Vulnerabilities identified in Firejail, ConnMan and GNU Guix

A few days ago, news broke of the discovery of several vulnerabilities rated as dangerous in Firejail, ConnMan and GNU Guix. The first is a vulnerability identified in the sandboxed application launcher Firejail (CVE-2021-26910), which allows privilege escalation to the root user.

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation on Linux, but it needs elevated privileges to set up the isolated launch, which it obtains either by being installed with the setuid root flag or by being run through sudo.

The vulnerability is caused by a bug in the code that supports the OverlayFS file system, which is used to create an additional layer on top of the main file system to hold the changes made by the isolated process. The isolated process gets read access to the main file system, while all write operations are redirected to temporary storage and do not affect the real main file system.

By default, the OverlayFS partitions are placed in the user's home directory, for example under "/home/test/.firejail/[name]", while the owner of these directories is set to root so that the current user cannot change their contents directly.

When setting up the sandbox, Firejail checks that the root of the temporary OverlayFS partition cannot be modified by an unprivileged user. The vulnerability is a race condition: the operations are not performed atomically, and there is a short window between the check and the mount that allows the root directory to be replaced.

With write access to the .firejail directory, the OverlayFS mount points can be overridden with a symbolic link and any file on the system can be modified. The researcher has prepared a working exploit prototype, which will be published one week after the fix is released. The problem has been present since version 0.9.30. In version 0.9.64.4 the vulnerability was closed by disabling OverlayFS support.
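The following is an added example, not Firejail's code, illustrating the design flaw described above: a check performed on a path, followed by a separate use of that same path, leaves a window in which the directory can be swapped, whereas a check performed on the descriptor that has already been opened verifies exactly the object that is later used. The directory layout (a real directory and a symlink to it) is constructed inside a temporary directory; the uid values come from the running process.

```python
"""Path-based check vs. descriptor-based check for a sandbox root directory.

Added example; this is not Firejail's code. It models the kind of
ownership/permission check described in the article and contrasts a check
that inspects a path (leaving a window between check and use) with one that
inspects the directory it has already opened.
"""
import os
import stat
import tempfile
from typing import Optional

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def verify_dir_by_path(path: str, owner_uid: int) -> bool:
    """Check-then-use pattern: the caller will resolve `path` again later.

    os.stat() follows symbolic links, and the directory behind `path` can be
    swapped for another one between this check and the later use.
    """
    st = os.stat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == owner_uid
            and not st.st_mode & WRITABLE_BY_OTHERS)


def open_verified_dir(path: str, owner_uid: int) -> Optional[int]:
    """Open first, then verify the object that was actually opened.

    O_NOFOLLOW rejects a symbolic link as the final path component and
    O_DIRECTORY rejects anything that is not a directory. Later operations
    are performed relative to the returned descriptor (dir_fd= / *at calls),
    so the checked object and the used object are the same inode.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError:
        return None
    st = os.fstat(fd)   # inspects the opened object, not the path string
    if st.st_uid != owner_uid or st.st_mode & WRITABLE_BY_OTHERS:
        os.close(fd)
        return None
    return fd


def demo() -> dict:
    """Constructed layout: a real directory plus a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as base:
        real = os.path.join(base, "real")
        os.mkdir(real, 0o700)
        link = os.path.join(base, "link")
        os.symlink(real, link)
        me = os.getuid()

        fd = open_verified_dir(real, me)
        fd_ok = fd is not None
        if fd_ok:
            os.close(fd)

        return {
            # the path check cannot tell a symlink from the directory itself
            "path_check_accepts_real": verify_dir_by_path(real, me),
            "path_check_accepts_link": verify_dir_by_path(link, me),
            # the descriptor check accepts the real directory only
            "fd_check_accepts_real": fd_ok,
            "fd_check_rejects_link": open_verified_dir(link, me) is None,
            "fd_check_rejects_wrong_owner": open_verified_dir(real, me + 1) is None,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second function is not the extra flags by themselves but that every decision is taken on the open descriptor, and the descriptor is what the caller keeps using; nothing re-resolves the path after the check.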

As an alternative way to block the vulnerability, OverlayFS can be disabled by adding the "overlayfs" parameter with the value "no" to /etc/firejail/firejail.config.
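The following added example (not part of the article or of Firejail) turns the two facts above, the affected version range and the configuration switch, into an offline check. The configuration excerpt and the version string are constructed samples standing in for /etc/firejail/firejail.config and the output of `firejail --version`; the `key value` line layout with `#` comments is assumed from that file.

```python
"""Offline exposure check for the Firejail OverlayFS issue.

Added example; not Firejail's code. The config text and version output
below are constructed samples, not copied from a real system.
"""
import re
from typing import Dict, Tuple

FIRST_AFFECTED = (0, 9, 30)      # bug present since 0.9.30
FIRST_FIXED = (0, 9, 64, 4)      # OverlayFS support disabled in 0.9.64.4

# Constructed samples (assumed layout: `key value`, `#` starts a comment).
SAMPLE_DEFAULT_CONFIG = """\
# Enable or disable overlayfs features (commented out = built-in default)
# overlayfs yes
# An unrelated key, kept to show that other settings are ignored
xephyr-screen 800x600
"""
SAMPLE_HARDENED_CONFIG = SAMPLE_DEFAULT_CONFIG + "overlayfs no\n"
SAMPLE_VERSION_OUTPUT = "firejail version 0.9.62\n"


def parse_config(text: str) -> Dict[str, str]:
    """Return key -> value for uncommented `key value` lines; later lines win."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def overlayfs_enabled(config_text: str) -> bool:
    """OverlayFS stays on unless the config explicitly says `overlayfs no`."""
    return parse_config(config_text).get("overlayfs", "yes").lower() != "no"


def parse_version(version_output: str) -> Tuple[int, ...]:
    """Extract a comparable tuple from `firejail version X.Y.Z[.W]`."""
    m = re.search(r"(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(p) for p in m.group(1).split("."))


def version_in_affected_range(version: Tuple[int, ...]) -> bool:
    """True for 0.9.30 <= version < 0.9.64.4 (tuple comparison is lexicographic)."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def exposure(version_output: str, config_text: str) -> str:
    """Classify a host as 'not-affected', 'mitigated' or 'exposed'."""
    if not version_in_affected_range(parse_version(version_output)):
        return "not-affected"
    return "exposed" if overlayfs_enabled(config_text) else "mitigated"


if __name__ == "__main__":
    print("default config :", exposure(SAMPLE_VERSION_OUTPUT, SAMPLE_DEFAULT_CONFIG))
    print("hardened config:", exposure(SAMPLE_VERSION_OUTPUT, SAMPLE_HARDENED_CONFIG))
```

On a real host the two inputs would be the output of `firejail --version` and the contents of /etc/firejail/firejail.config; a packaged build with a backported fix would need the package changelog checked as well, since the version number alone would then mislead this check.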

The second vulnerability identified (CVE-2021-26675) was in the ConnMan network configurator, which is widely used in embedded Linux systems and IoT devices. The vulnerability could allow remote execution of attacker-supplied code.

The problem is a buffer overflow in the dnsproxy code, and it can be exploited by returning specially crafted responses from the DNS server to which the DNS proxy is configured to forward traffic. Tesla, which uses ConnMan, reported the problem. The vulnerability was fixed in the ConnMan 1.39 release yesterday.
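The following is an added example and is neither ConnMan's code nor a reconstruction of the dnsproxy bug, whose details the article does not give. It shows the parsing discipline a forwarding proxy needs when it consumes answers from an upstream server it does not control: every label length, compression pointer and record length is validated against the packet size before it is used to index the buffer. The three packets are constructed.

```python
"""Bounds-checked decoding of DNS response packets.

Added example; not ConnMan's code. All packets below are constructed.
"""
import struct

MAX_NAME = 255      # RFC 1035 limit on a wire-format name
MAX_LABEL = 63


class MalformedResponse(ValueError):
    pass


def read_name(pkt: bytes, offset: int):
    """Return (name, next_offset); raise MalformedResponse on any out-of-bounds read."""
    labels, total, hops, end = [], 0, 0, None
    while True:
        if offset >= len(pkt):
            raise MalformedResponse("name runs past end of packet")
        length = pkt[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer
            if offset + 1 >= len(pkt):
                raise MalformedResponse("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if target >= offset:                  # only backward pointers are legal
                raise MalformedResponse("forward or self-referencing pointer")
            hops += 1
            if hops > 16:                         # belt-and-braces loop guard
                raise MalformedResponse("too many compression hops")
            if end is None:
                end = offset + 2                  # name ends after the first pointer
            offset = target
            continue
        if length > MAX_LABEL or offset + 1 + length > len(pkt):
            raise MalformedResponse("label length exceeds packet")
        total += length + 1
        if total > MAX_NAME:
            raise MalformedResponse("name exceeds 255 bytes")
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(pkt: bytes) -> dict:
    """Decode header, questions and answers, checking every length first."""
    if len(pkt) < 12:
        raise MalformedResponse("short header")
    ident, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise MalformedResponse("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise MalformedResponse("truncated answer header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):                # rdlength is attacker-controlled
            raise MalformedResponse("rdlength exceeds packet")
        answers.append((name, rtype, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return {"id": ident, "questions": questions, "answers": answers}


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_response(pkt)
        return True
    except MalformedResponse:
        return False


# Constructed packets: a valid A answer, an over-long label, a self-pointing name.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
GOOD = (HEADER + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
CRAFTED_OVERLONG = HEADER + b"\x3fexa"
CRAFTED_LOOP = HEADER + b"\xc0\x0c"
```

A fixed-size name buffer filled by a loop that trusts the length bytes is the classic shape of this bug class; the parser above refuses the packet instead of copying past the end.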

Finally, another security vulnerability that was disclosed affects the GNU Guix distribution and is related to the way setuid-root files are placed in the /run/setuid-programs directory.

Most of the programs in this directory were shipped with both the setuid-root and the setgid-root flags, but they were not designed to run as setgid-root, which could be used to escalate privileges on the system.

In other words, most of these programs are designed to run as setuid-root, but not as setgid-root. This configuration therefore posed a risk of local privilege escalation (users of Guix on a "foreign distro" are not affected).
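As an added example (not Guix's tooling), the following audit lists the privileged mode bits on each file in a directory, so that a program carrying setgid-root in addition to setuid-root stands out. The directory name defaults to the /run/setuid-programs path named above; the mode and ownership values used in the self-check are constructed so the logic can be exercised without root.

```python
"""Audit which executables carry setuid-root and/or setgid-root bits.

Added example, not Guix's code. Constructed stat values are used for the
self-check; audit_dir() walks a real directory when given one.
"""
import os
import stat
import tempfile
from typing import List, Tuple

DEFAULT_DIR = "/run/setuid-programs"   # path from the advisory


def classify(mode: int, uid: int, gid: int) -> List[str]:
    """Name the privileged bits on one file (empty list = nothing special)."""
    found = []
    if mode & stat.S_ISUID and uid == 0:
        found.append("setuid-root")
    if mode & stat.S_ISGID and gid == 0:
        found.append("setgid-root")
    return found


def needs_attention(bits: List[str]) -> bool:
    """The Guix issue: a program meant for setuid-root only, but also setgid-root."""
    return "setuid-root" in bits and "setgid-root" in bits


def audit_dir(directory: str = DEFAULT_DIR) -> List[Tuple[str, List[str]]]:
    """Return (path, bits) for every regular file carrying a root-owned bit."""
    results = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        st = os.lstat(path)                 # lstat: symlinks carry no useful bits
        if not stat.S_ISREG(st.st_mode):
            continue
        bits = classify(st.st_mode, st.st_uid, st.st_gid)
        if bits:
            results.append((path, bits))
    return results


def self_check() -> List[Tuple[str, List[str]]]:
    """Constructed directory with one ordinary file: nothing should be reported."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "plain"), "w") as f:
            f.write("not privileged\n")
        return audit_dir(d)


if __name__ == "__main__":
    for path, bits in audit_dir():
        flag = "  <-- setuid+setgid root" if needs_attention(bits) else ""
        print(f"{path}: {', '.join(bits)}{flag}")
```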

The bug has been fixed, and users are encouraged to update their systems.

No exploits for this problem are known at this time.

Finally, if you are interested in learning more about these vulnerabilities, you can consult the details in the following links:

Firejail, ConnMan and GNU Guix

