Bubblewrap, a tool for running applications in isolated environments

Bubblewrap is a tool for organizing sandboxed execution on Linux that runs at the application level for unprivileged users. In practice, Bubblewrap is used by the Flatpak project as an intermediate layer to isolate applications launched from software packages.

For isolation, it uses the traditional Linux container virtualization technologies based on cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root privileges (an executable file with the suid flag) and then resets those privileges once the container has been initialized.

User namespaces, which let a container use its own separate set of ids, do not need to be enabled on the system, since they are disabled by default in many distributions.

About Bubblewrap

Bubblewrap is positioned as a limited suid implementation of a subset of user namespace functionality: to exclude all user and process ids from the environment except the current one, it uses the CLONE_NEWUSER and CLONE_NEWPID modes.

For additional protection, programs run under Bubblewrap are started in PR_SET_NO_NEW_PRIVS mode, which prohibits gaining new privileges, for example through the setuid flag.

Isolation at the filesystem level is done by creating, by default, a new mount namespace in which an empty root partition is created using tmpfs.

If necessary, external filesystem sections are attached to this partition in "mount --bind" mode (for example, when started with the option "bwrap --ro-bind /usr /usr", the /usr section is forwarded from the host in read-only mode).

Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The key difference from the similar Firejail project, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features, while all the advanced functions needed to launch graphical applications, interact with the desktop and filter calls to Pulseaudio are moved to the Flatpak side and run after privileges have been reset.

Firejail, on the other hand, combines all the related functions in a single executable file, which complicates auditing and keeping security at the proper level.

Bubblewrap works by creating an empty mount namespace on a temporary filesystem that is destroyed once the sandboxed process has finished.

Using command-line switches, the user can build the desired filesystem environment inside the mount namespace by bind-mounting the desired directories from the host system.
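
The sandbox layout described above (empty tmpfs root, read-only bind of /usr, separate PID, network and UTS namespaces) written out as a bwrap command line. This is an added example, not code from the Bubblewrap project; the helper names sandbox_args and sandbox_run are hypothetical and the directory list assumes a conventional Linux layout.

```shell
#!/bin/sh
# Added example, not Bubblewrap project code. Helper names are hypothetical.

# Print bwrap options, one argument per line, for a minimal sandbox:
# empty tmpfs root (bwrap's default), read-only /usr, fresh /proc, /dev, /tmp.
sandbox_args() {
    printf '%s\n' --ro-bind /usr /usr
    # Merged-/usr hosts have /bin, /lib, ... as symlinks: recreate the link.
    # Otherwise expose the real directory read-only.
    for d in bin sbin lib lib64; do
        if [ -L "/$d" ]; then
            printf '%s\n' --symlink "$(readlink "/$d")" "/$d"
        elif [ -d "/$d" ]; then
            printf '%s\n' --ro-bind "/$d" "/$d"
        fi
    done
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
    # New PID, network (loopback only) and UTS namespaces.
    printf '%s\n' --unshare-pid --unshare-net --unshare-uts
    # Kill the sandbox with its parent; detach from the controlling terminal.
    printf '%s\n' --die-with-parent --new-session
}

# Run a command inside that sandbox, e.g.: sandbox_run ls /
sandbox_run() {
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not found" >&2; return 127; }
    _ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines only
    set -- $(sandbox_args) "$@"
    set +f
    IFS=$_ifs
    bwrap "$@"
}
```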

Bubblewrap 0.4.0

Bubblewrap is currently at version 0.4.0, which was recently released. The project's code is written in C and distributed under the LGPLv2+ license.

The new version is notable for adding support for joining existing user namespaces and process (pid) namespaces.

The flags "--userns", "--userns2" and "--pidns" have been added to control the joining of namespaces.

This feature does not work in setuid mode and requires a separate mode that can work without root privileges, but it needs user namespaces to be enabled on the system (disabled by default on Debian and RHEL/CentOS) and does not rule out the exploitation of potentially remaining vulnerabilities around the "user namespaces" restrictions.

Among the other new features of Bubblewrap 0.4, the ability to build with the musl C library instead of glibc is noted, as well as support for saving namespace information to a statistics file in JSON format.

The Bubblewrap code, along with its documentation, can be consulted on GitHub; the link is this.

