| jail.8 (187670) | jail.8 (192896) |
|---|---|
| 1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson | 1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson |
| 3.\" Copyright (c) 2008 James Gritton |
|
| 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright --- 15 unchanged lines hidden (view full) --- 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" | 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright --- 15 unchanged lines hidden (view full) --- 27.\" 28.\" ---------------------------------------------------------------------------- 29.\" "THE BEER-WARE LICENSE" (Revision 42): 30.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 31.\" can do whatever you want with this stuff. If we meet some day, and you think 32.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 33.\" ---------------------------------------------------------------------------- 34.\" |
| 34.\" $FreeBSD: head/usr.sbin/jail/jail.8 187670 2009-01-24 15:56:44Z bz $ | 35.\" $FreeBSD: head/usr.sbin/jail/jail.8 192896 2009-05-27 14:30:26Z jamie $ |
| 35.\" | 36.\" |
| 36.Dd January 24, 2009 | 37.Dd May 27, 2009 |
| 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail | 38.Dt JAIL 8 39.Os 40.Sh NAME 41.Nm jail |
| 41.Nd "imprison process and its descendants" | 42.Nd "create or modify a system jail" |
| 42.Sh SYNOPSIS 43.Nm | 43.Sh SYNOPSIS 44.Nm |
| 45.Op Fl dhi 46.Op Fl J Ar jid_file 47.Op Fl l u Ar username | Fl U Ar username 48.Op Fl c | m 49.Op Ar parameter=value ... 50.Br 51.Nm |
|
| 44.Op Fl hi 45.Op Fl n Ar jailname 46.Op Fl J Ar jid_file 47.Op Fl s Ar securelevel 48.Op Fl l u Ar username | Fl U Ar username | 52.Op Fl hi 53.Op Fl n Ar jailname 54.Op Fl J Ar jid_file 55.Op Fl s Ar securelevel 56.Op Fl l u Ar username | Fl U Ar username |
| 49.Ar path hostname [ip[,..]] command ... | 57.Op Ar path hostname [ip[,..]] command ... 58.Br 59.Nm 60.Op Fl r Ar jail |
| 50.Sh DESCRIPTION 51The 52.Nm | 61.Sh DESCRIPTION 62The 63.Nm |
| 53utility imprisons a process and all future descendants. | 64utility creates a new jail or modifies an existing jail, optionally 65imprisoning the current process (and future descendants) inside it. |
| 54.Pp 55The options are as follows: | 66.Pp 67The options are as follows: |
| 56.Bl -tag -width ".Fl u Ar username" | 68.Bl -tag -width indent 69.It Fl d 70Allow making changes to a 71.Va 72dying jail. |
| 57.It Fl h | 73.It Fl h |
| 58Resolve 59.Va hostname | 74Resolve the 75.Va host.hostname 76parameter (or 77.Va hostname ) |
| 60and add all IP addresses returned by the resolver 61to the list of | 78and add all IP addresses returned by the resolver 79to the list of |
| 62.Va ip-addresses 63for this prison. | 80.Va ip 81addresses for this prison. |
| 64This may affect default address selection for outgoing IPv4 connections 65of prisons. 66The address first returned by the resolver for each address family 67will be used as primary address. | 82This may affect default address selection for outgoing IPv4 connections 83of prisons. 84The address first returned by the resolver for each address family 85will be used as primary address. |
| 68See 69.Va ip-addresses 70further down for details. | 86See the 87.Va ip4.addr 88and 89.Va ip6.addr 90parameters further down for details. |
| 71.It Fl i 72Output the jail identifier of the newly created jail. 73.It Fl n Ar jailname | 91.It Fl i 92Output the jail identifier of the newly created jail. 93.It Fl n Ar jailname |
| 74Assign and administrative name to the jail that can be used for management 75or auditing purposes. 76The system will 77.Sy not enforce 78the name to be unique. | 94Set the jail's name. 95This is deprecated and is equivalent to setting the 96.Va name 97parameter. |
| 79.It Fl J Ar jid_file 80Write a 81.Ar jid_file 82file, containing jail identifier, path, hostname, IP and 83command used to start the jail. 84.It Fl l 85Run program in the clean environment. 86The environment is discarded except for --- 6 unchanged lines hidden (view full) --- 93are set to the target login's default values. 94.Ev USER 95is set to the target login. 96.Ev TERM 97is imported from the current environment. 98The environment variables from the login class capability database for the 99target login are also set. 100.It Fl s Ar securelevel | 98.It Fl J Ar jid_file 99Write a 100.Ar jid_file 101file, containing jail identifier, path, hostname, IP and 102command used to start the jail. 103.It Fl l 104Run program in the clean environment. 105The environment is discarded except for --- 6 unchanged lines hidden (view full) --- 112are set to the target login's default values. 113.Ev USER 114is set to the target login. 115.Ev TERM 116is imported from the current environment. 117The environment variables from the login class capability database for the 118target login are also set. 119.It Fl s Ar securelevel |
| 101Sets the | 120Set the |
| 102.Va kern.securelevel | 121.Va kern.securelevel |
| 103sysctl variable to the specified value inside the newly created jail. | 122MIB entry to the specified value inside the newly created jail. 123This is deprecated and is equivalent to setting the 124.Va securelevel 125parameter. |
| 104.It Fl u Ar username 105The user name from host environment as whom the 106.Ar command 107should run. 108.It Fl U Ar username 109The user name from jailed environment as whom the 110.Ar command 111should run. | 126.It Fl u Ar username 127The user name from host environment as whom the 128.Ar command 129should run. 130.It Fl U Ar username 131The user name from jailed environment as whom the 132.Ar command 133should run. |
| 112.It Ar path | 134.It Fl c 135Create a new jail. 136The 137.Va jid 138and 139.Va name 140parameters (if specified) must not refer to an existing jail. 141.It Fl m 142Modify an existing jail. 143One of the 144.Va jid 145or 146.Va name 147parameters must exist and refer to an existing jail. 148.It Fl cm 149Create a jail if it does not exist, or modify a jail if it does exist. 150.It Fl r 151Remove the 152.Ar jail 153specified by jid or name. 154All jailed processes are killed, and all children of this jail are also 155removed. 156.El 157.Pp 158At least one of the 159.Fl c , 160.Fl m 161or 162.Fl r 163options must be specified. 164.Pp 165.Ar Parameters 166are listed in 167.Dq name=value 168form, following the options. 169Some parameters are boolean, and do not have a value but are set by the 170name alone with or without a 171.Dq no 172prefix, e.g. 173.Va persist 174or 175.Va nopersist . 176Any parameters not set will be given default values, often based on the 177current environment. 178.Pp 179The pseudo-parameter 180.Va command 181specifies that the current process should enter the new (or modified) jail, 182and run the specified command. 183It must be the last parameter specified, because it includes not only 184the value following the 185.Sq = 186sign, but also passes the rest of the arguments to the command. 187.Pp 188Instead of supplying named 189.Ar parameters , 190four fixed parameters may be supplied in order on the command line: 191.Ar path , 192.Ar hostname , 193.Ar ip , 194and 195.Ar command . 196As the 197.Va jid 198and 199.Va name 200parameters aren't in this list, this mode will always create a new jail, and 201the 202.Fl c 203and 204.Fl o 205options don't apply (and must not exist). 206.Pp 207Jails have a set a core parameters, and modules can add their own jail 208parameters. 209The current set of available parameters can be retrieved via 210.Dq Nm sysctl Fl d Va security.jail.param . 211The core parameters are: 212.Bl -tag -width indent 213.It Va jid 214The jail identifier. 215This will be assigned automatically to a new jail (or can be explicitly 216set), and can be used to identify the jail for later modification, or 217for such commands as 218.Xr jls 8 219or 220.Xr jexec 8 . 221.It Va name 222The jail name. 223This is an arbitrary string that identifies a jail (except it may not 224contain a 225.Sq \&. ) . 226Like the 227.Va jid , 228it can be passed to later 229.Nm 230commands, or to 231.Xr jls 8 232or 233.Xr jexec 8 . 234If no 235.Va name 236is supplied, a default is assumed that is the same as the 237.Va jid . 238.It Va path |
| 113Directory which is to be the root of the prison. | 239Directory which is to be the root of the prison. |
| 114.It Ar hostname 115Hostname of the prison. 116.It Ar ip-addresses 117None, one or more IPv4 and IPv6 addresses assigned to the prison. 118The first address of each address family that was assigned to the jail will 119be used as the source address in case source address selection on unbound 120sockets cannot find a better match. | 240The 241.Va command 242(if any) is run from this directory, as are commands from 243.Xr jexec 8 . 244.It Va ip4.addr 245A comma-separated list of IPv4 addresses assigned to the prison. 246If this is set, the jail is restricted to using only these address. 247Any attempts to use other addresses fail, and attempts to use wildcard 248addresses silently use the jailed address instead. 249For IPv4 the first address given will be kept used as the source address 250in case source address selection on unbound sockets cannot find a better 251match. |
| 121It is only possible to start multiple jails with the same IP address, 122if none of the jails has more than this single overlapping IP address | 252It is only possible to start multiple jails with the same IP address, 253if none of the jails has more than this single overlapping IP address |
| 123assigned to itself for the address family in question. 124.It Ar command 125Pathname of the program which is to be executed. | 254assigned to itself. 255.Pp 256A list of zero elements (an empty string) will stop the jail from using IPv4 257entirely; setting the boolean parameter 258.Ar noip4 259will not restrict the jail at all. 260.It Va ip6.addr 261A list of IPv6 addresses assigned to the prison, the counterpart to 262.Ar ip4.addr 263above. 264.It Va host.hostname 265Hostname of the prison. 266If not specified, a jail will use the system hostname. 267.It Va securelevel 268The value of the jail's 269.Va kern.securelevel 270sysctl. 271A jail never has a lower securelevel than the default system, but by 272setting this parameter it may have a higher one. 273If the system securelevel is changed, any jail securelevels will be at 274least as secure. 275.It Va enforce_statfs 276This determines which information processes in a jail are able to get 277about mount points. 278It affects the behaviour of the following syscalls: 279.Xr statfs 2 , 280.Xr fstatfs 2 , 281.Xr getfsstat 2 282and 283.Xr fhstatfs 2 284(as well as similar compatibility syscalls). 285When set to 0, all mount points are available without any restrictions. 286When set to 1, only mount points below the jail's chroot directory are 287visible. 288In addition to that, the path to the jail's chroot directory is removed 289from the front of their pathnames. 290When set to 2 (default), above syscalls can operate only on a mount-point 291where the jail's chroot directory is located. 292.It Va persist 293Setting this boolean parameter allows a jail to exist without any 294processes. 295Normally, a jail is destroyed as its last process exits. 296A new jail must have either the 297.Va persist 298parameter or 299.Va command 300pseudo-parameter set. 301.It Va cpuset 302The ID of the cpuset associated with this jail (read-only). 303.It Va dying 304This is true if the jail is in the process of shutting down (read-only). 305.It Va parent 306The 307.Va jid 308of the parent of this jail, or zero if this is a top-level jail 309(read-only). 310.It Va allow.* 311Some restrictions of the jail environment may be set on a per-jail 312basis. 313With the exception of 314.Va allow.set_hostname , 315these boolean parameters are off by default. 316.Bl -tag -width indent 317.It Va allow.set_hostname 318The jail's hostname may be changed via 319.Xr hostname 1 320or 321.Xr sethostname 3 . 322.It Va allow.sysvipc 323A process within the jail has access to System V IPC primitives. 324In the current jail implementation, System V primitives share a single 325namespace across the host and jail environments, meaning that processes 326within a jail would be able to communicate with (and potentially interfere 327with) processes outside of the jail, and in other jails. 328.It Va allow.raw_sockets 329The prison root is allowed to create raw sockets. 330Setting this parameter allows utilities like 331.Xr ping 8 332and 333.Xr traceroute 8 334to operate inside the prison. 335If this is set, the source IP addresses are enforced to comply 336with the IP address bound to the jail, regardless of whether or not 337the 338.Dv IP_HDRINCL 339flag has been set on the socket. 340Since raw sockets can be used to configure and interact with various 341network subsystems, extra caution should be used where privileged access 342to jails is given out to untrusted parties. 343.It Va allow.chflags 344Normally, priveleged users inside a jail are treated as unprivileged by 345.Xr chflags 2 . 346When this parameter is set, such users are treated as privileged, and 347may manipulate system file flags subject to the usual constraints on 348.Va kern.securelevel . 349.It Va allow.mount 350privileged users inside the jail will be able to mount and unmount file 351system types marked as jail-friendly. 352The 353.Xr lsvfs 1 354command can be used to find file system types available for mount from 355within a jail. 356.It Va allow.quotas 357The prison root may administer quotas on the jail's filesystem(s). 358This includes filesystems that the jail may share with other jails or 359with non-jailed parts of the system. 360.It Va allow.socket_af 361Sockets within a jail are normally restricted to IPv4, IPv6, local 362(UNIX), and route. This allows access to other protocol stacks that 363have not had jail functionality added to them. 364.It Va allow.jails 365The prison root may create child jails under this jail. See the 366.Va "Hierarchical Jails" 367section for more information. |
| 126.El | 368.El |
| 369.El |
|
| 127.Pp 128Jails are typically set up using one of two philosophies: either to 129constrain a specific application (possibly running with privilege), or 130to create a 131.Dq "virtual system image" 132running a variety of daemons and services. 133In both cases, a fairly complete file system install of 134.Fx 135is 136required, so as to provide the necessary command line tools, daemons, 137libraries, application configuration files, etc. 138However, for a virtual server configuration, a fair amount of 139additional work is required so as to configure the 140.Dq boot 141process. 142This manual page documents the configuration steps necessary to support 143either of these steps, although the configuration steps may be 144refined based on local requirements. | 370.Pp 371Jails are typically set up using one of two philosophies: either to 372constrain a specific application (possibly running with privilege), or 373to create a 374.Dq "virtual system image" 375running a variety of daemons and services. 376In both cases, a fairly complete file system install of 377.Fx 378is 379required, so as to provide the necessary command line tools, daemons, 380libraries, application configuration files, etc. 381However, for a virtual server configuration, a fair amount of 382additional work is required so as to configure the 383.Dq boot 384process. 385This manual page documents the configuration steps necessary to support 386either of these steps, although the configuration steps may be 387refined based on local requirements. |
| 145.Pp 146Please see the 147.Xr jail 2 148man page for further details. | |
| 149.Sh EXAMPLES 150.Ss "Setting up a Jail Directory Tree" 151To set up a jail directory tree containing an entire 152.Fx 153distribution, the following 154.Xr sh 1 155command script can be used: 156.Bd -literal --- 127 unchanged lines hidden (view full) --- 284with any machine (virtual or not) you will need to set a root password, time 285zone, etc. 286Some of these steps apply only if you intend to run a full virtual server 287inside the jail; others apply both for constraining a particular application 288or for running a virtual server. 289.Pp 290Start a shell in the jail: 291.Pp | 388.Sh EXAMPLES 389.Ss "Setting up a Jail Directory Tree" 390To set up a jail directory tree containing an entire 391.Fx 392distribution, the following 393.Xr sh 1 394command script can be used: 395.Bd -literal --- 127 unchanged lines hidden (view full) --- 523with any machine (virtual or not) you will need to set a root password, time 524zone, etc. 525Some of these steps apply only if you intend to run a full virtual server 526inside the jail; others apply both for constraining a particular application 527or for running a virtual server. 528.Pp 529Start a shell in the jail: 530.Pp |
| 292.Dl "jail /data/jail/192.0.2.100 testhostname 192.0.2.100 /bin/sh" | 531.Bd -literal -offset indent 532jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 533 ip4.addr=192.0.2.100 command=/bin/sh 534.Ed |
| 293.Pp 294Assuming no errors, you will end up with a shell prompt within the jail. 295You can now run 296.Pa /usr/sbin/sysinstall 297and do the post-install configuration to set various configuration options, 298or perform these actions manually by editing 299.Pa /etc/rc.conf , 300etc. --- 53 unchanged lines hidden (view full) --- 354in the examples below. 355To start a virtual server environment, 356.Pa /etc/rc 357is run to launch various daemons and services. 358To do this, first bring up the 359virtual host interface, and then start the jail's 360.Pa /etc/rc 361script from within the jail. | 535.Pp 536Assuming no errors, you will end up with a shell prompt within the jail. 537You can now run 538.Pa /usr/sbin/sysinstall 539and do the post-install configuration to set various configuration options, 540or perform these actions manually by editing 541.Pa /etc/rc.conf , 542etc. --- 53 unchanged lines hidden (view full) --- 596in the examples below. 597To start a virtual server environment, 598.Pa /etc/rc 599is run to launch various daemons and services. 600To do this, first bring up the 601virtual host interface, and then start the jail's 602.Pa /etc/rc 603script from within the jail. |
| 362.Pp 363NOTE: If you plan to allow untrusted users to have root access inside the 364jail, you may wish to consider setting the 365.Va security.jail.set_hostname_allowed 366sysctl variable to 0. 367Please see the management discussion later in this document as to why this 368may be a good idea. 369If you do decide to set this variable, 370it must be set before starting any jails, and once each boot. | |
| 371.Bd -literal -offset indent 372ifconfig ed0 inet alias 192.0.2.100/32 373mount -t procfs proc /data/jail/192.0.2.100/proc | 604.Bd -literal -offset indent 605ifconfig ed0 inet alias 192.0.2.100/32 606mount -t procfs proc /data/jail/192.0.2.100/proc |
| 374jail /data/jail/192.0.2.100 testhostname 192.0.2.100 \\ 375 /bin/sh /etc/rc | 607jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 608 ip4=addr.192.0.2.100 command=/bin/sh /etc/rc |
| 376.Ed 377.Pp 378A few warnings will be produced, because most 379.Xr sysctl 8 380configuration variables cannot be set from within the jail, as they are 381global across all jails and the host environment. 382However, it should all 383work properly. --- 53 unchanged lines hidden (view full) --- 437the intended use of the jail, you may also want to run 438.Pa /etc/rc.shutdown 439from within the jail. 440To kill processes from outside the jail, use the 441.Xr jexec 8 442utility in conjunction with the one of the 443.Xr kill 1 444commands above. | 609.Ed 610.Pp 611A few warnings will be produced, because most 612.Xr sysctl 8 613configuration variables cannot be set from within the jail, as they are 614global across all jails and the host environment. 615However, it should all 616work properly. --- 53 unchanged lines hidden (view full) --- 670the intended use of the jail, you may also want to run 671.Pa /etc/rc.shutdown 672from within the jail. 673To kill processes from outside the jail, use the 674.Xr jexec 8 675utility in conjunction with the one of the 676.Xr kill 1 677commands above. |
| 678You may also remove the jail with 679.Nm 680.Ar -r , 681which will killall the jail's processes with 682.Dv SIGKILL . |
|
| 445.Pp 446The 447.Pa /proc/ Ns Ar pid Ns Pa /status | 683.Pp 684The 685.Pa /proc/ Ns Ar pid Ns Pa /status |
| 448file contains, as its last field, the hostname of the jail in which the | 686file contains, as its last field, the name of the jail in which the |
| 449process runs, or 450.Dq Li - 451to indicate that the process is not running within a jail. 452The 453.Xr ps 1 454command also shows a 455.Ql J 456flag for processes in a jail. | 687process runs, or 688.Dq Li - 689to indicate that the process is not running within a jail. 690The 691.Xr ps 1 692command also shows a 693.Ql J 694flag for processes in a jail. |
| 457However, the hostname for a jail may be, by 458default, modified from within the jail, so the 459.Pa /proc 460status entry is unreliable by default. 461To disable the setting of the hostname 462from within a jail, set the 463.Va security.jail.set_hostname_allowed 464sysctl variable in the host environment to 0, which will affect all jails. 465You can have this sysctl set on each boot using 466.Xr sysctl.conf 5 . 467Just add the following line to 468.Pa /etc/sysctl.conf : | |
| 469.Pp | 695.Pp |
| 470.Dl security.jail.set_hostname_allowed=0 471.Pp | |
| 472You can also list/kill processes based on their jail ID. 473To show processes and their jail ID, use the following command: 474.Pp 475.Dl "ps ax -o pid,jid,args" 476.Pp 477To show and then kill processes in jail number 3 use the following commands: 478.Bd -literal -offset indent 479pgrep -lfj 3 480pkill -j 3 481.Ed 482or: 483.Pp 484.Dl "killall -j 3" 485.Ss "Jails and File Systems" 486It is not possible to 487.Xr mount 8 488or 489.Xr umount 8 490any file system inside a jail unless the file system is marked | 696You can also list/kill processes based on their jail ID. 697To show processes and their jail ID, use the following command: 698.Pp 699.Dl "ps ax -o pid,jid,args" 700.Pp 701To show and then kill processes in jail number 3 use the following commands: 702.Bd -literal -offset indent 703pgrep -lfj 3 704pkill -j 3 705.Ed 706or: 707.Pp 708.Dl "killall -j 3" 709.Ss "Jails and File Systems" 710It is not possible to 711.Xr mount 8 712or 713.Xr umount 8 714any file system inside a jail unless the file system is marked |
| 491jail-friendly. 492See 493.Va security.jail.mount_allowed 494in the 495.Va "Sysctl MIB Entries" 496section. | 715jail-friendly and the jail's 716.Va allow.mount 717parameter is set. |
| 497.Pp 498Multiple jails sharing the same file system can influence each other. 499For example a user in one jail can fill the file system also 500leaving no space for processes in the other jail. 501Trying to use 502.Xr quota 1 503to prevent this will not work either as the file system quotas 504are not aware of jails but only look at the user and group IDs. 505This means the same user ID in two jails share the same file 506system quota. 507One would need to use one file system per jail to make this working. 508.Ss "Sysctl MIB Entries" | 718.Pp 719Multiple jails sharing the same file system can influence each other. 720For example a user in one jail can fill the file system also 721leaving no space for processes in the other jail. 722Trying to use 723.Xr quota 1 724to prevent this will not work either as the file system quotas 725are not aware of jails but only look at the user and group IDs. 726This means the same user ID in two jails share the same file 727system quota. 728One would need to use one file system per jail to make this working. 729.Ss "Sysctl MIB Entries" |
| 509Certain aspects of the jail containments environment may be modified from 510the host environment using 511.Xr sysctl 8 512MIB variables. 513Currently, these variables affect all jails on the system, although in 514the future this functionality may be finer grained. 515.Bl -tag -width XXX 516.It Va security.jail.allow_raw_sockets 517This MIB entry determines whether or not prison root is allowed to 518create raw sockets. 519Setting this MIB to 1 allows utilities like 520.Xr ping 8 521and 522.Xr traceroute 8 523to operate inside the prison. 524If this MIB 525is set, the source IP addresses are enforced to comply 526with the IP address bound to the jail, regardless of whether or not 527the 528.Dv IP_HDRINCL 529flag has been set on the socket. 530Since raw sockets can be used to configure 531and interact with various network subsystems, extra caution should be used 532where privileged access to jails is given out to untrusted parties. 533As such, 534by default this option is disabled. 535.It Va security.jail.enforce_statfs 536This MIB entry determines which information processes in a jail are 537able to get about mount-points. 538It affects the behaviour of the following syscalls: 539.Xr statfs 2 , 540.Xr fstatfs 2 , 541.Xr getfsstat 2 542and 543.Xr fhstatfs 2 544(as well as similar compatibility syscalls). 545When set to 0, all mount-points are available without any restrictions. 546When set to 1, only mount-points below the jail's chroot directory are 547visible. 548In addition to that, the path to the jail's chroot directory is removed 549from the front of their pathnames. 550When set to 2 (default), above syscalls can operate only on a mount-point 551where the jail's chroot directory is located. 552.It Va security.jail.set_hostname_allowed 553This MIB entry determines whether or not processes within a jail are 554allowed to change their hostname via 555.Xr hostname 1 556or 557.Xr sethostname 3 . 558In the current jail implementation, the ability to set the hostname from 559within the jail can impact management tools relying on the accuracy of jail 560information in 561.Pa /proc . 562As such, this should be disabled in environments where privileged access to 563jails is given out to untrusted parties. 564.It Va security.jail.socket_unixiproute_only 565The jail functionality binds an IPv4 address to each jail, and limits 566access to other network addresses in the IPv4 space that may be available 567in the host environment. 568However, jail is not currently able to limit access to other network 569protocol stacks that have not had jail functionality added to them. 570As such, by default, processes within jails may only access protocols 571in the following domains: 572.Dv PF_LOCAL , PF_INET , 573and 574.Dv PF_ROUTE , 575permitting them access to 576.Ux 577domain sockets, 578IPv4 addresses, and routing sockets. 579To enable access to other domains, this MIB variable may be set to 5800. 581.It Va security.jail.sysvipc_allowed 582This MIB entry determines whether or not processes within a jail have access 583to System V IPC primitives. 584In the current jail implementation, System V primitives share a single 585namespace across the host and jail environments, meaning that processes 586within a jail would be able to communicate with (and potentially interfere 587with) processes outside of the jail, and in other jails. 588As such, this functionality is disabled by default, but can be enabled 589by setting this MIB entry to 1. 590.It Va security.jail.chflags_allowed 591This MIB entry determines how a privileged user inside a jail will be 592treated by 593.Xr chflags 2 . 594If zero, such users are treated as unprivileged, and are unable to set 595or clear system file flags; if non-zero, such users are treated as 596privileged, and may manipulate system file flags subject to the usual 597constraints on 598.Va kern.securelevel . 599.It Va security.jail.mount_allowed 600This MIB entry determines if a privileged user inside a jail will be 601able to mount and unmount file system types marked as jail-friendly. 602The 603.Xr lsvfs 1 604command can be used to find file system types available for mount from within 605a jail. 606This functionality is disabled by default, but can be enabled by setting this 607MIB entry to 1. 608.It Va security.jail.jail_max_af_ips 609This MIB entry determines how may address per address family a prison 610may have. The default is 255. 611.El 612.Pp 613The read-only sysctl variable | 730The read-only entry |
| 614.Va security.jail.jailed 615can be used to determine if a process is running inside a jail (value 616is one) or not (value is zero). 617.Pp | 731.Va security.jail.jailed 732can be used to determine if a process is running inside a jail (value 733is one) or not (value is zero). 734.Pp |
| 618The 619.Va security.jail.list 620MIB entry is read-only and it returns an array of 621.Vt "struct xprison" 622defined in 623.In sys/jail.h . 624It is recommended to use the 625.Xr jls 8 626utility to see current active list of jails. | 735The variable 736.Va security.jail.max_af_ips 737determines how may address per address family a prison may have. 738The default is 255. |
| 627.Pp | 739.Pp |
| 628There are currently two MIB related variables that have per-jail settings. | 740There are currently two MIB variables that have per-jail settings. |
| 629Changes to these variables by a jailed process do not effect the host 630environment, only the jail environment. 631The variables are 632.Va kern.securelevel 633and 634.Va kern.hostname . | 741Changes to these variables by a jailed process do not effect the host 742environment, only the jail environment. 743The variables are 744.Va kern.securelevel 745and 746.Va kern.hostname . |
| 747.Ss "Hierarchical Jails" 748By setting a jail's 749.Va allow.jails 750parameter, processes within a jail may be able to create jails of their own. 751These child jails are kept in a hierarchy, with jails only able to see and/or 752modify the jails they created (or those jails' children). 753Each jail has a read-only 754.Va parent 755parameter, containing the 756.Va jid 757of the jail that created it; a 758.Va jid 759of 0 indicates the jail is a child of the current jail (or is a top-level 760jail if the current process isn't jailed). 761.Pp 762Jailed processes are not allowed to confer greater permissions than they 763themselves are given, e.g. if a jail is created with 764.Va allow.nomount , 765it is not able to create a jail with 766.Va allow.mount 767set. 768Similarly, such restrictions as 769.Va ip4.addr 770and 771.Va securelevel 772may not be bypassed in child jails. 773.Pp 774A child jail may in turn create its own child jails if its own 775.Va allow.jails 776parameter is set (remember it is off by default). 777These jails are visible to and can be modified by their parent and all 778ancestors. 779.Pp 780Jail names reflect this hierarchy, with a full name being an MIB-type string 781separated by dots. 782For example, if a base system process creates a jail 783.Dq foo , 784and a process under that jail creates another jail 785.Dq bar , 786then the second jail will be seen as 787.Dq foo.bar 788in the base system (though it is only seen as 789.Dq bar 790to any processes inside jail 791.Dq foo ) . 792Jids on the other hand exist in a single space, and each jail must have a 793unique jid. 794.Pp 795Like the names, a child jail's 796.Va path 797is relative to its creator's own 798.Va path . 799This is by virtue of the child jail being created in the chrooted 800environment of the first jail. |
|
| 635.Sh SEE ALSO 636.Xr killall 1 , 637.Xr lsvfs 1 , 638.Xr newaliases 1 , 639.Xr pgrep 1 , 640.Xr pkill 1 , 641.Xr ps 1 , 642.Xr quota 1 , 643.Xr chroot 2 , | 801.Sh SEE ALSO 802.Xr killall 1 , 803.Xr lsvfs 1 , 804.Xr newaliases 1 , 805.Xr pgrep 1 , 806.Xr pkill 1 , 807.Xr ps 1 , 808.Xr quota 1 , 809.Xr chroot 2 , |
| 644.Xr jail 2 , | 810.Xr jail_set 2 , |
| 645.Xr jail_attach 2 , 646.Xr procfs 5 , 647.Xr rc.conf 5 , 648.Xr sysctl.conf 5 , 649.Xr devfs 8 , 650.Xr halt 8 , 651.Xr inetd 8 , 652.Xr jexec 8 , --- 7 unchanged lines hidden (view full) --- 660.Xr sysctl 8 , 661.Xr syslogd 8 , 662.Xr umount 8 663.Sh HISTORY 664The 665.Nm 666utility appeared in 667.Fx 4.0 . | 811.Xr jail_attach 2 , 812.Xr procfs 5 , 813.Xr rc.conf 5 , 814.Xr sysctl.conf 5 , 815.Xr devfs 8 , 816.Xr halt 8 , 817.Xr inetd 8 , 818.Xr jexec 8 , --- 7 unchanged lines hidden (view full) --- 826.Xr sysctl 8 , 827.Xr syslogd 8 , 828.Xr umount 8 829.Sh HISTORY 830The 831.Nm 832utility appeared in 833.Fx 4.0 . |
| 834Hierarchical/extensible jails were introduced in 835.Fx 8.0 . |
|
| 668.Sh AUTHORS 669.An -nosplit 670The jail feature was written by 671.An Poul-Henning Kamp 672for R&D Associates 673.Pa http://www.rndassociates.com/ 674who contributed it to 675.Fx . 676.Pp 677.An Robert Watson 678wrote the extended documentation, found a few bugs, added 679a few new features, and cleaned up the userland jail environment. 680.Pp 681.An Bjoern A. Zeeb 682added multi-IP jail support for IPv4 and IPv6 based on a patch 683originally done by 684.An Pawel Jakub Dawidek 685for IPv4. | 836.Sh AUTHORS 837.An -nosplit 838The jail feature was written by 839.An Poul-Henning Kamp 840for R&D Associates 841.Pa http://www.rndassociates.com/ 842who contributed it to 843.Fx . 844.Pp 845.An Robert Watson 846wrote the extended documentation, found a few bugs, added 847a few new features, and cleaned up the userland jail environment. 848.Pp 849.An Bjoern A. Zeeb 850added multi-IP jail support for IPv4 and IPv6 based on a patch 851originally done by 852.An Pawel Jakub Dawidek 853for IPv4. |
| 854.Pp 855.An James Gritton 856added the extensible jail parameters and hierchical jails. |
|
| 686.Sh BUGS 687Jail currently lacks the ability to allow access to 688specific jail information via 689.Xr ps 1 690as opposed to 691.Xr procfs 5 . 692Similarly, it might be a good idea to add an 693address alias flag such that daemons listening on all IPs 694.Pq Dv INADDR_ANY 695will not bind on that address, which would facilitate building a safe 696host environment such that host daemons do not impose on services offered 697from within jails. 698Currently, the simplest answer is to minimize services 699offered on the host, possibly limiting it to services offered from 700.Xr inetd 8 701which is easily configurable. | 857.Sh BUGS 858Jail currently lacks the ability to allow access to 859specific jail information via 860.Xr ps 1 861as opposed to 862.Xr procfs 5 . 863Similarly, it might be a good idea to add an 864address alias flag such that daemons listening on all IPs 865.Pq Dv INADDR_ANY 866will not bind on that address, which would facilitate building a safe 867host environment such that host daemons do not impose on services offered 868from within jails. 869Currently, the simplest answer is to minimize services 870offered on the host, possibly limiting it to services offered from 871.Xr inetd 8 872which is easily configurable. |