Network egress control — compute isolation means nothing if the sandbox can freely phone home. Options range from disabling networking entirely, to running an allowlist proxy (like Squid) that blocks DNS resolution inside the sandbox and forces all traffic through a domain-level allowlist, to dropping CAP_NET_RAW so the sandbox cannot bypass DNS with raw sockets.
politics, DSD-1 later reemerged (with just slight changes) as the Data Encryption
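Put simply, to do L3 you first need to do L2 to accumulate data. Likewise, doing L4 depends on L3 data. Technically they form one continuous lineage; there is no technical route that gets there in a single leap.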