I-Firejail 0.9.72 ifika nokuthuthukiswa kwezokuphepha nokunye okwengeziwe

Darkcrizt

Imizuzu ye-4

mlindos_

I-Firejail wuhlelo lwe-SUID olunciphisa ubungozi bokwephulwa kwezokuphepha ngokukhawulela imvelo yohlelo lokusebenza.

Imemezele ukwethulwa kwe- inguqulo entsha yephrojekthi ye-Firejail 0.9.72, eqala isistimu yokwenziwa okukodwa kwezinhlelo zokusebenza eziyingcaca, ikhonsoli kanye neseva, okukuvumela ukuthi unciphise ubungozi bokufaka engozini uhlelo oluyinhloko ngokuqalisa izinhlelo ezingathenjwa noma ezingaba sengozini.

Ukuze uzihlukanise, i-Firejail sebenzisa izikhala zamagama, I-AppArmor nokuhlunga ikholi yesistimu (seccomp-bpf) ku-Linux. Uma seluqalile, uhlelo nazo zonke izinqubo zengane zisebenzisa izethulo ezihlukene zezinsiza ze-kernel, njengesitaki senethiwekhi, ithebula lenqubo, namaphoyinti okukhweza.

Izinhlelo zokusebenza ezincike kwenye zingahlanganiswa zibe yibhokisi lesihlabathi elivamile. Uma uthanda, i-Firejail ingasetshenziswa futhi ukusebenzisa iziqukathi ze-Docker, i-LXC, ne-OpenVZ.

Izinhlelo zokusebenza eziningi ezidumile, ezifaka iFirefox, iChromium, i-VLC, kanye ne-Transmission, zinamaphrofayili okuhlukanisa amakholi wesistimu amiswe ngaphambilini. Ukuze uthole amalungelo adingekayo okusetha indawo ene-sandbox, i-firejail esebenzisekayo ifakwa nomyalo wempande we-SUID (amalungelo asethwa kabusha ngemva kokuqaliswa). Ukuze uqalise uhlelo ngemodi ehlukanisiwe, vele ucacise igama lohlelo lokusebenza njengengxabano kunsizakalo ye-firejail, isibonelo, "firejail firefox" noma "sudo firejail /etc/init.d/nginx start".

Izindaba eziphambili zeFirejail 0.9.72

Kule nguqulo entsha singakuthola lokho wengeze isihlungi sekholi yesistimu ye-seccomp ukuvimba okudaliwe kwe-namespace (kungezwe inketho ethi "-khawula-izikhala zamagama" ukuze inikwe amandla). Kubuyekezwe amathebula ekholi esistimu namaqembu e-seccomp.

imodi ithuthukisiwe phoqa-akunazimfihlo (NO_NEW_PRIVS) Ithuthukisa iziqinisekiso zokuphepha futhi ihloselwe ukuvimbela izinqubo ezintsha ekutholeni amalungelo engeziwe.

Olunye ushintsho olugqamayo ukuthi amandla okusebenzisa amaphrofayili akho e-AppArmor angeziwe (inketho ethi “–apparmor” iphakanyiselwe uxhumano).

Singakuthola futhi lokho uhlelo lokuqapha ithrafikhi yenethiwekhi ye-nettrace, ebonisa ulwazi mayelana ne-IP kanye nobukhulu bethrafikhi yekheli ngalinye, isekela i-ICMP futhi inikeza izinketho “-dnstrace”, “–icmptrace”, kanye “–snitrace”.

Of ezinye izinguquko ezigqamile:

  • Kukhishwe imiyalo ye--cgroup kanye ne-shell (okuzenzakalelayo ithi -shell=none).
  • Ukwakhiwa kwe-Firetunnel kuyama ngokuzenzakalela.
  • I-chroot ekhutshaziwe, i-private-lib ne-tracelog ukucushwa ku-/etc/firejail/firejail.config.
  • Kususwe usekelo lwe-grsecurity.
  • i-modif: isuse umyalo we--cgroup
  • lungisa: setha --shell=none njengokumisiwe
  • lungisa: kususiwe --shell
  • i-modif: I-Firetunnel ivaliwe ngokuzenzakalelayo ku-configure.ac
  • i-modif: ukusekelwa kwe-grsecurity kususiwe
  • i-modif: yeka ukufihla amafayela avinjelwe ku-/etc ngokuzenzakalelayo
  • ukuziphatha okudala (kukhutshazwe ngokuzenzakalela)
  • ukulungisa iziphazamisi: ukungena kwelogi yokuhlola okugcwele kwe-seccomp
  • i-bugfix: --netlock ayisebenzi (Iphutha: alikho ibhokisi lesihlabathi elivumelekile)

Okokugcina, kulabo abathanda lolu hlelo, kufanele bazi ukuthi lubhalwe ngo-C, lusatshalaliswa ngaphansi kwelayisensi ye-GPLv2, futhi lungasebenza kunoma yikuphi ukusatshalaliswa kweLinux. Amaphakheji e-Firejail Ready alungiswa ngamafomethi e-deb (Debian, Ubuntu).

Ungayifaka kanjani iFirejail kuLinux?

Okwalabo abanentshisekelo yokukwazi ukufaka iFirejail ekusatshalalisweni kwabo kweLinux, bangakwenza ngokulandela imiyalo ukuthi sabelana ngezansi.

Ku-Debian, Ubuntu kanye nokuphuma kokunye ukufakwa kulula kakhulu, kusukela bangakwazi ukufaka iFirejail kusuka ezinqolobaneni wokusatshalaliswa kwawo noma bangalanda amaphakheji we-deb olungiselelwe funa isixhumanisi esilandelayo.

Endabeni yokukhetha ukufakwa kokugcina, vele uvule ukuphela bese wenza umyalo olandelayo:

sudo apt-get install firejail

Noma uma bethathe isinqumo sokulanda amaphakheji wesikweletu, bangafaka nomphathi wabo wephakheji abawuthandayo noma kusuka ku-terminal ngomyalo:

sudo dpkg -i firejail_0.9.72-apparmor_1_amd64.deb

Ngenkathi yecala le-Arch Linux kanye nokuphuma kokunye kusuka kulokhu, vele ugijime:

sudo pacman -S firejail

Isethaphu

Lapho ukufakwa sekuqedile, manje kuzodingeka ukuthi silungiselele i-sandbox futhi futhi kufanele sibe ne-AppArmor enikwe amandla.

Kusuka esigungwini esizokuthayipha:

sudo firecfg

sudo apparmor_parser -r /etc/apparmor.d/firejail-default

Ukwazi ukusetshenziswa nokuhlanganiswa kwayo ungaxhumana nomhlahlandlela wayo Kulesi sixhumanisi esilandelayo.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Unomthwalo wemfanelo ngedatha: AB Internet Networks 2008 SL
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.