jail.2 (233648) | jail.2 (234712) |
---|---|
1.\" Copyright (c) 1999 Poul-Henning Kamp. 2.\" Copyright (c) 2009 James Gritton. 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" | 1.\" Copyright (c) 1999 Poul-Henning Kamp. 2.\" Copyright (c) 2009 James Gritton. 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 9 unchanged lines hidden (view full) --- 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" |
26.\" $FreeBSD: head/lib/libc/sys/jail.2 233648 2012-03-29 05:02:12Z eadler $ | 26.\" $FreeBSD: head/lib/libc/sys/jail.2 234712 2012-04-26 17:36:05Z jamie $ |
27.\" 28.Dd February 8, 2012 29.Dt JAIL 2 30.Os 31.Sh NAME 32.Nm jail , 33.Nm jail_get , 34.Nm jail_set , --- 207 unchanged lines hidden (view full) --- 242and 243.Fn jail_get 244return a non-negative integer, termed the jail identifier (JID). 245They return \-1 on failure, and set 246.Va errno 247to indicate the error. 248.Pp 249.Rv -std jail_attach jail_remove | 27.\" 28.Dd February 8, 2012 29.Dt JAIL 2 30.Os 31.Sh NAME 32.Nm jail , 33.Nm jail_get , 34.Nm jail_set , --- 207 unchanged lines hidden (view full) --- 242and 243.Fn jail_get 244return a non-negative integer, termed the jail identifier (JID). 245They return \-1 on failure, and set 246.Va errno 247to indicate the error. 248.Pp 249.Rv -std jail_attach jail_remove |
250.Sh PRISON? 251Once a process has been put in a prison, it and its descendants cannot escape 252the prison. 253.Pp 254Inside the prison, the concept of 255.Dq superuser 256is very diluted. 257In general, 258it can be assumed that nothing can be mangled from inside a prison which 259does not exist entirely inside that prison. 260For instance the directory 261tree below 262.Dq Li path 263can be manipulated all the ways a root can normally do it, including 264.Dq Li "rm -rf /*" 265but new device special nodes cannot be created because they reference 266shared resources (the device drivers in the kernel). 267The effective 268.Dq securelevel 269for a process is the greater of the global 270.Dq securelevel 271or, if present, the per-jail 272.Dq securelevel . 273.Pp 274All IP activity will be forced to happen to/from the IP number specified, 275which should be an alias on one of the network interfaces. 276All connections to/from the loopback address 277.Pf ( Li 127.0.0.1 278for IPv4, 279.Li ::1 280for IPv6) will be changed to be to/from the primary address 281of the jail for the given address family. 282.Pp 283It is possible to identify a process as jailed by examining 284.Dq Li /proc/<pid>/status : 285it will show a field near the end of the line, either as 286a single hyphen for a process at large, or the name currently 287set for the prison for jailed processes. | |
288.Sh ERRORS 289The 290.Fn jail 291system call 292will fail if: 293.Bl -tag -width Er 294.It Bq Er EPERM 295This process is not allowed to create a jail, either because it is not --- 114 unchanged lines hidden (view full) --- 410.Pp 411Further 412.Fn jail , 413.Fn jail_set , 414and 415.Fn jail_attach 416call 417.Xr chroot 2 | 250.Sh ERRORS 251The 252.Fn jail 253system call 254will fail if: 255.Bl -tag -width Er 256.It Bq Er EPERM 257This process is not allowed to create a jail, either because it is not --- 114 unchanged lines hidden (view full) --- 372.Pp 373Further 374.Fn jail , 375.Fn jail_set , 376and 377.Fn jail_attach 378call 379.Xr chroot 2 |
418internally, so it can fail for all the same reasons. | 380internally, so they can fail for all the same reasons. |
419Please consult the 420.Xr chroot 2 421manual page for details. 422.Sh SEE ALSO 423.Xr chdir 2 , 424.Xr chroot 2 , 425.Xr jail 8 426.Sh HISTORY --- 24 unchanged lines hidden --- | 381Please consult the 382.Xr chroot 2 383manual page for details. 384.Sh SEE ALSO 385.Xr chdir 2 , 386.Xr chroot 2 , 387.Xr jail 8 388.Sh HISTORY --- 24 unchanged lines hidden --- |
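Review bot: the PRISON? section (old lines 250-287) is deleted outright with no replacement text, and it is the only place on this page that documents the effective-securelevel rule (the greater of the global and the per-jail securelevel), the forcing of IP traffic to the jail's address with loopback (127.0.0.1 / ::1) rewritten to the jail's primary address, and the /proc/<pid>/status field that tells a jailed process apart from one at large. If that material now lives in jail(8), which SEE ALSO already references, the change should say so; if not, operational guidance that administrators rely on is lost and should be moved rather than dropped. Note also that ".Dd February 8, 2012" is unchanged on both sides even though an entire section is removed; a content change of this size should bump the manual page date.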
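Review bot: the pronoun change at new line 380 ("so they can fail for all the same reasons") is the correct agreement fix, since the subject is the three functions jail, jail_set and jail_attach listed just above it. While this sentence is being touched, "Further" at new line 373 should become "Further," with a comma, because it is an adverb introducing the clause and otherwise reads as if it belonged to the function list.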