- I-Firejail idala ama-sandbox alula isebenzisa izikhala zamagama, i-seccomp-bpf, kanye nokulawula ikhono le-kernel Linux.
- Inamaphrofayili achazwe ngaphambilini, uhlu olumhlophe/olumnyama, kanye nezindlela zangasese zokunciphisa ukufinyelela kwesistimu yamafayela kanye nenethiwekhi.
- Ikuvumela ukuthi uhlukanise iziphequluli, ama-AppImages, amaseva, kanye nemidlalo ngokulawula okuzimele kwe-bandwidth, i-DNS, kanye ne-IP.
- Ihlangana ne-AppArmor kanye ne-SELinux, ingavulwa ngokuzenzakalelayo nge-firecfg, futhi yengeza imali encane kakhulu ohlelweni.
Uma usebenzisa i-GNU/Linux nsuku zonke futhi ukhathazekile nge ukuphepha, ubumfihlo, kanye nezinhlelo ezingathembekileNgokushesha noma kamuva, uzohlangana neFirejail. Le nsiza encane ibilokhu ingenye yezindlela ezilula zokufaka izinhlelo zokusebenza endaweni ehlukanisiwe iminyaka eminingi, ngaphandle kokusetha umshini obonakalayo noma ukwenza izinto ezingenamkhawulo.
Umbono ulula: Usebenzisa uhlelo lwakho "olufakiwe" ngaphakathi kweFirejail Futhi kusukela lapho, leyo nqubo ibona uhlelo lwamafayela, inethiwekhi, abasebenzisi, namadivayisi anqunyelwe kakhulu kunalawo angempela. Ngaleyo ndlela, i- PDF Okusolisayo, isiphequluli esigcwele izandiso noma umdlalo ongavamile ovela ku-itch.io asinaso isikhala esiningi sokudala umonakalo ohlelweni.
Iyini iFirejail futhi isebenza kanjani ngaphakathi?
Ijele Lomlilo liyi- Uhlelo C, lohlobo lwelayisensi ye-SUID kanye ne-GPLv2Isebenza njengebhokisi lesanti lezinqubo ku-GNU/Linux. Umsebenzi wayo ukunciphisa umthelela wohlelo lokusebenza oluphazamisekile ngokudala indawo yokusebenza yamalungelo anqunyelwe lapho inqubo ngayinye inombono wayo "oqoshiwe" wesistimu.
Ezingeni lobuchwepheshe, incike ezintweni eziningana Izici zokuphepha ze-Linux kernelIzikhala zamagama, izihlungi zezingcingo zesistimu ezine-seccomp-bpf, ukulawulwa komthamo, kanye nokuhlukaniswa kwesistimu yamafayela. Ngenxa yalokhu, inqubo esebenza ngaphakathi kwe-sandbox inethebula layo lenqubo, i-network stack, i-mount table, kanye, ngokuvamile, iqoqo lezinsiza ezi-virtualized.
Enye yezimpahla zayo ezinkulu ukuthi Ayinazo izinto eziningi ezincike kuzo futhi izindleko zayo zincane kakhulu.Ayiqalisi ama-daemon angemuva, ayivuli amasokhethi okuphatha, noma ayidingi izinsizakalo ezengeziwe. Iqala nje uma ibizwa futhi isebenzise izinsiza ngenkathi igcina i-sandbox isebenza.
Ngaphezu kwalokho, i-Firejail iza ne amaphrofayili okuphepha achazwe kusengaphambili ezinhlelo eziningi ideskithophu namasevisi: iziphequluli ezifana ne-Firefox ne-Chromium, izidlali zemidiya ezifana ne-VLC, amaklayenti e-BitTorrent afana ne-Transmission, amaklayenti e-imeyili, imidlalo (kufaka phakathi I-Steam), amathuluzi okuxoxa, amaseva afana ne-Apache noma i-Nginx, amaklayenti ssh, Iwayininjll. Uma kungekho phrofayili ethile yohlelo, kusetshenziswa iphrofayili ejwayelekile.
Izindlela zokuphepha eziyinhloko ezisetshenziswa yiFirejail
Ukuze uqonde ngempela lokho okwenziwa yiFirejail, kuyasiza ukubuyekeza izindlela ze-kernel ezisebenzisa ngazo inzuzoAkudingeki ube yi-kernel hacker, kodwa udinga umongo othile ukuze wazi ukuthi yini oyiqinisayo uma udlala ngezinketho zayo.
Izikhala zamagama ze-Linux Zivumela iqembu lezinqubo ukuthi labelane "ngesikhala salo samagama": izihlonzi zenqubo (ama-PID), amagama omethuleli, abasebenzisi, amaphuzu okukhweza, inethiwekhi, njll. I-Firejail idala lawa magama ukuze uhlelo olune-sandbox lubone kuphela izinsiza ezihambisana nalo ngaphakathi kwaleyo ndawo ehlanganisiwe.
Kusukela egatsheni le-kernel 2.6 kuqhubeke, futhi ikakhulukazi kusukela kunguqulo 3.x, kunezinhlobo ezahlukene zezikhala zamagama (i-PID, i-UTS, i-mount, umsebenzisi, inethiwekhi, i-IPC, njll.) zengezwe. I-Firejail ithembele kulezi ukuze... inqubo inenethiwekhi yayo, umuthi wayo wenqubo, kanye nohlelo lwayo lwefayela, konke kuhlukile kolunye uhlelo.
Ngaphezu kwezikhala zamagama, izinsiza ze-Firejail izinqubomgomo zokulawula ukufinyelela kwezinga lesistimu yefayela ngokusekelwe kuhlu olumhlophe kanye nohlu olumnyama. Lokhu kukuvumela ukuthi uchaze iziqondisi ezingafinyelelwa uhlelo lokusebenza, ezinye ezingafundwa kuphela, kanye nezinye ezivinjiwe ngokuphelele, kokubili kuhlu oluyimpande kanye nangaphakathi kwesiqondiso sasekhaya somsebenzisi.
Ngesikhathi esifanayo, okulandelayo kuyasetshenziswa isiqephu-bpfIsihlungi sezingcingo zesistimu sihlotshaniswa nenqubo kanye nenzalo yayo. Isebenzisa ulimi lokuhlunga olusekelwe ku-Berkeley Packet Filter (BPF), i-Firejail ikhawulela ukuthi yiluphi uhlelo lokusebenza olungakwazi ukulusebenzisa. Uma luzama ukwenza okuthile inqubomgomo engavumeli, ucingo luyavinjelwa noma inqubo iyabulawa, okunciphisa kakhulu indawo yokuhlasela.
I-Firejail ihlangana kahle ne- I-AppArmor kanye ne-SELinuxLezi zixazululo I-MAC (Ukulawula Ukufinyelela Okuphoqelekile) kuchaza ukuthi yiziphi izinsiza uhlelo lokusebenza olungazisebenzisa, kuyilapho i-Firejail ingeza ungqimba olwengeziwe lokuhlukaniswa: noma ngabe izinhlelo zokusebenza ezimbili zinemvume kumthombo ofanayo ngokusho kwe-AppArmor, nge-Firejail ungazenza zingakwazi ukuxhumana ngoba ngayinye ihlala ebhokisini layo lesihlabathi.
Izinzuzo ezingokoqobo zokusebenzisa i-Firejail
Kumsebenzisi ojwayelekile, okubalulekile akuyona inkolelo-mbono kodwa yilokho okufezayo ekusetshenzisweni kwansuku zonke: Ukuphepha okwengeziwe ngaphandle kokushintsha indlela osebenza ngayo I-Firejail igxile kakhulu kulokho.
Ngakolunye uhlangothi, kukhona ukuhlukaniswa kwezicelo ezingaba yingoziI-PDF engezwakali kahle, idokhumenti yehhovisi ethunyelwe kuwe nge-imeyili, iwebhusayithi engcolile, noma i-AppImage elandiwe kusuka kumuntu owaziyo ukuthi ukuphi, konke kusebenza endaweni evimbela ikhono labo lokufinyelela ohlelweni.
Ngakolunye uhlangothi, inikeza umkhawulo wezinsizakusebenza eziyinkimbinkimbi kakhuluUngakhawulela inethiwekhi (ungayinqamuli ngokuphelele i-inthanethi, uyinike ikheli layo le-IP, ukhawulele i-bandwidth), unciphise ukufinyelela ohlelweni lwefayela (olumhlophe kanye noluhlu olumnyama), unqume amadivayisi kusuka ku-/dev, ulawule iseva yomsindo, noma ushintshe ngisho namaseva e-DNS uhlelo lokusebenza oluxhumana nawo.
Iphuzu elilodwa elithakazelisayo kakhulu ukuthi ukusetshenziswa okuyisisekelo kulula kakhulu: igama_lohlelo lwe-firejailAkudingeki uhlele amafayela okucushwa ukuze uqalise; amaphrofayili achazwe ngaphambilini amboza ukusetshenziswa okuvamile. Kuphela uma ufuna ukuba yinkimbinkimbi kakhulu lapho kufanele uqale ukulungisa amaphrofayili enziwe ngokwezifiso.
Naphezu kokugxila ku-GNU/Linux, i-Firejail nayo ithuthwe noma ilungiswe ukuze isetshenziswe ezinye izinhlobo zezinhlelo Unix njengezinhlobo ezithile ze-BSD noma ngisho ne-macOS, yize lapho ikhanya khona ngempela kusezindaweni ze-Linux ezine-kernel engu-3.xo noma ngaphezulu.
Ukufaka i-Firejail kanye ne-Firetools ekusakazweni okuhlukene
Ukufaka i-Firejail kulula njengokudonsa umphathi wephakheji wokusabalalisa kwakhoAkuvamile ukufika ifakwe kusengaphambili, kodwa itholakala ezindaweni zokugcina ezisemthethweni cishe kuzo zonke izinhlobo zesimanje.
Kuzinhlelo ezisekelwe ku-Debian kanye ne-Ubuntu, mane usebenzise i-APT: sudo apt ukufaka i-firejailKuma-derivatives afana ne-Linux Mint, Elementary noma afanayo, umyalo ufana ncamashi futhi uzolanda iphakheji kusuka kuma-repository e-distro.
Ku-"pure" Debian ungaphendukela ku- sudo apt-get ukufaka i-firejailNgenkathi ku-Arch Linux kanye nama-derivatives afana ne-Manjaro, iphakheji isendaweni yokugcina esemthethweni futhi ifakiwe nge i-sudo pacman -S firejailE-Gentoo, itholakala esihlahleni esikhulu njenge-sys-apps/firejail futhi ifakwa kusetshenziswa kuvela –buza izinhlelo zokusebenza ze-sys/ijele lomlilo noma uhlobo lwayo lwe-LTS.
Ku-Fedora ungakhetha ukulanda i- I-RPM evela ku-SourceForge bese uyiqalisa nge-`sudo rpm -i`, noma unike amandla indawo yokugcina ethile ye-Copr (isibonelo, `ssabchew/firejail`) bese uyifaka nge-`dnf`. Ku-openSUSE, itholakala ngohlelo lwakudala lwe- ukufakwa ngokuchofoza okukodwa kusukela ezindaweni ezinconywayo ze-Tumbleweed noma i-Leap.
Uma ukusatshalaliswa kwakho kungakunikezi ukupakishwa, ungahlala ukukuhlanganisa kusuka kukhodi yomthombo: git clone https://github.com/netblue30/firejail.git; cd firejail; ./configure && make && sudo make install-stripKuyiphrojekthi elula kakhulu enezinto ezimbalwa ezixhomeke kuyo, ngakho-ke ivame ukuhlanganiswa ngaphandle kwezinkinga.
Ukuze ube ne-graphical interface une-Firetools, evame ukufakwa nomphathi wephakheji ofanayo, isibonelo sudo apt ukufaka ama-firetoolsLe phakheji ingeza isiqalisi esincane kuthreyi yesistimu kanye nezinsiza zokuphatha ama-sandbox ngemidwebo.
Indlela yokusebenzisa i-Firejail kusuka ku-terminal
Indlela eqondile kakhulu yokusebenzisa i-Firejail ngokusebenzisa umugqa we- imiyaloIfilosofi yabo icacile kakhulu: engeza igama elithi firejail kumyalo owufunayo. Akukho okunye.
Isibonelo, ukusebenzisa i-Firefox ene-sandbox ungasebenzisa I-Firefox yejele lomliloye-VLC I-VLC ye-Firejail, yokudlulisa Ukudluliselwa kwe-Firejail-gtk noma nge-gedit ijele lomlilo i-geditI-Firejail ithola uhlelo, ihlole ukuthi kukhona iphrofayili ehambisanayo ku-/etc/firejail bese isebenzisa imikhawulo echaziwe.
Ingasetshenziswa futhi ne izinkonzo noma amademoni iseva, yethulwe njenge izimpandeIsibonelo esijwayelekile kungaba ukuqala i-Nginx nge-`sudo firejail /etc/init.d/nginx start`, noma enye insizakalo ofuna ukuhlala kuyo ngaphakathi kwebhokisi lesanti elinenethiwekhi yalo kanye nesistimu yamafayela elinganiselwe.
Uma ufuna ukwazi nganoma yisiphi isikhathi ukuthi yimaphi ama-sandbox asebenzayo, ungawasebenzisa uhlu lwejele lomliloUhlelo luzokukhombisa uhlu olune-PID, umsebenzisi, kanye nomyalo ohlotshaniswa nendawo ngayinye ehlukanisiwe, okufana kakhulu ne-ps ehlungiwe.
Uma ufuna ukuhlola izinsiza ezisetshenziswa izinhlelo zokusebenza ngaphansi kweFirejail, unomyalo ongaphansi ijele lomlilo - phezulu, ekhombisa ithebula eline-PID, umsebenzisi, inkumbulo yokuhlala, inkumbulo eyabiwe, i-CPU esetshenzisiwe, izinqubo zezingane kanye nesikhathi sokusetshenziswa, konke kugxile ezimweni eziqaliswe ngebhokisi lesanti.
Ukuze ubone uhlu oluphelele lwenqubo ngaphakathi kwebhokisi ngalinye lesanti, ungagijima ijele lomlilo – umuthiokwethula umuthi wenqubo one-firejail yesibonelo "somzali" kanye nazo zonke izinqubo ezilenga kuyo. Uma noma yisiphi isibonelo singasabeli, ijele lomlilo –ukuvala isikhashana=i-PID Ikuvumela ukuthi ubulale lelo sandbox elithile.
Amaphrofayili e-Firejail: ukuthi akuphi nokuthi ungawashintsha kanjani
Amandla eqiniso e-Firejail alele ekuziphatheni kwayo ukumiswa kwamaphrofayiliLawa amafayela okuthungwa achaza indlela uhlelo ngalunye okufanele luhlukaniswe ngayo: yiziphi iziqondiso ezingazibona, yiziphi amakhono e-kernel ezingawasebenzisa, kwenzekani kunethiwekhi, ukuthi ngabe amaseva ehluzo ahlukile ayasebenza yini, njll.
Amaphrofayili esistimu avame ukugcinwa ku- /njll/ijele lomlilo/Uma wenza i-ls kulolo hlu lwemibhalo uzobona iqoqo lamafayela anesandiso se-.profile, ngalinye lihlotshaniswa nohlelo oluthile: i-firefox.profile, i-vlc.profile, i-chromium.profile, i-steam.profile, i-server.profile, njll.
Ukuze wenze ngendlela oyifisayo indlela yokuziphatha kwephrofayili ejwayelekile, vele uyivule ngomhleli wakho owuthandayo, isibonelo nge sudo nano /etc/firejail/firefox.profileLapho ungavumela noma ukhubaze izinqubomgomo ezifana nohlu olumnyama, uhlu olumhlophe, imikhawulo ye-/dev, izinketho zenethiwekhi, ukulawula umsindo, noma ukhubaze ukusheshiswa kwe-3D.
Uma ufuna ukwazi ukuthi yiluphi ulimi olusebenzisa iphrofayili olusekela i-syntax, i-Firejail ifaka ikhasi lomuntu elizinikele: iphrofayili ye-firejail yomuntu 5Ichaza incazelo yomyalo ngamunye (faka phakathi, uhlu olumnyama, uhlu olumhlophe, i-caps.keep, i-net, i-x11, njll.) nokuthi ungawahlanganisa kanjani ukuze ufeze inqubomgomo yokuhlukaniswa oyithandayo.
Uma ufuna ukwenza ngokwezifiso uhlelo ngaphandle kokuthinta iphrofayili yomhlaba wonke ku-/etc, ungakha i- iphrofayela yomsebenzisi wendawoZigcinwa ku-~/.config/firejail/ futhi zinegama elifanayo nephrofayela esemthethweni. Isibonelo, uma ufuna i-VLC ingalokothi ibe nokufinyelela kwe-inthanethi, ungakha i-~/.config/firejail/vlc.profile enokuqukethwe okufana nalokhu:
faka /etc/firejail/vlc.profile
akukho lutho
Ngesikhathi esilandelayo lapho ugijima I-VLC ye-FirejailIphrofayili yesistimu izosetshenziswa kuqala, bese kuba izilungiselelo zakho ezengeziwe, okuphoqelela ukuhlukaniswa okwengeziwe kwenethiwekhi ngaphandle kwesidingo sokushintsha ifayela ku-/etc.
Uhlu olumhlophe, uhlu olumnyama, kanye nokulawula uhlelo lwefayela
Enye yezindlela ezinamandla kakhulu zokusebenzisa i-Firejail yikhono layo lokwenza kanjalo. khawulela iziqondisi ezithile okungafinyelelwa uhlelo lokusebenza. Ufinyelela lokhu ngemithetho yohlu olumhlophe kanye nohlu olumnyama, kokubili kumaphrofayili omhlaba wonke kanye nangokwezifiso.
Uma ufuna, isibonelo, ukuvimbela uhlelo lokusebenza ukuthi lufinyelele kufolda yamadokhumenti yomsebenzisi, ungangeza umugqa uhlu olumnyama ${HOME}/Amadokhumenti kuphrofayela. Ngaphandle kwalokho, ungasebenzisa indlela ephelele efana nohlu olumnyama /home/user/Documents uma ukhetha ukungasebenzisi iziguquguquki.
Ngakolunye uhlangothi, uma ufuna uhlelo lufinyelele kuphela kusethi ethile ye-HOME directory, ungasebenza nalo umhlopheInhlanganisela evamile kakhulu ukuvimba ukufinyelela ku-/boot, /root noma kwezinye iziqondisi ezibucayi, bese ngesikhathi esifanayo unikeza imvume ku-directory eyodwa ye- i-ascargas noma ifolda yesikhashana lapho uzogcina khona lokho okudingayo ngempela.
Imithetho yohlu ihlanganiswe nezinketho ezifana nokuthi –ukufunda kuphela=/njll ukuze isiqondisi esinikeziwe sitholakale, kodwa kuphela kwimodi yokufunda, noma nge –ikhaya langasese, –eliyimfihlo-njll, –ibhini langasese ukusetha izinguqulo zesikhashana zalezo zindlela ngaphakathi kwebhokisi lesihlabathi.
Kumaphrofayili athuthukile ungasebenzisa ngisho neziqondiso zokubopha ezifana nokuthi hlanganisa umsuka, indawo oya kuyo, okuvamile ezindaweni zeseva, ukuze isiqondisi sesistimu sangempela (isibonelo /server/web1) sibonakale ngaphakathi kwe-sandbox njenge-/var/www/html, konke kungaphansi kokulawulwa kokufinyelela okuqinile kakhulu.
Imodi yangasese kanye nezinhlelo zamafayela zesikhashana
Uma ufuna ukuvikela okuphezulu, i-Firejail inikeza imodi enolaka kakhulu: -okuyimfihloUma ivuliwe, uhlelo lokusebenza lubona i-HOME yesikhashana ifakwe kuma-tmpfs, enesakhiwo esincane sefolda, futhi konke elikubhalayo kuzonyamalala lapho ibhokisi lesanti livaliwe.
Le modi ilungele hlola ibhange eliku-inthanethi noma usebenzise izinhlelo zokusebenza ezibucayi kakhulu ngaphandle kokudlulisa izilungiselelo ezijwayelekile, izandiso, ama-cache, umlando, njll. Uma uvula isiphequluli nge-firejail --private, sizosebenzisa ukucushwa kwaso okuzenzakalelayo, ngaphandle kwezengezo noma ukwenza ngokwezifiso, okunciphisa indawo yokuhlasela.
Ungaphinde uthuthukise lokhu kuziphatha nge –yangasese=uhla lwemibhalookubonisa okunye okuphikelelayo IKHAYA, noma ukulixuba ne –i-tmp yangasese y –i-private-cache ukuze iziqondisi ezifana ne-/tmp noma i-~/.cache zibe zesikhashana, kuyilapho ugcina ezinye izakhi zephrofayela "zangempela".
Enye indlela enamandla –imbondela-tmpfsLokhu kudala uhlelo lwefayela oluyi-overlay, oluyi-ephemeral phezu kohlelo lwangempela, ngakho-ke zonke izinguquko zokubhala zihlala kusendlalelo sesikhashana. Lokhu kuvumela, isibonelo, faka iphakheji ngaphakathi kwebhokisi lesanti bese ulihlola ngaphandle kokushiya umkhondo ohlelweni lomsingathi uma uvala iseshini ye-Firejail.
Kulezi zimo, kubalulekile ukuqaphela kakhulu inhlanganisela yezinketho, ngoba uma usebenzisa –akukho phrofayili Futhi uma ungavimbi kahle i-/tmp, usengavumela ukubhala ezingxenyeni zesistimu obungahlosile ukuzithinta. Umkhuba ovamile ukwengeza iziqondiso ezifana ne-`--blacklist=/tmp` noma ukusebenza nabamhlophe abathile kakhulu ukuze unciphise indawo yokubhala.
Ukulawulwa kwenethiwekhi: nqamula ukufinyelela kwe-inthanethi, i-IP ehlukene, kanye nemikhawulo ye-bandwidth
Esinye isici esibalulekile se-Firejail ukuphathwa kwenethiwekhi. Ngepharamitha eyodwa, ungavumela uhlelo lokusebenza ukuthi... akuxhunyiwe ku-inthanethi ngokuphelele noma usethe i-network stack yayo nge-IP ngayinye, i-firewall kanye nethebula le-ARP elihlukile ohlelweni.
Ukuze ukhubaze ukuxhumana, mane usebenzise –net=akukhoIsibonelo, emiyalweni efana ne-`firejail --net=none vlc`, `firejail --net=none clementine`, noma olunye uhlelo ofuna ukuluvimba kwi-inthanethi. Lulungele abadlali bemidiya, ababukeli bezithombe, abahleli bombhalo, noma izinhlelo ezifanayo ezingadingi ukufinyelela inethiwekhi.
Uma ufuna ukusetha inethiwekhi ethile, ungasebenzisa –net=isikhombimsebenzisilapho isikhombikubona ngokuvamile sifana ne-eth0 kumanethiwekhi anezintambo. Ungangeza ngisho –ip=192.168.1.80 ukuze i-sandbox ibe nekheli le-IP langaphakathi elihlukile kunekhompyutha, eliwusizo kakhulu ezimweni zeseva noma ekuhlolweni kwenethiwekhi.
Ngokukhethwa kukho –dns=IP Ungabhala ngaphezulu amaseva e-DNS aleyo sandbox ethile. Isibonelo, inhlanganisela evamile kakhulu yebhange eliku-inthanethi ingaba yinto efana ne-`firejail --private --dns=8.8.8.8 --dns=8.8.4.4 google-chrome`, ukuqinisekisa ukuthi leyo mibuzo ixazululwa kusetshenziswa amaseva e-DNS owacacisile.
I-Firejail ikuvumela futhi khawulela umkhawulokudonsa ngebhokisi lesantiOkokuqala, udala isibonelo esiqanjwe ngegama, isibonelo i-firejail --name=browser --net=eth0 firefox, bese, kusuka kwenye IsikhumuloUsebenzisa imithetho ethi `firejail --bandwidth=browser set eth0 80 20` ukuze uyibeke ku-80 KB/s download kanye no-20 KB/s upload. Ukuze ususe umkhawulo, ungasebenzisa `firejail --bandwidth=browser clear eth0`.
Khumbula ukuthi izinketho ezithile zenethiwekhi (njenge-macvlan) zisebenza kuphela ku- izixhumi ezixhunyiweHhayi ku-Wi-Fi. amalaptop Ngamanethiwekhi angenantambo, kuzodingeka ulungise ukwakheka kwebhokisi lakho lesanti ngokufanele.
Amaseva ehluzo ahlukile kanye nokuvikelwa kuma-keylogger
Ngaphezu kokuhlukaniswa kwenethiwekhi kanye nohlelo lwamafayela, i-Firejail ihlanganisa izindlela zokuqinisa i- Isendlalelo sehluzo se-X11Esikhundleni sokusebenzisa iseshini ye-X "ejwayelekile" yomsebenzisi, ungaqala uhlelo ngaphakathi kwamanye amaseva ehluzo njenge-Xpra noma i-Xephyr.
Ukuze wenze lokhu, kufanele uqale ufake amaphakheji ahambisanayo, ngokuvamile ngomyalo ofana no- sudo apt-get ukufaka i-xpra xserver-xephyr kumasistimu asekelwe ku-Debian/Ubuntu. Uma esekhona, i-Firejail ivumela ukuqalisa izinhlelo zokusebenza usebenzisa –x11=igama_leseva, okudala indawo eyengeziwe yezithombe ezihlukanisiwe.
Isibonelo, ungagijima ijele lomlilo –x11=xephyr –net=none vlc ukuvula i-VLC kuseva ye-Xephyr inethiwekhi ivaliwe, noma ijele lomlilo –x11=xpra –net=none vlc ukukwenza ngaphansi kwe-Xpra. Lokhu kusiza Zivikele kuma-keylogger kanye namadivayisi okuthwebula isikrini okungenzeka ukuthi isebenza kuseshini enkulu ye-X.
Uma ungayicacisi ngokusobala iseva yehluzo, inketho –x11 Zama i-Xpra kuqala, bese kuba yi-Xephyr, bese ekugcineni kube nesandiso sokuphepha se-X11 uma izinketho zangaphambilini zingatholakali. Kuye ngendawo yakho yokusabalalisa kanye nedeskithophu, ezinye izinhlanganisela zingase zingasebenzi kahle, futhi kungadingeka ulungise izilungiselelo ngesandla.
Sebenzisa i-Firejail "ngokuzenzakalelayo" kuzinhlelo zakho zokusebenza
Uma ufisa, ungenza izinhlelo ezithile, noma zonke lezo ezinephrofayili, zisebenze. Siempre Ngaphansi kwe-Firejail, ngaphandle kokuthayipha igama elithi "firejail" njalo. Ngenxa yalokho, kukhona ithuluzi elisizayo. i-firecfg.
Lapho isebenza i-sudo firecfgLolu hlelo luskena ama-binary afakiwe futhi ludala izixhumanisi ezingokomfanekiso ku-/usr/local/bin kuzo zonke izinhlelo zokusebenza ezinephrofayili ku-/etc/firejail. Lezi zixhumanisi zikhomba ku-/usr/bin/firejail, ukuze uma umsebenzisi esebenzisa i-“firefox”, i-Firejail empeleni ibizwa ngephrofayili ehambisanayo.
Uma ushintsha umqondo wakho futhi ufuna ukuqala kabusha izinhlelo ngaphandle kwe-sandboxing, ungasusa lokho kulungiselelwa nge i-firecfg –cleannoma susa ngesandla ama-symlink ku-/usr/local/bin. Enye indlela iwukumisa uhlelo lokusebenza oluthile ngale ndlela, udale ngesandla isixhumanisi esingokomfanekiso nge sudo ln -s /usr/bin/firejail /usr/local/bin/program_name.
Ezindaweni ezinezithombe ungahlela futhi amafayela edeskithophu Kuziqalisi zakho zedeskithophu, engeza i-`firejail` emugqeni womyalo. Isibonelo, kufayela le-`firefox.desktop` elenziwe ngokwezifiso, setha umugqa we-`Exec` ku-`Exec=firejail firefox`. Ngale ndlela, ukuchofoza ngakunye kusithonjana kuzoqalisa uhlelo oluvele luhlanganisiwe.
Uma ufaka i-Firetools, uzothola ne-graphical sandbox manager encane ekhombisa izinhlelo zokusebenza ezinamaphrofayili atholakalayo. Ukusuka lapho, ungaziqalisa, ubone ukuthi yini esebenzayo, uhlole ukusetshenziswa kwezinsiza, noma ulungise amanye amapharamitha ngaphandle kokusebenzisa i-terminal.
Ukuphathwa Okuthuthukisiwe: ukufaka i-sandbox, ukulungisa amaphutha, kanye ne-AppArmor/SELinux
Kungaba usizo kakhulu emisebenzini yokuphatha ethuthukisiwe faka “ngaphakathi” kwebhokisi lesihlabathiI-Firejail ivumela lokhu ngenketho ethi –join, exhumanisa igobolondo elisha nesikhala segama senqubo ekhona.
Inqubo ejwayelekile kungaba ukwenza uhlu lwejele lomlilo Ukuze ubone ama-PID ezimo, thola inombolo yenqubo eyinhloko ye-sandbox (isibonelo, 5394) bese wenza i-sudo firejail –join=5394I-Firejail izogxumela enkambisweni yokuqala yengane ngaphakathi kwebhokisi lesihlabathi futhi ikushiye usesimweni esinjengempande kuleyo ndawo ehlukanisiwe.
Uma usufikile lapho, ungasebenzisa imiyalo efana df -h, i-ip addr, ps aux noma yiliphi ithuluzi lokuxilonga ukuze ubone ukuthi uhlelo lokusebenza lubonani ngaphakathi kwebhokisi lesanti. Uma usuqedile, vele usebenzise i-`exit` ukuze uphume bese ubuyela endaweni evamile.
Ukuze uthole izinkinga zokucushwa noma uqonde ukuthi yini evimba uhlelo lokusebenza, unezinketho ezilandelayo –ukulungisa iphutha y –ukulandelelaLokhu kubonisa ulwazi lokulungisa amaphutha kanye nezingcingo zesistimu ngenkathi umyalo usebenza. Ziwusizo ikakhulukazi lapho iphrofayili enolaka kakhulu ivimbela uhlelo ukuthi lusebenze. ibhuthini noma ukusebenza ngokujwayelekile.
I-Firejail ihambisana kahle ne- I-AppArmor kanye ne-SELinuxEkusabalalisweni okuvumela i-AppArmor ngokuzenzakalelayo, amaphrofayili amaningi e-Firejail aklanyelwe ukuhambisana namaphrofayili e-AppArmor, enezela ungqimba olwengeziwe lokuhlukaniswa ngaphandle kokuphula izinqubomgomo ezikhona. Izibonelo zemithetho ethile yokuqinisa izinsizakalo ezifana namaseva ewebhu, i-SSH, noma izinhlelo zokusebenza zedeskithophu ezibalulekile ziyatholakala ku-GitHub nakumadokhumenti asemthethweni.
Uma uzosebenzisa i-Firejail kumaseva anabasebenzisi abaningi, kungcono ukubuyekeza ukucushwa ku- /etc/firejail/firejail.config, vumela izinketho ezifana ne-force-nonewprivs futhi ukhawulele ukuthi abasebenzisi bangayisebenzisa nini i-/usr/bin/firejail ngokulungisa iqembu labo kanye nezimvume (isibonelo, ngokudala iqembu elithi “firejail” kanye nokukhawulela i-SUID kumalungu alo).
I-Firejail inikeza Ibhalansi ethakazelisayo kakhulu phakathi kokuphepha nenduduzo.Ayithathi indawo ye-virtualization ephelele, kodwa ngemisebenzi eminingi yansuku zonke, ukuhlolwa kwesofthiwe okusheshayo, noma ukuhlukanisa iziphequluli, i-AppImages, i-Wine, nemidlalo, inikeza isivikelo esimangalisayo ngobunzima obuphansi kakhulu. Ukuqonda okuphelele kwamaphrofayili ayo, izinketho zenethiwekhi, izindlela zangasese, kanye nokuhlanganiswa ne-AppArmor/SELinux kukuvumela ukuthi uyihlele ngendlela oyithandayo futhi uqinise ideskithophu yakho ye-Linux ngaphandle kokulahla ukusetshenziswa kwayo.
Umbhali oshisekayo ngomhlaba wamabhayithi nobuchwepheshe ngokujwayelekile. Ngiyathanda ukwabelana ngolwazi lwami ngokubhala, futhi yilokho engizokwenza kule bhulogi, ngikubonise zonke izinto ezithakazelisayo kakhulu ngamagajethi, isofthiwe, ihadiwe, izitayela zobuchwepheshe, nokuningi. Inhloso yami ukukusiza ukuthi uzulazule emhlabeni wedijithali ngendlela elula nejabulisayo.