Vulnerability found in Firejail lets a local user gain root on the system

News recently broke of a vulnerability (already catalogued as CVE-2022-31214) in Firejail, the application sandboxing tool. The flaw allows an unprivileged local user to obtain root privileges on the host system.

Firejail isolates applications on Linux using namespaces, AppArmor and system-call filtering (seccomp-bpf), but it needs elevated privileges to set up an isolated launch. It obtains them either by being installed with the setuid-root bit or by being started through sudo.

The vulnerability is caused by a flaw in the logic of the "--join" option, which is designed to attach to an already running isolated environment (comparable to a login command for a sandbox); the environment is identified by the ID of a process running inside it. Before the actual launch, firejail determines the privileges of the specified process and applies them to the new process that joins the environment via "--join".

Before attaching, firejail checks whether the specified process really runs inside a firejail environment. That check amounts to verifying the existence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can imitate a fake, non-isolated firejail environment with a mount namespace of their own and then attach to it with the "--join" option.

If the configuration does not enable the mode that forbids new processes from acquiring additional privileges (prctl NO_NEW_PRIVS), firejail attaches the user to the fake environment and tries to apply the user namespace settings of the init process (PID 1), that is, the initial user namespace.

Most of the logic behind the join operation lives in the source file `src/firejail/join.c`. Critical sections of that code run with elevated privileges (effective UID 0). The process ID passed as a command-line argument is checked to determine whether it really belongs to a sandbox, and some of the target's properties are then applied to the new process that joins it.

The main criterion for deciding whether the target process can be joined is the existence of a file in the target's mount namespace, at /run/firejail/mnt/join. This verification is done in the `is_ready_for_join()` function. The file is opened with the `O_RDONLY|O_CLOEXEC` flags and the result of the subsequent `fstat()` must meet the following requirements:

- the file must be a regular file.
- the file must be owned by UID 0 (as seen from the initial user namespace).
- the file must be exactly 1 byte in size.

As a result, a process attached with "firejail --join" ends up in the initial user namespace with its privileges unchanged, but in a separate mount namespace that is fully controlled by the attacker.

The resulting "joined" shell therefore lives in the initial user namespace and keeps the privileges of an ordinary user, while its mount namespace is the one the attacker prepared. Because the nonewprivs setting has not been applied, the attacker can now run setuid-root programs inside that mount namespace.

Concretely, the attacker runs setuid-root programs within the mount namespace they created, which allows them, for example, to supply a modified /etc/sudoers or altered PAM configuration from their own file tree and thereby gain the ability to run commands as root through sudo or a similar setuid utility.

Finally, it is worth mentioning that a working exploit was developed and tested on current versions of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed.

The problem was fixed in firejail version 0.9.70. As a workaround, you can set "join no" and "force-nonewprivs yes" in the configuration file (/etc/firejail/firejail.config).
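The two workaround settings interact with the bug in a specific way: the attack needs "--join" to be permitted and NO_NEW_PRIVS not to be enforced, so either setting alone closes the path. The following added example (our code, not firejail's) audits the text of a firejail.config for both keys. It assumes that an absent or commented-out key keeps the defaults firejail.config documents, "join yes" and "force-nonewprivs no"; the config snippets in it are constructed, not copied from a real system.

```c
/* Added example (ours, not firejail's code): audit the text of
 * /etc/firejail/firejail.config for the two workarounds named above.
 * Assumption: an absent or commented-out key keeps the defaults that
 * firejail.config documents, "join yes" and "force-nonewprivs no". */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct join_audit {
    bool join_allowed;       /* "join yes": --join may be used at all        */
    bool nonewprivs_forced;  /* "force-nonewprivs yes": NO_NEW_PRIVS always  */
};

/* Walk the config line by line; "key value" lines set the two flags,
 * blank lines and '#' comments are ignored. */
struct join_audit audit_firejail_config(const char *text)
{
    struct join_audit a = { .join_allowed = true, .nonewprivs_forced = false };
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 255 ? full : 255;
        char line[256], key[64], val[64];

        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        if (sscanf(line, "%63s %63s", key, val) != 2 || key[0] == '#')
            continue;                 /* blank, comment, or key without value */
        if (strcmp(key, "join") == 0)
            a.join_allowed = strcmp(val, "no") != 0;
        else if (strcmp(key, "force-nonewprivs") == 0)
            a.nonewprivs_forced = strcmp(val, "yes") == 0;
    }
    return a;
}

/* The --join weakness needs joining allowed AND NO_NEW_PRIVS not forced;
 * either workaround setting alone removes that combination. */
bool join_workaround_active(const char *text)
{
    struct join_audit a = audit_firejail_config(text);
    return !a.join_allowed || a.nonewprivs_forced;
}

/* Constructed config snippets standing in for real files. */
const char DEFAULT_CONFIG[] =
    "# Enable or disable the --join option, default yes.\n"
    "# join yes\n"
    "\n"
    "# Force NO_NEW_PRIVS for all sandboxes, default no.\n"
    "# force-nonewprivs no\n";

const char HARDENED_CONFIG[] =
    "join no\n"
    "force-nonewprivs yes\n";

int main(void)
{
    printf("default config mitigated : %d\n", join_workaround_active(DEFAULT_CONFIG));
    printf("hardened config mitigated: %d\n", join_workaround_active(HARDENED_CONFIG));
    return 0;
}
```

Note that the workaround is only that: "join no" removes the feature entirely, and "force-nonewprivs yes" changes the behaviour of every sandbox, so upgrading to 0.9.70 or later remains the actual fix.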

Finally, if you want to know more about it, you can check the details at the following link.
