Dangerous vulnerabilities identified in Firejail, ConnMan and GNU Guix

A few days ago, news broke of the discovery of several vulnerabilities considered dangerous in Firejail, ConnMan and GNU Guix. In the case of the vulnerability identified in the Firejail system for running sandboxed applications (CVE-2021-26910), it allows privilege escalation to the root user.

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) for isolation on Linux, but it requires elevated privileges to set up an isolated launch, which it obtains either by installing the utility with the suid root flag or by running it through sudo.

The vulnerability is caused by a bug in the code supporting the OverlayFS file system, which is used to create an additional layer on top of the main file system to store the changes made by an isolated process. An isolated process is supposed to get read access to the underlying file system, while all write operations are redirected to temporary storage and do not affect the real file system.

By default, the OverlayFS partitions are mounted in the user's home directory, for example inside "/home/test/.

When setting up a sandbox environment, Firejail checks that the root of the temporary OverlayFS partition cannot be modified by an unprivileged user. The vulnerability is caused by a race condition: the operations are not performed atomically and there is a brief window between the check and the mount, which makes it possible to replace the .firejail root directory with a directory to which the current user has write access (since .firejail is created in the user's directory, the user can rename it).

Having write access to the .firejail directory makes it possible to overwrite the OverlayFS mount points with a symbolic link and to change any file on the system. The researcher has prepared a working exploit prototype, which will be published one week after the release of the fix. The problem has been present since version 0.9.30. In version 0.9.64.4, the vulnerability is blocked by disabling OverlayFS support.

As an alternative way to block the vulnerability, you can also disable OverlayFS by adding the "overlayfs" parameter with the value "no" to /etc/firejail/firejail.config.
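As an added example (not from the article or the Firejail project), the following POSIX shell functions audit a host against the two facts the article gives: the affected version range (0.9.30 up to, but not including, 0.9.64.4) and whether the "overlayfs no" setting is present in firejail.config. It assumes the config uses "key value" lines and that versions are dot-separated numbers.

```shell
#!/bin/sh
# Added example: check whether a Firejail install is still exposed to
# CVE-2021-26910 via enabled OverlayFS support. Not Firejail's own code.

# Return 0 if the last effective "overlayfs" setting in $1 is "no".
overlayfs_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Ignore comment lines and trailing comments; the last setting wins.
    val=$(sed -n 's/^[[:space:]]*overlayfs[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    [ "$val" = "no" ]
}

# Return 0 if dotted version $1 is strictly lower than $2 (assumes numeric parts).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# Return 0 if version $1 is inside the range the article reports as affected.
firejail_affected() {
    v="$1"
    version_lt "$v" 0.9.30 && return 1
    version_lt "$v" 0.9.64.4
}

# Verdict for a version and config path: returns 1 when still exposed.
audit_firejail() {
    ver="$1"; conf="$2"
    if firejail_affected "$ver" && ! overlayfs_disabled "$conf"; then
        echo "vulnerable: firejail $ver with OverlayFS enabled (set 'overlayfs no' in $conf)"
        return 1
    fi
    echo "ok: firejail $ver"
}

# Stand-alone demonstration on a constructed config; no real system files are touched.
tmp=$(mktemp)
printf '# constructed sample config\noverlayfs yes\n' > "$tmp"
audit_firejail 0.9.62 "$tmp" || true      # reports vulnerable
printf 'overlayfs no\n' >> "$tmp"
audit_firejail 0.9.62 "$tmp"              # reports ok
rm -f "$tmp"
```

On a real host you would pass the output of `firejail --version` and the path /etc/firejail/firejail.config from the article.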

The second dangerous vulnerability identified (CVE-2021-26675) was in the ConnMan network configurator, which is widespread in embedded Linux systems and IoT devices. The vulnerability potentially allows remote execution of attacker-supplied code.

The problem is due to a buffer overflow in the dnsproxy code and can be exploited by returning specially crafted responses from the DNS server to which the DNS proxy is configured to redirect traffic. Tesla, which uses ConnMan, reported the problem. The vulnerability was fixed in ConnMan 1.39, released yesterday.

Finally, another disclosed security vulnerability was in the GNU Guix distribution and is related to the peculiarity of placing suid-root files in the /run/setuid-programs directory.

Most of the programs in this directory were shipped with both the setuid-root and setgid-root flags, but they were not designed to run with setgid-root, which could potentially be used to escalate privileges on the system.

In other words, most of these programs are designed to run as setuid-root, but not as setgid-root. This configuration therefore carried the risk of local privilege escalation (Guix users on a "foreign distribution" are not affected).

This bug has been fixed and users are advised to update their system…

No exploits for this problem are known so far.

Finally, if you want to know more about the notes on the reported vulnerabilities, you can check the details at the following links.

Firejail, ConnMan and GNU Guix
