A vulnerability was found in Firejail that allowed root access to the system

News recently broke of a vulnerability (already catalogued as CVE-2022-31214) in the Firejail application sandboxing tool. The reported flaw could allow a local user to become root on the host system.

Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf) to isolate applications, but it needs elevated privileges to set up the isolated environment, which it obtains either by being installed with the suid root bit set or by being run through sudo.

The vulnerability is caused by a flaw in the logic of the `--join=` option, which is designed to connect to an already running isolated environment (comparable to a login command for a sandbox), the environment being identified by the ID of a process running inside it. In the phase before privileges are dropped, firejail determines the privileges of the specified process and applies them to the new process that joins the environment through the `--join` option.

Before joining, it checks whether the specified process is really running in a firejail environment. This check boils down to testing for the existence of the /run/firejail/mnt/join file. To exploit the flaw, an attacker can fake a non-isolated firejail environment using a mount namespace and then connect to it with the `--join` option.

If the configuration does not enable the mode that forbids new processes from acquiring additional privileges (prctl NO_NEW_PRIVS), firejail will attach the user to the fake environment and attempt to apply the user identifier settings (user namespace) of the init process (PID 1).

Most of the logic behind the join function lives in the source file `src/firejail/join.c`. The critical sections of that code run with elevated privileges (effective UID 0). The process ID passed as a command line argument is inspected to determine whether it is a container and to discover some of its properties, which are then also applied to the new process that joins it.

The main criterion for deciding whether the join to the target process goes ahead is the presence of a file in the target's mount namespace, located at /run/firejail/mnt/join. This check is performed in the `is_ready_for_join()` function. The file is opened with the `O_RDONLY|O_CLOEXEC` flags and the result of `fstat()` must satisfy the following requirements:

- the file must be a regular file;
- the file must be owned by user ID 0 (as seen from the initial user namespace);
- the file must be exactly 1 byte in size.

As a result, a process joined via `firejail --join` ends up in the original user namespace with its privileges unchanged, but in a different mount namespace that is fully under the attacker's control.

The "joined" shell stays in the original user namespace and keeps the ordinary privileges of the original user, but the mount namespace is the one controlled by the attacker. Since the nonewprivs setting has not been applied, the attacker can now run setuid-root programs inside that mount namespace.

In particular, an attacker can run setuid-root programs in the mount namespace they created, which lets them, for example, alter the /etc/sudoers configuration or the PAM settings within that file hierarchy and so gain the ability to run commands as root through sudo or su.

Finally, it is worth noting that a working exploit was developed and tested on current versions of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed.

The problem was fixed in firejail version 0.9.70. As a security workaround, you can set "join no" and "force-nonewprivs yes" in the configuration file (/etc/firejail/firejail.config).
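As an added example (not code from the article or from the Firejail project), here is a small Python audit that parses a firejail.config and reports whether the two workaround settings above are in place, and whether the installed version already contains the fix. The one-`key value`-per-line syntax with `#` comments, and the `join yes` / `force-nonewprivs no` defaults assumed when a key is absent, are assumptions about the file format.

```python
"""Audit firejail.config for the CVE-2022-31214 workaround settings."""
import re
from typing import Dict, List, Tuple

FIXED_VERSION: Tuple[int, ...] = (0, 9, 70)  # release that fixed the bug

# Constructed sample configs (not real files from any system).
SAMPLE_UNSAFE = """\
# Firejail configuration file (constructed sample)
# Enable or disable --join support
join yes

# Force --nonewprivs on every sandbox
force-nonewprivs no
"""

SAMPLE_SAFE = """\
join no               # workaround: disable --join entirely
force-nonewprivs yes  # workaround: always set NO_NEW_PRIVS
"""


def parse_firejail_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' starts a comment. Later keys override."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.strip()] = value.strip()
    return settings


def check_join_hardening(settings: Dict[str, str]) -> List[str]:
    """Return a finding per missing workaround setting (empty == hardened).

    Assumed defaults when a key is absent: join=yes, force-nonewprivs=no.
    """
    findings: List[str] = []
    if settings.get("join", "yes").lower() != "no":
        findings.append("join is enabled; set 'join no' until firejail >= 0.9.70")
    if settings.get("force-nonewprivs", "no").lower() != "yes":
        findings.append("NO_NEW_PRIVS not forced; set 'force-nonewprivs yes'")
    return findings


def version_is_fixed(version: str) -> bool:
    """True when a 'X.Y.Z' version string is at or above the fixing release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised firejail version: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


def audit(config_text: str, installed_version: str) -> List[str]:
    """Findings for one host: none if the fixed release is installed."""
    if version_is_fixed(installed_version):
        return []
    return check_join_hardening(parse_firejail_config(config_text))


if __name__ == "__main__":
    for issue in audit(SAMPLE_UNSAFE, "0.9.68"):
        print("FINDING:", issue)
```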

Finally, if you are interested in learning more about it, you can check the details at the following link.
