An application isolation mechanism modelled on the OpenBSD system calls pledge and unveil has been proposed for FreeBSD. With pledge, isolation works by forbidding the system calls an application does not use; with unveil, by selectively opening access only to the individual file paths the application may operate on. The result is a whitelist of system calls and file paths generated for the application, with all other calls and paths forbidden.
The FreeBSD analogue of pledge and unveil differs in that it provides an additional layer that lets applications be isolated without changing their code, or with only minimal changes. Recall that OpenBSD's pledge and unveil are designed for close integration with the base system and are used by adding special annotations to the code of each application. To simplify setting up protection, the filters can operate on classes of system calls (I/O, file reading, file writing, sockets, ioctl, sysctl, process launching, etc.) rather than on individual system calls. The access restriction functions can be called from application code as particular actions are completed; for example, access to sockets and files can be closed once the necessary files have been opened and the network connection established.
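As an added example (not code from the article or from the FreeBSD port itself), here is what the OpenBSD-style annotation pattern described above looks like in C: the program opens its config under a narrow unveil list and a broad pledge, then pledges down to plain stdio once setup is complete. pledge() and unveil() are the real OpenBSD calls; the no-op stubs for other systems are an assumption added only so the file compiles elsewhere.

```c
/* Added example, not from the article: OpenBSD-style pledge/unveil
 * annotations. Outside OpenBSD the two calls are replaced by no-op stubs
 * (portability assumption) so the file still compiles and runs. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef __OpenBSD__   /* portability stubs; the real calls exist only on OpenBSD */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif

/* Phase 1: the config file is the only visible path ("r" read, "c" create/remove,
 * needed only because the demo deletes its temp file); promises stay broad. */
static int restrict_startup(const char *config_path)
{
    if (unveil(config_path, "rc") == -1) return -1;
    if (unveil(NULL, NULL) == -1) return -1;     /* lock the unveil list */
    return pledge("stdio rpath cpath inet dns", NULL);
}

/* Phase 2: config read and connection made; keep only reads/writes on descriptors
 * already open. A later pledge() can shrink the promise set, never widen it. */
static int restrict_steady_state(void) { return pledge("stdio", NULL); }

/* Reads the server name from the first line of the config file. */
static int read_server_name(const char *path, char *out, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(out, (int)len, f) != NULL;
    fclose(f);
    if (ok) out[strcspn(out, "\n")] = '\0';
    return ok ? 0 : -1;
}

/* Runs both phases against a constructed config; returns 0 on success.
 * The connect() step itself is omitted so the example stays offline. */
int demo_run(void)
{
    char path[] = "/tmp/curtain-demo-XXXXXX", name[64];
    int fd = mkstemp(path);
    if (fd == -1 || write(fd, "example.test\n", 13) != 13) return -1;
    close(fd);
    int ok = restrict_startup(path) == 0
          && read_server_name(path, name, sizeof name) == 0
          && strcmp(name, "example.test") == 0;
    unlink(path);   /* permitted by the "cpath" promise and the "c" unveil flag */
    return ok && restrict_steady_state() == 0 ? 0 : -1;
}
```

On OpenBSD any call outside the current promise set (for example opening another file after the second pledge) terminates the process; on other systems the stubs make the sequence a no-op.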
The author of the pledge and unveil port intends to provide a way to isolate arbitrary applications; for this the curtain utility is proposed, which applies rules defined in a separate file to an application. The proposed configuration consists of a file with basic settings, defining system call classes and the typical file paths used by particular kinds of applications (audio, network interaction, logging, etc.), and a file with the access rules for specific applications.