Bubblewrap, a tool for running applications in isolated environments

Bubblewrap is a tool for organizing sandboxed execution on Linux that runs at the level of unprivileged user applications. In practice, Bubblewrap is used by the Flatpak project as an intermediate layer to isolate applications launched from software packages.

For isolation, Linux uses the traditional container virtualization technologies based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root privileges (an executable with the suid flag) and then drops those privileges once the container has been initialized.

There is no need to enable user namespaces on the system, which would allow using your own set of ids inside the container, since by default they do not work on many distributions.

About Bubblewrap

Bubblewrap is positioned as a limited suid implementation of a subset of the user namespace features, which excludes all user and process ids from the environment except the current one, using the CLONE_NEWUSER and CLONE_NEWPID modes.

For additional protection, programs running under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which forbids acquiring new privileges, for example through the setuid flag.

Isolation at the filesystem level is done by default by creating a new mount namespace, in which an empty root partition is created using tmpfs.

If necessary, external FS partitions are attached to this partition in "mount --bind" mode (for example, when started with the option "bwrap --ro-bind /usr /usr", the /usr partition from the host is forwarded in read-only mode).

Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar project Firejail, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features, and all the advanced functions required to launch graphical applications, interact with the desktop, and filter calls to Pulseaudio are moved to the Flatpak side and run after privileges have been dropped.

Firejail, on the other hand, combines all related functions in a single executable file, which complicates auditing it and keeping its security at the proper level.

Bubblewrap essentially works by creating an empty mount namespace on a temporary filesystem that is destroyed after the sandboxed process finishes.

Using the options, the user can build the desired filesystem environment inside the namespace by bind-mounting the desired directories from the host system.
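As an added example (not code from the article or the Bubblewrap project), the following POSIX shell wrapper assembles the kind of bwrap invocation described above and a self-check to run inside it. It assumes bwrap is installed, a merged /usr layout on the host, and the function names and the /work mount point are its own choices.

```sh
#!/bin/sh
# Added example, not code from the original article or the Bubblewrap project.
# It assembles the bwrap invocation the article describes: an empty tmpfs root,
# /usr forwarded from the host read-only, private PID/net/UTS/IPC namespaces
# (network reduced to loopback) and a single writable work directory.
# Assumptions: bwrap is installed (setuid, or user namespaces enabled) and the
# host uses a merged /usr layout, so /bin, /lib and /lib64 are symlinks.

# Call "$1" with the full sandbox option list for work directory "$2",
# followed by the command to run. Passing bwrap executes the sandbox; passing
# print_args (below) shows the generated options instead.
bwrap_sandbox() {
    cmd="$1"; workdir="$2"; shift 2
    "$cmd" \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --bind "$workdir" /work \
        --chdir /work \
        --setenv PATH /usr/bin \
        --setenv HOME /work \
        -- "$@"
}

# Print one argument per line; lets you review the option list before use.
print_args() { printf '%s\n' "$@"; }

# Run "$@" inside the sandbox with "$1" as the writable work directory.
run_sandboxed() { bwrap_sandbox bwrap "$@"; }

# Checks to run *inside* the sandbox: PR_SET_NO_NEW_PRIVS must be in effect
# and the read-only /usr bind must reject writes, as the article describes.
SELFCHECK='
grep -q "^NoNewPrivs:[[:space:]]*1" /proc/self/status || { echo "no_new_privs not set"; exit 1; }
touch /usr/probe 2>/dev/null && { echo "/usr is writable"; exit 1; }
echo "sandbox ok: pid $$ in its own pid namespace, /usr read-only"
'

# Usage: run the self-check in a throwaway work directory.
# workdir=$(mktemp -d) && run_sandboxed "$workdir" sh -c "$SELFCHECK"
```

Review the option list with `bwrap_sandbox print_args /some/dir true` before wiring it into a launcher; anything not bound explicitly is simply absent from the sandbox root.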

Bubblewrap 0.4.0

Bubblewrap is currently at version 0.4.0, which was released recently. The project code is written in C and distributed under the LGPLv2+ license.

The new version is notable for implementing support for joining existing user and process id namespaces (pid namespaces).

The "--userns", "--userns2" and "--pidns" flags have been added to control the joining of namespaces.

This feature does not work in setuid mode and requires a separate mode that can operate without privileges, but that mode requires user namespaces to be enabled on the system (they are disabled in Debian and RHEL/CentOS) and does not rule out the exploitation of potential vulnerabilities in the restrictions imposed by "user namespaces".

Among the other new features of Bubblewrap 0.4, the ability to build with the musl C library instead of glibc is also noted, as well as support for saving namespace information to a statistics file in JSON format.

The Bubblewrap code and its documentation can be consulted on GitHub at this link.
