The Firetunnel build is disabled by default.
- chroot, private-lib and tracelog are disabled by default in /etc/firejail/firejail.config.
- grsecurity support has been removed.
The corresponding entries from the release notes:
- modif: removed the --cgroup command
- modif: --shell=none is now the default
- modif: removed --shell
- modif: Firetunnel disabled by default in configure.ac
- modif: grsecurity support removed
- modif: stop hiding blacklisted files in /etc by default (the old behaviour is kept but disabled by default)
- bugfix: full seccomp audit logging
- bugfix: --netlock not working (Error: no valid sandbox)
Finally, those interested in the program should know that it is written in C, distributed under the GPLv2 licence and runs on any Linux distribution. Ready-made Firejail packages are provided in deb format (Debian, Ubuntu).
How to install Firejail on Linux?
Those who want to install Firejail on their Linux distribution can do so by following the instructions below.
On Debian, Ubuntu and their derivatives installation is straightforward, since Firejail can be installed from the distribution's repositories, or the prepared deb packages can be downloaded from the following link.
To install from the repositories, open a terminal and run:
sudo apt-get install firejail
Or, if you chose to download the deb package, you can install it with your preferred package manager or from the terminal with:
sudo dpkg -i firejail_0.9.72-apparmor_1_amd64.deb
For Arch Linux and its derivatives, just run:
sudo pacman -S firejail
Setup
Once the installation is complete, the sandbox still has to be configured, and AppArmor must be enabled on the system.
From a terminal, type:
sudo firecfg
sudo apparmor_parser -r /etc/apparmor.d/firejail-default
firecfg creates symbolic links in /usr/local/bin so that every application with a profile is started under Firejail automatically; apparmor_parser -r loads (or reloads) the firejail-default AppArmor profile that the sandboxes use.
For usage and configuration details, consult the manual at the following link.
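Added example, written for this article and not taken from the Firejail project or from the page's author: a profile that turns on the 0.9.72 features covered above (restrict-namespaces, apparmor, nonewprivs, the seccomp filter) for a hypothetical program called myapp, plus two checks for the setup steps just shown (the SUID root bit on the firejail binary and the loaded firejail-default AppArmor profile). The program name, the profile path, the function names and the assumption that the profile keyword restrict-namespaces mirrors the --restrict-namespaces option are all ours.

```shell
#!/bin/sh
# Added example: not part of Firejail or of the article. "myapp" is a
# hypothetical program; the profile path is supplied by the caller.

# Write a Firejail profile for "myapp". Profile directives use the same
# keywords as the command-line options, without the leading "--".
write_myapp_profile() {
    cat > "$1" <<'EOF'
# myapp.profile -- added example, not an upstream Firejail profile
# Drop all capabilities and forbid gaining privileges (NO_NEW_PRIVS).
caps.drop all
nonewprivs
noroot
# New in 0.9.72: seccomp filter that blocks creating further namespaces
# from inside the sandbox (assumed to mirror --restrict-namespaces).
restrict-namespaces
# Default seccomp system call filter (the updated groups/tables of 0.9.72).
seccomp
# Confine with the firejail-default AppArmor profile loaded by apparmor_parser.
apparmor
# Private home, /tmp and /dev: the real files are never visible.
private
private-tmp
private-dev
# No network stack at all; drop this line for a browser or a torrent client.
net none
EOF
}

# True when FILE contains KEYWORD as a directive (alone or with arguments).
profile_has_directive() {
    grep -Eq "^$2( |$)" "$1"
}

# Exit 0 if the firejail binary is setuid root, 1 if not, 2 if it is absent.
firejail_is_suid() {
    bin=$(command -v firejail) || return 2
    # 4th character of "ls -l" is the owner execute bit: "s" means setuid+exec.
    [ "$(ls -lL "$bin" | cut -c4)" = "s" ] &&
        [ "$(ls -lL "$bin" | awk '{print $3}')" = "root" ]
}

# Exit 0 if the firejail-default AppArmor profile is loaded, 1 if not,
# 2 if the AppArmor interface is unreadable (needs root, or AppArmor is off).
apparmor_profile_loaded() {
    f=/sys/kernel/security/apparmor/profiles
    [ -r "$f" ] || return 2
    grep -q '^firejail-default ' "$f"
}

# Print PASS/FAIL/SKIP for one check function named in $1.
report() {
    "$1"; rc=$?
    case $rc in
        0) echo "PASS: $1" ;;
        2) echo "SKIP: $1 (not available here)" ;;
        *) echo "FAIL: $1" ;;
    esac
}

# Usage: sh firejail-myapp.sh /path/to/myapp.profile
if [ $# -eq 1 ]; then
    write_myapp_profile "$1"
    echo "wrote $1"
    report firejail_is_suid
    report apparmor_profile_loaded
    echo "run: firejail --profile=$1 myapp"
fi
```

Run the program with firejail --profile=/path/to/myapp.profile myapp. The apparmor line only takes effect once the firejail-default profile has been loaded with apparmor_parser, which is what apparmor_profile_loaded confirms; both checks return 2 (reported as SKIP) when they cannot decide, so an absent binary or an unreadable AppArmor interface is not mistaken for a missing SUID bit or an unloaded profile. For a program that keeps its network, the new tracing options described above (--nettrace, --dnstrace, --icmptrace, --snitrace) can be added on the firejail command line to watch what the sandbox talks to.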