Indlela yokusebenzisa i-AppArmor ku-Linux futhi uthole izinguquko zesikripthi

Uma usebenza ne-GNU/Linux futhi ukhathazekile ngokuphepha kwezikripthi zakho nezinsizakalo, uzohlangana nazo ngokushesha noma kamuva. I-AppArmor njengengxenye ebalulekile yokulawula lokho inqubo ngayinye engakwenzaAkukhona nje ukuqinisa uhlelo: uma lusetshenziswa kahle, luphinde lukusize ukuthola ukuthi yini eshintsha lapho kungafanele khona, isibonelo kukhodi ye-a iskripthi obucayi.

Emigqeni elandelayo sizobona, ngokuthula kodwa ngokunembile, Iyini i-AppArmor, futhi iqhathaniswa kanjani nezinye izinhlelo ezifana ne-SELinux?, indlela yokuyisebenzisa nokuyiphatha ekusakazweni okuvamile (ikakhulukazi i-Debian ne-Ubuntu), indlela yokudala nokulungisa amaphrofayili akho, futhi ekugcineni, indlela yokusebenzisa konke lokhu kanye namasu alula e-shell ukuze thola izinguquko kukhodi yesikripthi noma iziqondisi ku Linux ngaphandle kwesidingo sokusetha ukuqapha kwesikhathi sangempela.

Iyini i-AppArmor futhi kungani ibalulekile kuma-script akho?

I-AppArmor (Isivikelo Sohlelo Lokusebenza) iyi- indlela yokulawula ukufinyelela okuphoqelekile, noma I-MACkuhlanganiswe ne-kernel ye-Linux ngokusebenzisa isikhombimsebenzisi se-Linux Security Modules (LSM). Esikhundleni sokuthembela kuphela ezimvumeni zakudala zomsebenzisi/zeqembu (imodeli yendabuko ye-DAC), ingeza ungqimba olwengeziwe oluchaza ngokuqinile lokho uhlelo ngalunye olungakwenza.

Empeleni, imibuzo ye-kernel i-AppArmor ngaphambi kokwenza izingcingo ezithile zesistimu (ukuvula amafayela, ukudala amasokhethi, ukusebenzisa amanye ama-binary, ukusebenzisa amakhono athile, njll.) ukunquma ukuthi inqubo yokufaka isicelo igunyaziwe yini ngokuya ngephrofayili yayo yokuphepha. Uma umthetho ukuvumela, kuyasetshenziswa; uma kungenjalo, kuyavinjelwa noma kungene ngemvume, kuye ngokuthi imodi injani.

Iyunithi eyisisekelo ku-AppArmor yi- iphrofayili: isethi yemithetho ehlotshaniswa ne-executable ekhonjwe yindlela yayo ephelele, isibonelo /usr/sbin/sshd o /bin/pingNgokungafani ne-SELinux, Imithetho yephrofayela isebenza ngokulinganayo kubo bonke abasebenzisi abasebenzisa leyo binary; izimvume Unix Ezendabuko zisekhona, kodwa i-AppArmor yenza okungaphezu kwalokho, ichaza kabanzi ububanzi.

Amaphrofayili agcinwa njengamafayela ombhalo ocacile ku- /etc/apparmor.d/ futhi ngokuvamile zilayishwa ku-kernel ngesikhathi ibhuthiniIphrofayili ngayinye ingasebenza kumodi okuqinile (ukuphoqelela)lapho ukwephulwa kwemithetho kuvinjelwa futhi kubhalwe phansi, noma kumodi ukhululekile (ukhononda)lapho zivunyelwe khona kodwa ziqoshwa khona ku- izingodo ukuze uzibuyekeze kamuva.

Ngokomlando, i-AppArmor yasungulwa yi-Novell ngo-2005 futhi yayisetshenziswa kakhulu ku- I-SUSE kanye ne-openSUSEKodwa-ke, i-Canonical iyifake ku-kernel mainline kusukela kunguqulo 2.6.36. Namuhla, ifakiwe ngokuzenzakalelayo ekusatshalalisweni okuningi njenge-Ubuntu kanye ne-derivatives yayo noma i-Debian (inikwe amandla kusukela ku-Debian 10 kuya phambili), kanti ezinye ezifana ne-Fedora noma i-RHEL azikwenzi lokho. Baqhubeka nokuthembela ku-SELinux njengesixazululo sabo esiyinhloko se-MAC.

I-DAC, i-MAC, i-AppArmor kanye ne-SELinux: zihluke kanjani?

Ukuze uqonde ukuthi i-AppArmor iletha ini etafuleni, kuyasiza ukuhlukanisa amamodeli amabili emvume ahlala ndawonye ku-Linux: I-DAC (Ukulawula Ukufinyelela Okungadingekile) kanye ne-MAC (Ukulawula Ukufinyelela Okuphoqelekile)I-DAC yileyo obulokhu uyazi: umnikazi, iqembu, abanye, ama-bits rwxAma-ACL, njll. Umsebenzisi ngamunye angaphatha izimvume zakhe zefayela ngaphakathi kwemikhawulo ethile.

Imodeli ye-MAC, ngakolunye uhlangothi, Akuyona into evunyelwe ngumthethoIzinqumo zokufinyelela zisekelwe ezinqubweni zomhlaba wonke ezichazwe umlawuli futhi ziphoqelelwa uhlelo, kungakhathaliseki ukuthi ubani ongumnikazi wefayela. Yilapho i-AppArmor ne-SELinux zingena khona, zombili zisebenza njenge ukusetshenziswa okubili okuhlukile kwe-MAC ngaphansi kwesixhumi esibonakalayo se-LSMkodwa ngefilosofi ehlukene kakhulu yokusetshenziswa.

I-SELinux isebenzisa amalebula okuphepha (izimo) ahlotshaniswa nezinqubo, amafayela, amasokhethi, njll., futhi yenza izinqumo ngokusekelwe ekuhlanganisweni kwamalebula kanye nezindima, izinhlobo, kanye nolunye ulimi olusetshenziswayo. Lokhu kuyinika amandla ukulawula okunezinhlayiya kakhulu, kodwa futhi nobunzima obukhulu kokubili ukuphatha kanye nokuhlola. I-AppArmor, ngakolunye uhlangothi, isekelwe ku izindlela zamafayelaIphrofayili ihlotshaniswa nendlela ethile ye-executable futhi ichaza ukuthi yiziphi izinsiza ezingasetshenziswa yi-binary.

Lokhu kwenza amaphrofayili e-AppArmor abe njalo kulula ukufunda, ukubhala, nokunakekela kumphathi ojwayelekile. Ngenxa yalokho, okunye ukuguquguquka kwe-SELinux kuyancishwa, okuvumela ukulawula izinhlobo eziningi zokusebenza nezimo. Ekusatshalalisweni okuningi, i-AppArmor isibe inketho ewusizo kakhulu qinisa izinsizakalo ezijwayelekile ngaphandle kokuhlanya nge-syntax.

Ngomongo wezikripthi kanye nokwenza okuzenzakalelayo, i-AppArmor ikuvumela ukuthi ukhawulele lokho iskripthi esithile esingakwenza (isibonelo, ukuthi yiziphi iziqondisi esingazifunda noma sizishintshe, noma ukuthi singavula yini ukuxhumana kwenethiwekhi), futhi ngenxa yemodi yaso yokukhalaza, nayo iyakwazi thola ukufinyelela okungalindelekile ngaphambi kokubavimba.

Izimo ze-AppArmor, amaphrofayili, kanye nokuqapha

Ngaphambi kokusebenzisa i-AppArmor ukuvikela noma yini, kufanele uhlole ukuthi iyasebenza yini ohlelweni lwakho. Ekusabalalisweni kwesimanje njenge-Ubuntu noma i-Debian, ivame ukuhlanganiswa, kodwa Akuwona wonke amaphrofayili ahlala esebenza, futhi awasebenzi kuwo wonke.ngakho-ke kufanelekile ukubheka.

Ukuhlola ngokushesha ukuthi I-AppArmor inikwe amandla, ungasebenzisa:

sudo aa-enabled

Lo myalo uphendula ngokuyisisekelo nge- "Yebo" uma imojuli isebenza noma "Cha" ngaphandle kwalokho (isibonelo, uma i-kernel ingazange iqalwe ngokusekelwa kwe-AppArmor noma isevisi ingalayishwanga).

Uma ufuna ukubona imininingwane yawo wonke amaphrofayela alayishiwe kanye nesimo sawo, umyalo wokhiye es:

sudo aa-status

Okukhiphayo kwe aa-status Ibonisa, phakathi kwezinye izinto, inani lamaphrofayili alayishiwe, ukuthi mangaki akwimodi yokuphoqelela, ukuthi mangaki akwimodi yokukhononda, kanye nohlu lwemizila ehlotshaniswa nayo ngayinye. Lolu lwazi luwusizo kakhulu ekubeni ne- Isithombe esisheshayo sezinga langempela lokuvikela elinikezwa yi-AppArmor emshinini wakho.

Isibonelo, ungase ubone into efana nalokhu:

apparmor module is loaded.
46 profiles are loaded.
44 profiles are in enforce mode.
/snap/bin/evince
/snap/bin/evince/previewer
...
2 profiles are in complain mode.
/snap.code.code
...

Amaphrofayili amaningi akumodi ukuphoqelelaUma inqubomgomo yomhlaba wonke iqinile, izoba ngcono kakhulu. Amaphrofayili akwimodi isikhalazo Abavimbi ukuthengiselana, kodwa babhala phansi konke ukwephulwa, okuwusizo kakhulu kukho Lungisa amaphrofayili ngaphandle kokuphazamisa izinsizakalo noma ukuhlola lokho isicelo esizama ukukwenza.

Ukufaka nokusebenzisa i-AppArmor ku-Debian naku-Ubuntu

Kumamodeli amanje e-Debian kanye ne-Ubuntu, ukwesekwa kwe-AppArmor sekufakiwe kakade ku-kernel ejwayelekile, ngakho-ke Ukuqalisa uhlelo kuyindaba yokufaka amaphakheji adingekayo nokuqinisekisa ukuthi imodyuli iyaqala ebhuthini lesistimu.

apt -y install apparmor apparmor-profiles apparmor-utils

Iphakheji ama-apparmor-utils Inikeza amathuluzi aku-inthanethi e- imiyalo ukuhlola izimo (aa-status), shintsha izindlela zephrofayela (aa-enforce, aa-complain), dala amaphrofayili amasha (aa-genprof), buyekeza izingodo (aa-logprof), njll.

Kwezinye izindawo, kungadingeka futhi phoqa i-kernel ukuthi iqalise nge-AppArmor njengohlelo lwe-LSM olusebenzayo. Indlela ejwayelekile ku-Ubuntu ukwengeza amapharamitha ku-GRUB nge:

perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub
reboot

Ngemva kokuqala kabusha, i-AppArmor kufanele ilayishwe, ongayiqinisekisa ngayo aa-status o apparmor_status (leli lokugcina liyigama elihlukile elivame kakhulu).

Uma udinga ukwandisa iqoqo lamaphrofayela achazwe ngaphambilini agcinwa umphakathi, ungafaka futhi:

apt install apparmor-profiles-extra

Lawa maphrofayili engeziwe amboza inani elihle lezinsizakalo nezinhlelo zokusebenza, eziningi zazo ivezwe kunethiwekhi futhi kuyathakazelisa kakhulu ukuyigcina.

Ukuphathwa kwephrofayela okuyisisekelo: ukuphoqelela, ukukhononda, ukukhubaza, nokulayisha kabusha

Uma usuyisebenzisile i-AppArmor, isihluthulelo ukuphatha amaphrofayili ngendlela efanele. Ifayela ngalinye elingaphakathi /etc/apparmor.d/ Ichaza imithetho yephrofayela, futhi igama layo livame ukuhambisana nendlela esebenzisekayo, ithatha indawo yezinhlayiya ngama-peri. Isibonelo, /etc/apparmor.d/bin.ping yiphrofayili ye-/bin/ping.

Ngokuvamile, akufanele uhlele lawa mafayela ngesandla ukuze ushintshe imodi; yilokho okwenziwa amanye amathuluzi. izinsiza ezithileIsibonelo, ukuphoqa iphrofayili ethile ukuthi ingene imodi eqinile (ukuphoqelela) ungasebenzisa:

sudo aa-enforce /usr/sbin/cupsd

Ngakolunye uhlangothi, uma ufuna ukudala iphrofayela ku- imodi yokuphumula (ukukhononda) Ngenxa yokuthi usola ukuthi kubangela izinkinga noma ufuna ukuyilungisa ngaphandle kokuvimba ithrafikhi, ungenza okulandelayo:

sudo aa-complain /usr/sbin/privoxy

Le miyalo yamukela indlela esebenzisekayo kanye indlela eya kufayela lephrofayelaEqinisweni, uma ufuna ukushintsha imodi yomhlaba wonke yawo wonke amaphrofayili achazwe ku /etc/apparmor.d/Ungagijima:

sudo aa-complain /etc/apparmor.d/*

noma ngakolunye uhlangothi:

sudo aa-enforce /etc/apparmor.d/*

Ezimweni ezimbi kakhulu, ungase ufune khubaza okwesikhashana iphrofayela ethileNgenxa yalokhu kukhona aa-disable:

sudo aa-disable /etc/apparmor.d/usr.sbin.cupsd

Futhi uma okudingayo ukuhlolisisa konke okwenziwa uhlelo lokusebenza, ngisho nalokho okuvame ukuvunyelwa, unemodi yokuhlola ene aa-audit, okwenza zonke izingcingo eziqashwe ziqoshwa ngaphandle kokubavimba.

Uma uguqula iphrofayili ngesandla noma ufuna ukuyilayisha kabusha kusuka kufayela layo, ungasebenzisa apparmor_parser ukulayisha noma ukulayisha kabusha amaphrofayili athile:

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a # cargar
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r # recargar

Futhi uma unesifiso sokulayisha kabusha wonke amaphrofayili asebenzayo ohlelweni, ungasebenzisa iskripthi se-init (noma esilingana naso ku-systemd ekusakazweni kwesimanje):

/etc/init.d/apparmor reload

Hlola futhi uqonde amaphrofayili akhona

Amaphrofayili alayishwe ku-kernel ayisibonakaliso samafayela ahlala ku- /etc/apparmor.d/Ukuze ubhale okuqukethwe kwesikhombisi ungenza:

sudo ls /etc/apparmor.d

Uzobona amagama anjengokuthi usr.sbin.sshd, usr.bin.mannjll. Amaphrofayili amaningi okusatshalaliswa ngokwawo ahlelwe ngama-subdirectory afana nalawa /etc/apparmor.d/localyakhelwe ukuhlukahluka kwendawo ngaphandle kokushintsha iphrofayili eyinhloko.

Uma unesifiso sokwazi futhi ufuna ukubona imithetho yephrofayela ethile, mane nje:

sudo cat /etc/apparmor.d/usr.sbin.sshd

Uma uqala ukubuka, uhlelo lwe-syntax lungase lubonakale lomile kancane, kodwa imigqa eminingi ilula kuchazwe ngamagama alula okusiza ukuqonda injongo yebhulokhi ngayinye. Kunoma ikuphi, uma ungakhululekile nge-syntax, kungcono ukungawahleli lawa mafayela ngesandla bese usebenzisa amathuluzi okukhiqiza nokulungisa asebenzisanayo.

Thola izinqubo ngaphandle kwephrofayela bese ubeka phambili lokho okufanele ukuvalele

Akuzona zonke izinhlelo ohlelweni lwakho ezizoba nephrofayili ehlobene ne-AppArmor. Eqinisweni, eziningi ngeke zibe nayo. Lezo ongase uzivale kuqala ngokuvamile... labo abavezwe kunethiwekhikungaba ngoba zivula amachweba noma ngoba ziphatha idatha engaba yingozi.

I-AppArmor ifaka ithuluzi aa-unconfined Ukubhala izinqubo ezilalele kunethiwekhi kodwa ezingenayo iphrofayili:

aa-unconfined

Uma ungeza ipharamitha --paranoidUsizo luzobonisa zonke izinqubo ezisebenzayo ezigcina okungenani uxhumano olulodwa lwenethiwekhi olusebenzayo futhi azivaliwe:

aa-unconfined --paranoid

Lolu hlu lusebenza njengomhlahlandlela wokukusiza ukuthi unqume ukuthi uzoqala kuphi. Isibonelo, ungathola ukuthi isevisi yewebhu, i-proxy, noma i-daemon yedathabheyisi... Basebenza ngaphandle kwenqubomgomo ye-AppArmorokuyisimemo sokudala iphrofayili ezinikele kubo.

Ukudala amaphrofayili amasha nge-aa-genprof kanye ne-aa-logprof

Ukudala iphrofayela kusukela ekuqaleni kungaba yinto eyesabekayo, kodwa i-AppArmor inikeza amathuluzi "emodi yokufunda" enza umsebenzi ube lula kakhulu. Umqondo ulula: Usebenzisa uhlelo kwimodi yokukhalaza, uluvumele lwenze umsebenzi walo, bese wakha iphrofayili kusuka kumalogi. kukhiqizwe yi-AppArmor.

Ukusetshenziswa okuyinhloko kwalokhu aa-genprof. I-syntax yayo eyisisekelo ithi:

sudo aa-genprof nombre_ejecutable

Isibonelo, ukukhiqiza iphrofayili ye dhclient (iklayenti le-DHCP), ungaqala:

sudo aa-genprof dhclient

Inqubo evamile yokusebenza ifana nalokhu: i-aa-genprof idala iphrofayili yokuqala engenalutho noma evulekile kakhuluIyayilayisha kwimodi yokukhalaza bese ikucela ukuthi uyilayishe, kwenye Isikhumulo, sebenzisa uhlelo lokusebenza ofuna ukulufaka kuphrofayela (kulokhu, qalisa noma uphoqelele ukuthengwa kwe-IP entsha nge-dhclient).

Ngesikhathi uhlelo lusebenza, i-AppArmor ibhala phansi zonke izenzo ebezizovinjelwa kumodi yokuphoqelela. Bese kuthi, uma ubuyela ku-aa-genprof bese ukhetha inketho yokuskena imicimbi, ithuluzi likunikeza uhlu olusebenzisanayo lokwephulwa okutholiwe kanye neziphakamiso zomthetho.

Isibonelo somcimbi wokuqala kungaba ukwenziwa kwesikripthi esisizayo:

Perfil: /usr/sbin/dhclient
Ejecutar: /usr/sbin/dhclient-script
Severity: desconocido
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inalizar

Kusukela lapha, unquma ukuthi wenzeni ngezinqubo zengane: qala iskripthi esinephrofayili efanayo (Ifa), ngephrofayili engaphansi (Ingane), ngephrofayili ezinikele (Iphrofayela/Eqanjwe Igama), ngaphandle kokuzibopha (Akunamingcele) noma ukuvimbela ukuqaliswa kwayo (Yeka).

I-AppArmor iphinde iphathe amandlaokuyizimvume ezikhethekile ze-kernel ezigcinelwe ekuqaleni izimpande (isibonelo, ukusebenzisa amasokhethi angavuthiwe, ukushintsha isikhathi sesistimu, njll.). Ngesikhathi sokubhala iphrofayili, uzobona izinto ezinjengalezi:

Perfil: /usr/sbin/dhclient
Capability: net_raw
Severity: 8
(A)llow / (D)eny / (I)gnorar / Audi(t) / Abo(r)t / (F)inalizar

Esimweni ngasinye, unquma ukuthi uyayivumela, uyayiphika, uyayishaya indiva (hhayi ukudala umthetho), uyayihlola, noma uyayihoxisa. Kunjalo naku ukufinyelela ifayelalapho uzoboniswa khona imizila ethile, izindlela zokufinyelela (ukufunda, ukubhala, njll.) kanye nezifinyezo ezingase zisetshenziswe kabusha.

I-Las izifinyezo Ziyiqoqo lemithetho evamile ehlanganiswe kumafayela angasetshenziswa kabusha (isibonelo, <abstractions/nameservice> ngakho konke okuhlobene nokulungiswa kwamagama). Esikhundleni sokwengeza umthetho okhululekile we /etc/nsswitch.confUngafaka isifinyezo futhi wenze iphrofayili ibe lula.

Ekupheleni kwenqubo, i-aa-genprof inikeza ukulondoloza amaphrofayili aguquliwe bese iwalayisha kabusha ngokuzenzakalelayo kwimodi yokuphoqelela, ukuze uhlelo lube kuvinjelwe yimithetho osanda kuyivumaUma uthola ukuziphatha okusha kamuva, ungakusebenzisa futhi. aa-genprof noma, ngokuqondile, aa-logprof mayelana nezingodo eziqoshiwe.

Eqinisweni, I-aa-genprof imane nje iyiskripthi esincane esisebenzisa i-aa-logprof ngaphansi.Idala iphrofayili engenalutho, iyisetha kwimodi yokukhalaza, iqalise uhlelo, bese ibiza i-`aa-logprof` ukwakha iphrofayili kusukela ekuphulweni kwemithetho okulogiwe. Ungasebenzisa aa-logprof ngokwehlukana noma nini lapho ufuna ukulungisa amaphrofayili akhona ngokusekelwe emicimbini emisha.

Ukuthola izinguquko kukhodi kanye neziqondisi kusetshenziswa igobolondo kanye ne-hash

Ngaphezu kwamakhono okulawula ukufinyelela, ezimweni eziningi kuyathakazelisa thola ukuthi ikhodi yesikripthi noma okuqukethwe kohlu lwemibhalo kushintshile yini phakathi kokubulawa, isibonelo ukudubula isipele esigcwele kuphela uma kukhona izinguquko, esikhundleni sokwenza izinguquko eziqhubekayo eziqhubekayo.

Asikhulumi ngokuqapha ngesikhathi sangempela lapha (ngalokho obungadinga inotify kanye namathuluzi asuselwe), kodwa kunalokho ukuhlola okukodwa: usebenzisa iskripthi esihlola isimo sesikhombisi futhi, uma sibona izinguquko uma siqhathaniswa nesikhathi sokugcina, sithatha isinyathelo.

Indlela elula kakhulu yesiqondisi esiphelele, ngaphandle kokukhetha, ihilela ukusebenzisa statUhlaka olulandelayo lubonisa lo mbono:

DIR_TO_CHECK='/dir/to/check'
OLD_STAT_FILE='/home/johndoe/old_stat.txt'

uma; khona-ke
OLD_STAT=$(ikati «$OLD_STAT_FILE»)
futhi
OLD_STAT="akukho lutho"
fi

I-NEW_STAT=$(isibalo -t «$DIR_TO_CHECK»)

uma; khona-ke
echo 'Uhlu lwezincwadi lushintshile. Yenza okuthile!'
# Lapha wenza ama-backups, ukuqinisekiswa, njll.
phendula «$NEW_STAT» > «$OLD_STAT_FILE»
fi

I-logic ilula kakhulu: Ugcina umphumela we-`stat` kufayela, bese kuthi ngokulandelayo uwuqhathanise. ngomphumela omusha. Uma kuhlukile, ucabanga ukuthi kukhona okushintshile (usayizi, izikhathi, njll.) kufolda. Le ndlela iyashesha kodwa ayisebenzi kahle, futhi ayikuvumeli ukuthi ukhiphe kalula izindlela ezincane.

Uma ufuna ukuhlola isiqondisi kodwa ngaphandle kwamafayela athile noma ama-subdirectory (isibonelo a tmp/ amafayela endawo noma amalogi), ungahlanganisa into eyinkimbinkimbi ngokuhlanganisa find, du, sort y sha1sum ukuthola "isinyathelo" sesimo sesihlahla esikuthandayo.

Isibonelo sesikripthi singaba:

DIR_TO_CHECK='/dir/to/check'
PATH_TO_EXCLUDE="/dir/to/check/tmp*"
OLD_SUM_FILE='/home/johndoe/old_sum.txt'

uma; khona-ke
OLD_SUM=$(ikati «$OLD_SUM_FILE»)
futhi
OLD_SUM="akukho lutho"
fi

NEW_SUM=$(thola «$DIR_TO_CHECK»/* \! -indlela «$PATH_TO_EXCLUDE» -print0 \
| xargs -0 du -b –time –exclude=»$PATH_TO_EXCLUDE» \
| hlunga -k4,4 \
| sha1sum \
| awk '{print $1}')

uma; khona-ke
echo «Uhlu lwemibhalo lushintshile. "Yenza okuthile!"
phinda «$NEW_SUM» > «$OLD_SUM_FILE»
fi

Isihluthulelo lapha sisemgqeni lapho kwenziwa khona ukubala. ISAMU ESISHA:

• find ... \! -path "$PATH_TO_EXCLUDE" -print0Wonke amafayela ngaphansi kohlu lwemibhalo abhalwe ngaphandle kwalawo afana nephethini okufanele akhishwe. -print0 Kwenza amagama ahlukaniswe ngohlamvu olungenalutho ukuze kugwenywe ukuphazamiseka ngezikhala nezinhlamvu ezingavamile.
• xargs -0 du -b --time --exclude=...Kufayela ngalinye elitholiwe, usayizi ngamabhayithi kanye nolwazi lwesitembu sesikhathi (kuye ngokuthi izinketho) uyabalwa, kwakhiwe uhlu lapho umugqa ngamunye umelela into yesistimu yefayela futhi lapho Imizila engafuneki ayisekho futhi.
• sort -k4,4Uhlu luhlelwe ngokwekholomu equkethe indlela (ngokuvamile eyesine), ukuze i-oda libe yinto enqunyiwe futhi noma yiluphi ushintsho lubonakale ochungechungeni.
• sha1sum | awk '{print $1}': kubalwe isamba se-SHA1 yohlu lonke, okudala unyawo olufushane "olumele" isimo esiphelele sohlu lwemibhalo (ngaphandle kwalabo abakhishwe). Ushintsho olulodwa ngobukhulu, indlela, noma isitembu sesikhathi luzobangela ukuthi unyawo lushintshe.

Ngale ndlela, isikhathi ngasinye lapho usebenzisa iskripthi uzokwazi ukuthi, phakathi kokugijima okukodwa nokulandelayo, Into ebalulekile esihlahleni ishintshiwe, yengezwe, isusiwe, noma iqanjwe kabushaFuthi lokho kukuvumela ukuthi uhlanganyele kwezinye izenzo: ukuvuselela amakhophi aphelele, ukwenza ukuhlolwa kobuqotho, ukulayisha kabusha izinsizakalo, njll.

I-AppArmor ingena kanjani ekutholakaleni koshintsho lwesikripthi?

Amasu achazwe ngenhla, ngokwawo, asevele ekuvumela bona izinguquko kukhodi yesikripthi noma ezinsizeni ezihambisana nayoKodwa uma uhlanganisa lokhu ne-AppArmor, ungaya phambili futhi uthole uhlelo lokuphepha ngokwalo lukuxwayise lapho iskripthi siqala ukwenza izinto ebesingahlosiwe ukuzenza.

Cabanga ukuthi uneskripthi okufanele sifunde kuphela isethi yamafayela bese sibhalela kufolda ethile. Uma uchaza iphrofayili ye-AppArmor evumela kuphela... ukufunda ku-/opt/misdatos/ bese ubhala ku-/var/log/miscript/Noma yimuphi umzamo wokufinyelela kwamanye amasayithi uzodala izehlakalo zokwephulwa kwemithetho kumarekhodi (kwimodi yokukhalaza) noma uzovinjelwa ngokuphelele (kwimodi yokuphoqelela).

Ngakho-ke, uma othile eguqula iskripthi (noma esishintsha ngesinonya) ukuze asuse amafayela ku- /etc/ noma ithumela idatha ngenethiwekhi, i-AppArmor izosebenza njengenethi yokuphepha. Ngaphezu kwalokho, ukubuyekeza amalogi nge aa-logprof noma ngqo ku- /var/log/syslog/journalctlunga thola ukuziphatha okungavamile okwembula izinguquko kukhodi noma ku-logic yokwenza.

Isu eliwusizo ukuhlanganisa zombili izindlela:

• Ngakolunye uhlangothi, kusetshenziswa iskripthi esincane se-hash (esisekelwe ku- stat noma ngesamba sokuqukethwe) hlola ukuthi ikhodi yesikripthi kanye nezinsiza zayo zishintshile yini kusukela ekubuyekezweni kokugcina.
• Ngakolunye uhlangothi, ukubeka iskripthi ngaphansi kwephrofayili ye-AppArmor elungiswe kahle ekhawulela ukuziphatha kwayo kanye Qopha noma yimuphi umzamo wokuphambuka kuskripthi.

Uma zombili izinhlelo zinikeza izimpawu (i-hash ehlukile kanye nokwephulwa okusha ku-AppArmor), unesibonakaliso esicacile sokuthi kukhona okushintshile futhi kufanelekile ukuhlola ngokucophelela.

Izinkinga ezivamile ezihlobene nokuhlinzekwa kwe-AppArmor kanye ne-Linux VM

Ezindaweni zamafu njenge-Azure, i-AppArmor ivame ukuhambisana nezinye izingxenye ezibalulekile zesistimu, njenge i-cloud-init kanye ne-ejenti ye-Azure LinuxUma zidalwe imishini engokoqobo Kusukela ngezithombe ezenziwe ngokwezifiso, akuvamile ukuhlangana namaphutha okunikeza, nakuba kungengenxa ye-AppArmor ngqo, athinta izinsizakalo ezingase zivinjelwe amaphrofayili.

Icala elijwayelekile: lapho kuthunyelwa i-VM esithombeni, isimo sihlala sikhona creating isikhathi eside bese kuqhubekela phambili failed ngemiyalezo efana nale:

Provisioning failed. OS Provisioning for VM 'sentilo' did not finish in the allotted time...

Kulungile:

OSProvisioningInternalError: The VM encountered an error during deployment...

Ukuze kutholakale lezi zinkinga, umuntu ukhetha ilogi yekhonsoli yochungechunge Ukunika amandla ukuxilongwa kwe-Azure boot kukuvumela ukuthi ubone konke kusukela kuzinketho zomugqa womyalo we-kernel kuya ku-systemd target sequences, i-cloud-init kanye nokusebenza kwe-ejenti ye-Azure, ukucushwa kwenethiwekhi, kanye nokukhiqizwa kokhiye. ssh, Njll

Lezi zingobo zihlola, isibonelo, ukuthi umgomo usufeziwe yini. "Inethiwekhi ikwi-inthanethi", uma i-cloud-init isiqedile izigaba zayo (init-local, init, amamojula wokucushwa kanye nawokugcina), uma amadiski e-ISO okunikeza efakwe kahle (adinga umshayeli we-UDF) noma uma i-ejenti ye-Azure imaka Finished provisioning.

Amaphutha avamile afaka:

• Imojula ye-UDF ivinjiwe noma ayikhoIdiski yokunikeza ayifakiwe futhi i-cloud-init ayikwazi ukufunda imethadatha, okuholela emilayezweni ethi "Akukho metadata ye-Azure etholakele".
• Izinkinga ze-Unicode kumalebula e-VM noma amaphasiwedi, ikakhulukazi ngezinguqulo ezindala ze-cloud-init ezingaphathi kahle izinhlamvu ezingezona eze-ASCII.
• Ukuhlanganiswa kwe /var/tmp nge-noexecokuvimbela i-cloud-init ukuthi isebenze dhclient uma ikopishwa kuleyo ndlela ezinguqulweni ezingaphambi kuka-20.3.

Konke lokhu kungaxazululwa ngokubuyekeza izinguqulo zakamuva ze-cloud-init, ukulungisa amapharamitha okukhweza, nokuqinisekisa ukuthi amamojula e-kernel adingekayo (njenge-UDF) awavalelwanga ngaphakathi /etc/modprobe.d/Uma usebenzisa ne-AppArmor kulawa ma-VM, kufanelekile ukuhlola lokho gwema amaphrofayili anemingcele ngokweqile ezithinta izingxenye ezifana ne-cloud-init, i-dhclient, i-systemd-networkd noma i-Azure agent, njengoba zingaphazamisa ukuhlinzekwa.

Khubaza ngokuphelele i-AppArmor (uma kungekho enye indlela)

Nakuba kunconywa ukulungisa amaphrofayili nezindlela kunokukhetha indlela elula yokuphuma, ezimweni ezithile kakhulu kungadingeka khubaza ngokuphelele i-AppArmorIsibonelo, ukuqeda ukuthi kubangela inkinga engavamile endaweni yokuhlola.

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

Futhi, uma ufuna ukuyivuselela kamuva, vele uyiqale bese uyibhalisa futhi emazingeni okuqalisa azenzakalelayo:

sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults

Khumbula ukuthi ukukhubaza i-AppArmor kususa lonke ungqimba lokuvikela lwe-MAC olunikezayo, okushiya izinqubo zisengozini futhi. kunqunyelwe kuphela yizimvume zendabuko ze-DACInto enengqondo kakhulu ongayenza ukusebenzisa lesi silinganiso kuphela ngezinjongo ezithile zokuxilonga, futhi uma inkinga isitholakele, yivule kabusha bese ulungisa amaphrofayili angqubuzanayo.

Naphezu kwakho konke lokho okushiwoyo, kungenzeka ukuhlanganisa ukusetshenziswa kwe-AppArmor ukuze unciphise ukuziphatha kwezikripthi nezinsizakalo ngamasu alula okushintshashintsha kanye nokuqhathanisa ngaphandle kwezinkinga eziningi. bona izinguquko kukhodi kanye neziqondisi ezibalulekile zesistimu ye-LinuxLokhu kunikeza ungqimba olwengeziwe lokuthula kwengqondo lapho uphatha imishini ekukhiqizweni noma efwini futhi awufuni lutho luhambe ngaphandle kolwazi lwakho.