Ku-FreeBSD, ukuqaliswa kokusebenza kwendlela yokuhlukanisa kuhlongozwa, okukhumbuza i-plegde kanye nokwembula izingcingo zesistimu ezithuthukiswe iphrojekthi ye-OpenBSD. Ukuzihlukanisa ku-plegde kufinyelelwa ngokuvimbela ukufinyelela kumakholi wesistimu angasetshenziswa kuhlelo lokusebenza, futhi ekuvezeni ngokukhetha ngokuvula ukufinyelela ezindleleni zefayela ngazinye uhlelo olungasebenza ngazo. Ngohlelo lokusebenza, kwakhiwa uhlobo lohlu olumhlophe lwezingcingo zesistimu nezindlela zefayela, futhi zonke ezinye izingcingo nezindlela azivunyelwe.
Umehluko phakathi kwe-analogue ye-plegde kanye nokuvezwa okuthuthukisiwe kwe-FreeBSD wehlela ekuhlinzekweni kwesendlalelo esengeziwe esikuvumela ukuthi uhlukanise izinhlelo zokusebenza ngaphandle kokwenza izinguquko kukhodi yazo noma ngezinguquko ezincane. Khumbula ukuthi ku-OpenBSD, i-plegde ne-unveil ihloselwe ukuhlanganiswa okuqinile nendawo engaphansi futhi isetshenziswa ngokwengeza izichasiselo ezikhethekile kukhodi yohlelo ngalunye. Ukwenza kube lula ukuhlelwa kokuvikela, izihlungi zikuvumela ukuthi ukhiphe imininingwane ngezinga lezingcingo zesistimu ngayinye futhi ulawule izigaba zezingcingo zesistimu (okokufaka/okukhiphayo, amafayela okufunda, amafayela okubhala, amasokhethi, ioctl, i-sysctl, ukuqaliswa kwenqubo, njll.) . Imisebenzi yokuvinjelwa kokufinyelela ingabizwa kukhodi yesicelo njengoba kwenziwa izenzo ezithile, isibonelo, ukufinyelela kumasokhethi namafayela kunganqatshelwa ngemva kokuvula amafayela adingekayo nokusungula uxhumano lwenethiwekhi.
Umbhali we-port of plegde kanye ne-unveil ye-FreeBSD uhlose ukuhlinzeka ngekhono lokuhlukanisa izinhlelo zokusebenza eziphikisanayo, lapho kuhlongozwa khona insiza yamakhethini, okukuvumela ukuthi usebenzise imithetho echazwe efayeleni elihlukile kuzinhlelo zokusebenza. Ukulungiselelwa okuhlongozwayo kuhlanganisa ifayela elinezilungiselelo eziyisisekelo ezichaza izigaba zezingcingo zesistimu nezindlela zefayela ezivamile eziqondene nezinhlelo ezithile zokusebenza (ukusebenza ngomsindo, ukusebenzisana kwenethiwekhi, ukuloga, njll.), kanye nefayela elinemithetho yokufinyelela yezinhlelo zokusebenza ezithile.
Umsebenzi wamakhethini ungasetshenziswa ukuhlukanisa izinsiza eziningi ezingalungiswanga, izinqubo zeseva, izinhlelo zokusebenza zezithombe, kanye namaseshini edeskithophu. Ikhethini lingasetshenziswa ngokuhambisana nezindlela zokuzihlukanisa ezihlinzekwa yi-Jail kanye ne-Capsicum subsystems. Kungenzeka futhi ukuhlela ukuhlukaniswa okufakwe isidleke, lapho izinhlelo zokusebenza eziqalisiwe zithatha ifa lemithetho ebekiwe yohlelo lokusebenza lomzali, izengezelele ngemikhawulo ngayinye. Eminye imisebenzi ye-kernel (izindawo zokulungisa iphutha, i-POSIX/SysV IPC, i-PTYs) ivikelwe futhi yindlela yokuvimbela evimbela ukufinyelela ezintweni ze-kernel ezingadalwanga inqubo yamanje noma yomzali.
Inqubo ingalungiselela ukuhlukaniswa kwayo ngokubiza i-curtainctl noma ngokusebenzisa i-libcurtain's plegde() kanye nemisebenzi ye-unveil(), efana naleyo etholakala ku-OpenBSD. Ukuze ulandelele izikhiya ngenkathi uhlelo lokusebenza lusebenza, i-sysctl 'security.curtain.log_level' inikezwa. Ukufinyelela kuzimiso ze-X11 kanye ne-Wayland kunikwe amandla ngokuhlukana ngokucacisa izinketho ze-β-Xβ/β-Yβ kanye βno-β-Wβ uma usebenzisa ikhethini, kodwa ukusekelwa kwezithombe akukazinzisiswa ngokwanele futhi kunenqwaba yezinkinga ezingaxazululiwe ( izinkinga zivela kakhulu uma usebenzisa i-X11 , futhi ukwesekwa kwe-Wayland kusetshenziswa kangcono kakhulu). Abasebenzisi bangangeza imikhawulo eyengeziwe ngokudala amafayela emithetho yendawo (~/.curtain.conf). Isibonelo, ukuze uvumele ukubhala kusuka ku-Firfox kuphela ku-~/Downloads/ directory, ungakwazi ukwengeza ingxenye ethi "[firefox]" ngomthetho othi "~/Ukulanda/ : rw +".
Ukuqaliswa kuhlanganisa imojula ye-mac_curtain kernel yokulawula ukufinyelela okuyisibopho (i-MAC, Ukulawulwa Kokufinyelela Okuphoqelekile), isethi yeziqephu ze-FreeBSD kernel nokuqaliswa kwezibambi nezihlungi ezidingekayo, umtapo wezincwadi we-libcurtain wokusebenzisa i-plegde nokwembula imisebenzi ezinhlelweni zokusebenza, insiza yekhethini, isibonelo samafayela okumisa, isethi yokuhlola namapeshi kwezinye izinhlelo esikhaleni somsebenzisi (isibonelo, ngokusebenzisa i-$TMPDIR ukuhlanganisa umsebenzi namafayela esikhashana). Lapho kungenzeka khona, umbhali uhlose ukunciphisa inani lezinguquko ezidinga ama-patches ku-kernel kanye nezinhlelo zokusebenza.
Source: opennet.ru