Bubblewrap, a tool for creating applications in isolated environments

Bubblewrap is a tool that organizes sandbox work on Linux and runs at the application level of unprivileged users. In practice, Bubblewrap is used by the Flatpak project as an intermediate layer to isolate applications launched from software packages.

For isolation, Linux uses traditional container virtualization technologies based on the use of cgroups, namespaces, Seccomp and SELinux. To perform the privileged operations needed to set up a container, Bubblewrap is started with root privileges (an executable file with the suid flag), followed by a privilege reset once the container has been initialized.

There is no need to enable user namespaces on the system, which allow you to use your own set of ids in containers, because by default they do not work on many distributions.

About Bubblewrap

Bubblewrap is positioned as a limited suid implementation of a subset of the user namespace functions, which excludes all user and process ids from the environment except the current ones, using the CLONE_NEWUSER and CLONE_NEWPID modes.

For additional protection, programs running in Bubblewrap start in PR_SET_NO_NEW_PRIVS mode, which prohibits gaining new privileges, for example through the setuid flag.
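The behaviour of PR_SET_NO_NEW_PRIVS can be checked directly on any Linux system. The following C program is an added example, not code from Bubblewrap; the function name `probe_no_new_privs` and the `NNP_*` codes are assumptions made for illustration. It verifies that an unprivileged process can set the flag, that the flag cannot be cleared afterwards, and that child processes inherit it.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>

enum { NNP_OK = 0, NNP_SET_FAILED = 1, NNP_NOT_SET = 2,
       NNP_CLEARABLE = 3, NNP_NOT_INHERITED = 4, NNP_INTERNAL = 5 };

/* Wait for pid and return its exit code, or NNP_INTERNAL on abnormal exit. */
static int reap(pid_t pid) {
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return NNP_INTERNAL;
    return WEXITSTATUS(status);
}

/* Hypothetical helper (not part of bubblewrap). The checks run in a forked
 * child so the caller's own flag is left untouched. Returns an NNP_* code. */
int probe_no_new_privs(void) {
    pid_t child = fork();
    if (child == 0) {
        /* 1. Set the flag the way a sandbox launcher does before exec. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(NNP_SET_FAILED);
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) _exit(NNP_NOT_SET);
        /* 2. The flag is one-way: a request to clear it must be refused. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0 ||
            prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) _exit(NNP_CLEARABLE);
        /* 3. Descendants inherit it, so nothing spawned inside the sandbox
         *    can regain privileges by executing a setuid binary. */
        pid_t grandchild = fork();
        if (grandchild == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1
                      ? NNP_OK : NNP_NOT_INHERITED);
        _exit(reap(grandchild));
    }
    return reap(child);
}

int main(void) {
    int rc = probe_no_new_privs();
    printf("no_new_privs probe: %s (code %d)\n",
           rc == NNP_OK ? "ok" : "FAILED", rc);
    return rc;
}
```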

Isolation at the file system level is done by creating a new mount namespace by default, in which an empty root partition is created using tmpfs.

If necessary, external FS sections are attached to this partition with «mount --bind» (for example, when started with the option «bwrap --ro-bind /usr /usr», the /usr section is forwarded from the host in read-only mode).

Network capabilities are limited to access to the loopback interface, with the network stack isolated through the CLONE_NEWNET and CLONE_NEWUTS flags.

The main difference from the similar Firejail project, which also uses a setuid launcher, is that in Bubblewrap the container layer includes only the minimum necessary features, and all the advanced functions needed to launch graphical applications, interact with the desktop and filter calls to Pulseaudio are moved to the Flatpak side and run after privileges have been reset.

Firejail, on the other hand, combines all the related functions in a single executable file, which makes it harder to audit and to keep its security at the proper level.

Bubblewrap basically works by creating an empty mount namespace on a temporary file system that will be destroyed once the sandbox has finished processing.

By using switches, the user can build the desired file system environment inside the mount namespace by bind-mounting the desired directories from the host system.

Bubblewrap 0.4.0

Bubblewrap is currently at version 0.4.0, which was released recently. The project code is written in C and distributed under the LGPLv2+ license.

The new version is notable for implementing support for joining existing user namespaces and processes (pid namespaces).

The flags "--userns", "--userns2" and "--pidns" have been added to control the connection of namespaces.

This feature does not work in setuid mode and requires a separate mode that can work without root privileges, but it requires user namespaces to be enabled on the system (disabled by default on Debian and RHEL/CentOS) and does not exclude the possibility of exploiting potentially remaining vulnerabilities on the edge of the "user namespace restrictions".

As for the new features of Bubblewrap 0.4, it is also possible to build with the musl C library instead of glibc, and there is support for saving namespace information to a statistics file in JSON format.

The Bubblewrap code, as well as its documentation, can be consulted on Github; the link is this.

