Dangerous vulnerabilities found in Firejail, ConnMan and GNU Guix

A few days ago, news was released about the discovery of several vulnerabilities considered dangerous in Firejail, ConnMan and GNU Guix. The first concerns the vulnerability found in the utility for running applications in a sandbox, Firejail (CVE-2021-26910), which allows privileges to be escalated to the root user.

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation on Linux, but it needs elevated privileges to set up the isolated launch, which it obtains either by being installed with the suid-root flag or by being run through sudo.

The vulnerability is caused by a bug in the code that supports the OverlayFS file system, which is used to create an additional layer on top of the main file system to hold the changes made by the isolated process. The isolated process is expected to get read access to the original file system, while all write operations are redirected to temporary storage and do not affect the real, original file system.

By default, the OverlayFS partitions are mounted in the user's home directory, for example inside "/home/test/.firejail/[name]", while the owner of these directories is set to root so that the current user cannot change their contents.

When creating a sandbox environment, Firejail checks that the root of the temporary OverlayFS partition cannot be modified by an unprivileged user. The vulnerability is caused by a race condition: the operations are not performed atomically, and there is a short window between the check and the mount, which makes it possible to replace the root .firejail directory with a directory the current user has write access to (since .firejail is created in the user's home directory, the user can rename it).

Having write access to the .firejail directory lets you override the OverlayFS mount points with a symbolic link and change any file on the system. The researcher has prepared a working prototype of the exploit, which will be published one week after the fix is released. The problem has existed since version 0.9.30. In version 0.9.64.4, the vulnerability was closed by disabling OverlayFS support.
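The race described above is a classic check-then-use gap: the ownership check is done on a path name, and the path can be renamed before the mount uses it. The added example below, which is not Firejail's code, shows the defensive pattern that closes that gap: the directory is opened once, ownership and permissions are verified with fstat() on the open descriptor, and every later operation goes through that descriptor rather than through the path. The helper names (open_trusted_dir, demo_handle_survives_rename) and the scratch directory under /tmp are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper (not Firejail's code): validate a directory that will
 * serve as a mount root and return an open descriptor to it. Ownership and
 * permissions are checked with fstat() on the opened object, not stat() on
 * the path, and the caller keeps working through the descriptor (mkdirat,
 * openat, or "/proc/self/fd/N" as a mount source). A rename of the path
 * between the check and the use cannot redirect the later operation.
 * Returns the descriptor, or -1 with errno set.
 */
int open_trusted_dir(const char *path, uid_t trusted_uid)
{
    /* O_NOFOLLOW: a symlink at `path` fails with ELOOP instead of being followed. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    /* Must be a directory owned by the trusted uid and not world-writable. */
    if (!S_ISDIR(st.st_mode) || st.st_uid != trusted_uid ||
        (st.st_mode & S_IWOTH)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/*
 * Constructed scenario: validate a scratch directory, reject a symlink to
 * it, then rename the path (the move an unprivileged user can make to a
 * directory created under their own home) and show that a write through
 * the descriptor still lands in the directory that passed the check.
 * Returns 1 if every step behaves as expected, 0 otherwise.
 */
int demo_handle_survives_rename(void)
{
    char dir[] = "/tmp/trusted-dir-XXXXXX";
    char moved[64], link[64], probe[80];
    struct stat st;
    int fd = -1, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(moved, sizeof moved, "%s.moved", dir);
    snprintf(link, sizeof link, "%s.link", dir);
    snprintf(probe, sizeof probe, "%s/work", moved);

    /* 1. The fresh directory passes for its owner and fails for anyone else. */
    fd = open_trusted_dir(dir, getuid());
    if (fd < 0 || open_trusted_dir(dir, getuid() + 1) != -1)
        goto out;

    /* 2. A symlink to the same directory is rejected outright. */
    if (symlink(dir, link) < 0 || open_trusted_dir(link, getuid()) != -1)
        goto out;

    /* 3. Simulate the race window: the path is swapped after the check. */
    if (rename(dir, moved) < 0)
        goto out;

    /* 4. The write goes through the descriptor, so it reaches the checked
     *    directory wherever it now lives in the tree. */
    if (mkdirat(fd, "work", 0700) < 0)
        goto out;
    if (stat(probe, &st) == 0 && S_ISDIR(st.st_mode))
        ok = 1;

out:
    if (fd >= 0)
        close(fd);
    unlink(link);
    rmdir(probe);
    rmdir(moved);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("handle-based check survives rename: %s\n",
           demo_handle_survives_rename() ? "yes" : "no");
    return 0;
}
```

The point of the demonstration is step 4: after the rename, a path-based mount would now operate on whatever the user placed at the original name, while the descriptor still refers to the directory that was actually inspected.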

As an alternative way to block the vulnerability, you can also disable OverlayFS by adding the parameter "overlayfs" with the value "no" to /etc/firejail/firejail.config.

The second dangerous vulnerability identified (CVE-2021-26675) was in the ConnMan network configurator, which is widely used in embedded Linux systems and IoT devices. The vulnerability potentially allows remote execution of attacker-supplied code.

The problem is due to a buffer overflow in the dnsproxy code and can be exploited by returning specially crafted responses from a DNS server to which the DNS proxy is configured to forward traffic. Tesla, which uses ConnMan, reported the problem. The vulnerability was fixed in yesterday's release of ConnMan 1.39.
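A DNS proxy that forwards answers from an upstream server is parsing attacker-influenced input, so every length field in the response has to be checked against the bytes actually received. The added example below is not ConnMan's code; it is a bounded decoder for a DNS name in RFC 1035 wire format, with a constructed response packet and two constructed malformed inputs. The function names (dns_decode_name, decode_into), the sample arrays and their offsets are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounded decoder for a DNS name (RFC 1035 wire format),
 * not taken from ConnMan. Every read is checked against msg_len, every
 * write against out_size, and compression pointers must point strictly
 * backwards (a "prior occurrence" per the RFC), which guarantees
 * termination without a separate loop counter. Decodes the name starting
 * at `off` into `out` as dotted text and returns the number of bytes the
 * name occupies at `off` (through the zero label or the first pointer),
 * or -1 if the input is malformed.
 */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_size)
{
    size_t pos = off, out_len = 0;
    int consumed = -1;

    if (out_size == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len)
            return -1;                         /* ran off the message */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {            /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msg_len)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            if (target >= pos)
                return -1;                     /* forward or self pointer: loop risk */
            pos = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                         /* 01/10 prefixes are reserved */
        if (len == 0) {                        /* root label ends the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + len > msg_len)
            return -1;                         /* label runs past the message */
        if (out_len + (out_len ? 1 : 0) + len >= out_size)
            return -1;                         /* no room for label + NUL */
        if (out_len)
            out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, len);
        out_len += len;
        pos += 1 + len;
    }
    out[out_len] = '\0';
    return consumed;
}

/* Constructed response: one A record for example.com; the answer NAME is a
 * compression pointer (0xC00C) back to the question name at offset 12. */
static const uint8_t SAMPLE_RESPONSE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00,                                    /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, /* QNAME @12 */
    0x00, 0x01, 0x00, 0x01,                                    /* A, IN */
    0xC0, 0x0C,                                                /* NAME @29 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10,            /* A, IN, TTL */
    0x00, 0x04, 93, 184, 216, 34                               /* RDLENGTH, RDATA */
};
#define SAMPLE_RESPONSE_LEN (sizeof SAMPLE_RESPONSE)
/* Constructed malformed inputs: a label claiming 40 bytes where 5 follow,
 * and a pointer that refers to itself. */
static const uint8_t TRUNCATED_LABEL[] = { 40, 'a', 'b', 'c', 'd', 'e' };
static const uint8_t POINTER_LOOP[]    = { 0xC0, 0x00 };

/* Decode with an output buffer of `out_size` (capped at 256) and compare
 * against `expected`; returns the decoder's result, or -2 on mismatch. */
int decode_into(const uint8_t *msg, size_t msg_len, size_t off,
                size_t out_size, const char *expected)
{
    char buf[256];
    int rc = dns_decode_name(msg, msg_len, off, buf,
                             out_size > sizeof buf ? sizeof buf : out_size);
    if (rc < 0)
        return rc;
    return strcmp(buf, expected) == 0 ? rc : -2;
}

int main(void)
{
    printf("answer name ok: %d\n", decode_into(SAMPLE_RESPONSE, SAMPLE_RESPONSE_LEN, 29, 256, "example.com"));
    printf("truncated label: %d\n", decode_into(TRUNCATED_LABEL, sizeof TRUNCATED_LABEL, 0, 256, ""));
    return 0;
}
```

The three rejections in the test inputs (label longer than the remaining message, pointer that does not go backwards, output buffer too small) are exactly the conditions a parser that trusts the length bytes would turn into an out-of-bounds read or write.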

Finally, another security vulnerability that was disclosed was in the GNU Guix distribution and is related to the specific way suid-root files are placed in the /run/setuid-programs directory.

Most of the programs in this directory were shipped with both the setuid-root and the setgid-root flags, even though they were not designed to work as setgid-root, which could potentially be used to escalate privileges on the system.

In other words, most of these programs are designed to run as setuid-root, but not as setgid-root. This configuration therefore introduced a risk of privilege escalation (Guix users on "foreign distributions" are not affected).
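The Guix issue is a permissions audit question: which files in a setuid directory carry the setgid bit as well, when only setuid was intended? The added example below, which is not Guix's code, walks a directory through an open descriptor and reports every regular file that has both bits set; the constructed scenario builds two files under /tmp, one setuid-only and one setuid+setgid, and expects only the second to be flagged. The helper names (count_setuid_setgid, demo_audit) and the scratch files are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical audit helper (not part of Guix): count the regular files in
 * `dir` that carry both the setuid and the setgid bit, printing each one.
 * A program designed to run setuid-root only should not also be
 * setgid-root. Returns the count, or -1 if the directory cannot be read.
 */
int count_setuid_setgid(const char *dir)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    DIR *d = fdopendir(dfd);
    if (d == NULL) {
        close(dfd);
        return -1;
    }
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        /* Stat relative to the directory descriptor, without following symlinks. */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0 ||
            !S_ISREG(st.st_mode))
            continue;
        if ((st.st_mode & S_ISUID) && (st.st_mode & S_ISGID)) {
            printf("%s/%s: mode %04o uid %u gid %u (setuid+setgid)\n",
                   dir, e->d_name, (unsigned)(st.st_mode & 07777),
                   (unsigned)st.st_uid, (unsigned)st.st_gid);
            found++;
        }
    }
    closedir(d);  /* also closes dfd */
    return found;
}

/*
 * Constructed scenario: a scratch directory with one setuid-only file (the
 * intended configuration) and one setuid+setgid file (the misconfiguration
 * described above). Returns the audit count, expected to be 1.
 */
int demo_audit(void)
{
    char dir[] = "/tmp/setuid-audit-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char only_suid[64], both[64];
    snprintf(only_suid, sizeof only_suid, "%s/intended", dir);
    snprintf(both, sizeof both, "%s/misconfigured", dir);

    int result = -1;
    int f1 = open(only_suid, O_WRONLY | O_CREAT | O_EXCL, 0755);
    int f2 = open(both, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (f1 >= 0 && f2 >= 0 &&
        fchmod(f1, S_ISUID | 0755) == 0 &&
        fchmod(f2, S_ISUID | S_ISGID | 0755) == 0)
        result = count_setuid_setgid(dir);
    if (f1 >= 0) close(f1);
    if (f2 >= 0) close(f2);
    unlink(only_suid);
    unlink(both);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("files with setuid+setgid in scratch dir: %d\n", demo_audit());
    return 0;
}
```

On a real system the same function can be pointed at the directory named in the advisory; the printed uid and gid show whether the flagged files are root-owned, which is what makes the extra setgid bit a privilege problem.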

This bug has been fixed and users are encouraged to update their systems.

No exploitation of this problem is known to date.

Finally, if you are interested in learning more about the vulnerabilities mentioned, you can check the details in the following links.

Firejail, ConnMan and GNU Guix
