Vulnerability found in Firejail that allows root access on the system

News recently broke that a vulnerability (already tracked as CVE-2022-31214) was identified in the Firejail application sandboxing tool. The flaw, it is explained, can allow a local user to become root on the host system.

Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation, but it needs elevated privileges to set up the isolated launch, which it obtains through the suid root bit or capabilities.

The vulnerability stems from a logic error in the "--join=" option, which is meant to join an already running isolated environment (similar to a login command for a sandbox), with the environment identified by the ID of a process running inside it. In the pre-launch phase, firejail determines the privileges of the specified process and applies them to the new process that joins the environment with "--join".

Before joining, it checks that the specified process is running inside a firejail environment. This check tests for the existence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can fake a non-isolated firejail environment using a mount namespace and then connect to it with the "--join" option.

If the configuration does not enable the mode that forbids acquiring additional privileges in new processes (prctl NO_NEW_PRIVS), firejail connects the user to the dummy environment and tries to apply the user ID namespace settings of the init process (PID 1).

Most of the logic behind the join operation lives in the source file `src/firejail/join.c`. The critical parts of that code run with elevated privileges (effective UID 0). The process ID passed as a command-line argument is inspected to determine whether it is a container and to read some of its properties, which are then also applied to the new joining process.

The main criterion for deciding whether joining the target process succeeds is the existence of a file in the target process's mount namespace, found at /run/firejail/mnt/join. This check is performed in the function `is_ready_for_join()`. The file is opened with the `O_RDONLY|O_CLOEXEC` flags, and the result of `fstat()` must satisfy the following requirements:

- the file must be a regular file;
- the file must be owned by user ID 0 (as seen from the initial user namespace);
- the file must be 1 byte in size.

As a result, a process connected with "firejail --join" ends up in the original user ID namespace with unchanged privileges, but in a different mount namespace that is fully controlled by the attacker.

The resulting "joined" shell remains in the original user namespace, still holding the regular user's normal privileges, yet its mount namespace is the one controlled by the attacker. Provided the nonewprivs setting has not been applied, the attacker can now run setuid-root programs inside this mount namespace.

Specifically, the attacker can run setuid-root programs in the mount namespace they created, which allows, for example, changing the /etc/sudoers settings or PAM parameters within their own file hierarchy and thereby gaining the ability to run commands as root through sudo or related utilities.

Finally, it is worth mentioning that a working exploit has been developed and tested on current versions of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed.

The issue was fixed in firejail version 0.9.70. As a security workaround, you can set "join no" and "force-nonewprivs yes" in the configuration file (/etc/firejail/firejail.config).
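To check whether a host already carries the workaround described above, here is an added example (not code from the article or from the firejail project): a small POSIX shell audit that reads the two firejail.config keys and compares an installed version against the fixed release. The two config files it creates are constructed samples; on a real system you would point it at /etc/firejail/firejail.config.

```shell
#!/bin/sh
# Added example, not from the article or the firejail project: audit a firejail.config
# for the CVE-2022-31214 workaround ("join no" / "force-nonewprivs yes") and check
# whether a version string is at or past the fixed release, 0.9.70.
# The two config files below are constructed samples; the real one is
# /etc/firejail/firejail.config.

# Effective value of a firejail.config key: lines are "key value", '#' lines are
# comments, and the last uncommented occurrence wins. Prints nothing if unset.
config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }
    ' "$1"
}

# Exit 0 when joining is disabled or nonewprivs is forced, 1 when still exposed.
join_mitigated() {
    [ "$(config_value "$1" join)" = "no" ] && return 0
    [ "$(config_value "$1" force-nonewprivs)" = "yes" ] && return 0
    return 1
}

# Exit 0 when a plain major.minor.patch version (numeric parts assumed) is >= 0.9.70.
version_fixed() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ "${1:-0}" -gt 0 ] && return 0
    [ "${2:-0}" -gt 9 ] && return 0
    [ "${3:-0}" -ge 70 ] && return 0
    return 1
}

# Constructed samples: shipped defaults keep join enabled; the hardened one sets both knobs.
EXPOSED_CFG=$(mktemp)
printf '%s\n' '# join yes' '# force-nonewprivs no' > "$EXPOSED_CFG"
HARDENED_CFG=$(mktemp)
printf '%s\n' '# join yes' 'join no' 'force-nonewprivs yes' > "$HARDENED_CFG"

for cfg in "$EXPOSED_CFG" "$HARDENED_CFG"; do
    if join_mitigated "$cfg"; then echo "$cfg: --join workaround present"
    else echo "$cfg: --join still reachable; upgrade to 0.9.70 or apply the workaround"; fi
done
```

The version check only reasons about the upstream version number; distribution packages that backport the fix keep their older version string, so treat that result as a hint rather than a verdict.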

Finally, if you are interested in learning more about it, you can check the details at the following link.
