Bubblewrap 0.6 arrives with Meson support and more

The new version of the sandboxing tool Bubblewrap, 0.6, was recently released. It brings some important changes, such as support for building with Meson, partial support for the REUSE specification, and a few other changes.

For those who do not know Bubblewrap, it is a tool commonly used to confine individual applications run by unprivileged users. In practice, the Flatpak project uses Bubblewrap as the layer that isolates applications launched from packages.

For isolation, the traditional Linux container virtualization technologies are used, based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root privileges (an executable file with the suid flag), followed by a privilege reset once the container has been initialized.

About Bubblewrap

Bubblewrap is positioned as a limited suid implementation of a subset of the user namespace functions. To exclude all user and process identifiers from the environment except the current one, it uses the CLONE_NEWUSER and CLONE_NEWPID modes.

For additional protection, programs running in Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits gaining new privileges, for example through the setuid flag.

Isolation at the file system level is done by creating, by default, a new mount namespace in which an empty root partition is created using tmpfs.

If necessary, external FS partitions are attached to this partition in "mount --bind" mode (for example, when started with the option "bwrap --ro-bind /usr /usr", the /usr partition is forwarded from the host in read-only mode).

Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features. All the advanced functions needed to launch graphical applications, interact with the desktop, and filter calls to Pulseaudio are moved to the Flatpak side and run after privileges have been reset.

Main new features of Bubblewrap 0.6

In this new version of Bubblewrap 0.6, the highlight is the added support for the Meson build system. Support for building with Autotools is kept for now, but it is planned to be removed in favor of Meson in a following release.

Another new feature in Bubblewrap 0.6 is the implementation of the "--add-seccomp" option to add more than one seccomp program. A warning was also added that if the "--seccomp" option is specified again, only the last option will be applied.

It is also noted that partial support for the REUSE specification was added, which unifies the process of specifying license and copyright information.

In addition, SPDX-License-Identifier headers were added to many code files. Following the REUSE guidelines makes it easy to determine automatically which license applies to which parts of the application code.

On the other hand, a check of the command line argument counter (argc) was added, with an emergency exit implemented if the counter is zero. The change makes it possible to block security problems caused by incorrect handling of passed command line arguments, such as CVE-2021-4034 in Polkit.
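The argument-count check described above, sketched as an added example (not bubblewrap's own code): a small parser that exits before touching argv when argc is zero, bounds every operand read by argc, and keeps only the last "--seccomp" value. The struct opts layout, the parse_args name and the operand shapes ("--ro-bind SRC DEST", "--seccomp FD") are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical result structure for this example (not bubblewrap's own). */
struct opts {
    const char *ro_src, *ro_dest; /* last --ro-bind SRC DEST pair */
    int seccomp_fd;               /* -1 when --seccomp was not given */
    int seccomp_discarded;        /* earlier --seccomp values that were overridden */
    int cmd_index;                /* first non-option argument, or argc */
};

/* Returns 0 on success, -1 on malformed input; never reads argv[i] with i >= argc. */
int parse_args(int argc, char **argv, struct opts *o) {
    /* argc == 0: argv[0] is the NULL terminator, nothing after it is an argument. */
    if (argc <= 0 || argv == NULL || argv[0] == NULL)
        return -1;
    memset(o, 0, sizeof *o);
    o->seccomp_fd = -1;
    int i = 1;
    while (i < argc && argv[i] != NULL && strncmp(argv[i], "--", 2) == 0) {
        if (strcmp(argv[i], "--ro-bind") == 0 && argc - i >= 3) {
            o->ro_src = argv[i + 1];
            o->ro_dest = argv[i + 2];
            i += 3;
        } else if (strcmp(argv[i], "--seccomp") == 0 && argc - i >= 2) {
            char *end;
            long fd = strtol(argv[i + 1], &end, 10);
            if (end == argv[i + 1] || *end != '\0' || fd < 0 || fd > INT_MAX)
                return -1;
            if (o->seccomp_fd != -1) o->seccomp_discarded++; /* only the last is kept */
            o->seccomp_fd = (int)fd;
            i += 2;
        } else {
            return -1; /* unknown option or missing operand */
        }
    }
    o->cmd_index = i;
    return 0;
}

int main(int argc, char **argv) {
    struct opts o;
    if (parse_args(argc, argv, &o) != 0)
        return 1; /* emergency exit, including the argc == 0 case */
    if (o.seccomp_discarded > 0)
        fputs("warning: --seccomp repeated, only the last one is used\n", stderr);
    return 0;
}
```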

Other changes that stand out in this new version:

  • The master branch in the git repository was renamed to main
  • The old CI integration was removed
  • bash is now used via PATH for better compatibility with non-FHS operating systems

Finally, if you are interested in knowing a little more about this new version, you can check the details in the following link.

