19 lines
635 B
Markdown
# FreeBSD mapping notes (draft)
## Isolation domains
- Use **jails** to isolate tools/workers.
- Map `domain_id` to a jail instance.
## Capabilities
- Use **Capsicum** to restrict tool runners.
- Capabilities are represented as scoped grants in the cognitive kernel and realized via Capsicum + pre-opened descriptors.
## Eventing
- Use **kqueue** for event-driven IO in the cognitive runtime.
- Provenance logs are append-only files (optionally per-domain datasets on ZFS).
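The two notes above (scoped grants realized via Capsicum plus pre-opened descriptors, and an append-only provenance log) fit one worker skeleton. The block below is an added example written for these notes, not code from the project: the `grant_kind` shape is assumed, and the input and log files are constructed in `/tmp`. The Capsicum calls (`cap_rights_limit`, `cap_enter`, `ECAPMODE`) are compiled only on FreeBSD so the file still builds elsewhere, where `capability_mode_supported()` reports 0 and the run shows plain descriptor I/O without a sandbox.

```c
/* Added example: a Capsicum tool-runner skeleton for the mapping notes.
 * Every object a worker may touch is opened and narrowed BEFORE cap_enter();
 * afterwards the worker can only use what it was handed. */
#ifdef __linux__
#define _GNU_SOURCE          /* mkstemp() visibility under strict -std flags */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Assumed shape of a scoped grant as the cognitive kernel hands it to a worker. */
enum grant_kind { GRANT_READ_ONLY, GRANT_APPEND_ONLY };

/* Resolve a grant to a descriptor now (global namespace still reachable),
 * then limit the descriptor to the granted rights. Returns fd or -1. */
int open_scoped_grant(const char *path, enum grant_kind kind)
{
    int flags = (kind == GRANT_READ_ONLY) ? O_RDONLY : (O_WRONLY | O_APPEND);
    int fd = open(path, flags);
    if (fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    if (kind == GRANT_READ_ONLY)
        cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    else
        cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT); /* no CAP_SEEK: append only */
    if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
#endif
    return fd;
}

int capability_mode_supported(void)
{
#ifdef __FreeBSD__
    return 1;
#else
    return 0;
#endif
}

/* Enter capability mode; from here on the global namespace is unreachable. */
int enter_tool_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Check that a fresh open() of a global path is refused with ECAPMODE. */
int global_namespace_is_closed(void)
{
    int fd = open("/", O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
#ifdef __FreeBSD__
    return errno == ECAPMODE;
#else
    return 0;
#endif
}

/* One worker run on constructed input. Result bits: 1 = I/O through the
 * pre-opened descriptors worked, 2 = sandbox entered, 4 = global namespace
 * verified closed. Cached, because cap_enter() is one-way for the process. */
int demo_result(void)
{
    static int cached = -1;
    if (cached >= 0)
        return cached;
    cached = 0;

    char in_path[] = "/tmp/toolrun-in-XXXXXX";   /* constructed sample files */
    char log_path[] = "/tmp/toolrun-log-XXXXXX";
    const char *input = "constructed tool input\n";
    int in_fd = mkstemp(in_path), log_fd = mkstemp(log_path);
    if (in_fd < 0 || log_fd < 0)
        return cached;
    if (write(in_fd, input, strlen(input)) < 0)
        return cached;
    close(in_fd);
    close(log_fd);

    int in = open_scoped_grant(in_path, GRANT_READ_ONLY);
    int log = open_scoped_grant(log_path, GRANT_APPEND_ONLY);
    unlink(in_path);   /* must happen before cap_enter(); descriptors stay valid */
    unlink(log_path);
    if (in < 0 || log < 0)
        return cached;

    if (enter_tool_sandbox() == 0)
        cached |= 2;
    if (global_namespace_is_closed())
        cached |= 4;

    char buf[64] = {0};
    ssize_t n = read(in, buf, sizeof buf - 1);
    const char *prov = "provenance: tool ran on input\n";
    if (n == (ssize_t)strlen(input) && strcmp(buf, input) == 0 &&
        write(log, prov, strlen(prov)) == (ssize_t)strlen(prov))
        cached |= 1;
    close(in);
    close(log);
    return cached;
}

int main(void)
{
    printf("sandbox supported: %d, result bits: %d\n",
           capability_mode_supported(), demo_result());
    return 0;
}
```

On FreeBSD the run reports result bits 7: reads and appends go through the pre-opened descriptors, while a new `open()` of any path fails with `ECAPMODE`. Omitting `CAP_SEEK` from the log descriptor is what makes the provenance log append-only from the worker's side; a ZFS dataset per domain can add the same guarantee from the storage side.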
## Resource control
- `rctl`, login classes and `cpuset` can enforce limits.
- Budgeting logic lives in the cognitive runtime; enforcement uses kernel primitives.