A pledge- and unveil-like isolation mechanism is being developed for FreeBSD

An implementation of an application isolation mechanism has been proposed for FreeBSD, reminiscent of the pledge and unveil system calls developed by the OpenBSD project. Isolation in pledge is achieved by prohibiting access to system calls that the application does not use, and in unveil by selectively opening access only to the individual file paths the application can work with. A kind of whitelist of system calls and file paths is formed for the application, and all other calls and paths are prohibited.

The difference between OpenBSD's pledge and unveil and the analogue being developed for FreeBSD comes down to an additional layer that makes it possible to isolate applications without changing their code, or with minimal changes. Recall that in OpenBSD, pledge and unveil are aimed at tight integration with the underlying environment and are applied by adding special annotations to the code of each application. To simplify setting up protection, the filters let you dispense with detail at the level of individual system calls and operate on classes of system calls (input/output, reading files, writing files, sockets, ioctl, sysctl, process launch, and so on). The access restriction functions can be called in application code as certain actions are completed; for example, access to sockets and files can be closed off after the required files have been opened and a network connection has been established.
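The staged restriction described above, shown with OpenBSD's native pledge(2) and unveil(2) calls. This is an added example, not code from the article or from the FreeBSD port; the no-op stand-ins for other systems, the helper names and the sample file are assumptions made for illustration.

```c
/* Added example: staged restriction with OpenBSD's pledge(2)/unveil(2). */
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stand-ins so the file builds where the calls do not
 * exist; they restrict nothing. On OpenBSD the real calls are used. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif

/* Constructed sample input: three lines of text. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("alpha\nbeta\ngamma\n", f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Count lines in `path`, shrinking the process's rights at each step. */
long count_lines_sandboxed(const char *path)
{
    FILE *f;
    long lines = 0;
    int c;
    /* 1. Filesystem view: only this path, read-only; then lock the list. */
    if (unveil(path, "r") == -1 || unveil(NULL, NULL) == -1)
        return -1;
    /* 2. Syscall classes: stdio plus read-only path access for fopen(). */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    if ((f = fopen(path, "r")) == NULL)
        return -1;
    /* 3. The file is open: drop rpath so no further file can be opened. */
    if (pledge("stdio", NULL) == -1) { fclose(f); return -1; }
    while ((c = getc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    return lines;
}

int main(void)
{
    const char *path = "/tmp/pledge_demo.txt";  /* hypothetical sample path */
    if (write_sample(path) != 0)
        return 1;
    printf("%ld lines\n", count_lines_sandboxed(path));
    return 0;
}
```

On OpenBSD the restrictions are irreversible for the life of the process, and a call outside the pledged classes terminates it, so the sandboxing step belongs after all setup that needs wider rights.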

The author of the pledge and unveil port for FreeBSD intends to make it possible to isolate arbitrary applications. For this purpose the curtain utility is proposed, which applies rules defined in a separate file to applications. The proposed configuration includes a file with basic settings that define classes of system calls and typical file paths specific to certain uses (working with sound, network interaction, logging, and so on), as well as a file with access rules for specific applications.

The curtain utility can be used to isolate most unmodified utilities, server processes, graphical applications, and even entire desktop sessions. curtain can be used together with the isolation mechanisms provided by the Jail and Capsicum subsystems. Nested isolation is also possible: launched applications inherit the rules set for the parent application and supplement them with their own restrictions. Some kernel operations (debugging facilities, POSIX/SysV IPC, PTYs) are additionally protected by a barrier mechanism that prevents access to kernel objects that were not created by the current process or its parent.

A process can configure its own isolation by calling curtainctl or by using libcurtain's pledge() and unveil() functions, which are similar to those found in OpenBSD. To track blocked operations while the application is running, the sysctl 'security.curtain.log_level' is provided. Access to the X11 and Wayland protocols is enabled separately by specifying the "-X"/"-Y" and "-W" options when running curtain, but support for graphical applications is not yet stable and has many unresolved problems (the problems mostly appear when using X11, and Wayland support is implemented better). Users can add further restrictions by creating local rules files (~/.curtain.conf). For example, to allow writing from Firefox only to the ~/Zazzagewa/ (Downloads) directory, you can add a "[firefox]" section with the rule "~/Zazzagewa/: rw +".

The implementation includes the mac_curtain kernel module for mandatory access control (MAC, Mandatory Access Control), a set of patches for the FreeBSD kernel implementing the handlers and filters, the libcurtain library for using the pledge and unveil functions in applications, the curtain utility, example configuration files, a test suite, and patches for some user-space programs (for example, to use $TMPDIR to unify work with temporary files). Where possible, the author intends to minimize the number of changes that require patches to the kernel and applications.

source: budenet.ru
