freebsd-dev/lib/libc/sys/jail.2
Mike Barcroft fd7a8150fb o In struct prison, add an allprison linked list of prisons (protected
by allprison_mtx), a unique prison/jail identifier field, two path
  fields (pr_path for reporting and pr_root vnode instance) to store
  the chroot() point of each jail.
o Add jail_attach(2) to allow a process to bind to an existing jail.
o Add change_root() to perform the chroot operation on a specified
  vnode.
o Generalize change_dir() to accept a vnode, and move namei() calls
  to callers of change_dir().
o Add a new sysctl (security.jail.list) which is a group of
  struct xprison instances that represent a snapshot of active jails.

Reviewed by:	rwatson, tjr
2003-04-09 02:55:18 +00:00

136 lines
3.3 KiB
Groff

.\"
.\"----------------------------------------------------------------------------
.\""THE BEER-WARE LICENSE" (Revision 42):
.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
.\"can do whatever you want with this stuff. If we meet some day, and you think
.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
.\"----------------------------------------------------------------------------
.\"
.\"$FreeBSD$
.\"
.Dd April 8, 2003
.Dt JAIL 2
.Os
.Sh NAME
.Nm jail
.Nd imprison current process and future decendants
.Sh LIBRARY
.Lb libc
.Sh SYNOPSIS
.In sys/param.h
.In sys/jail.h
.Ft int
.Fn jail "struct jail *jail"
.Ft int
.Fn jail_attach "int jid"
.Sh DESCRIPTION
The
.Fn jail
system call sets up a jail and locks the current process in it.
.Pp
The argument is a pointer to a structure describing the prison:
.Bd -literal -offset indent
struct jail {
u_int32_t version;
char *path;
char *hostname;
u_int32_t ip_number;
};
.Ed
.Pp
.Dq Li version
defines the version of the API in use. It should be set to zero at this time.
.Pp
The
.Dq Li path
pointer should be set to the directory which is to be the root of the
prison.
.Pp
The
.Dq Li hostname
pointer can be set to the hostname of the prison. This can be changed
from the inside of the prison.
.Pp
The
.Dq Li ip_number
can be set to the IP number assigned to the prison.
.Pp
The
.Fn jail_attach
system call attaches the current process to an existing jail,
identified by
.Va jid .
.Sh RETURN VALUES
If successful,
.Fn jail
returns a non-negative integer, termed the jail identifier (JID).
It returns -1 on failure, and sets
.Va errno
to indicate the error.
.Pp
If successful,
.Fn jail_attach
returns 0.
It returns -1 on failure, and sets
.Va errno
to indicate the error.
.Sh PRISON?
Once a process has been put in a prison, it and its decendants cannot escape
the prison.
.Pp
Inside the prison, the concept of "superuser" is very diluted. In general,
it can be assumed that nothing can be mangled from inside a prison which
does not exist entirely inside that prison. For instance the directory
tree below
.Dq Li path
can be manipulated all the ways a root can normally do it, including
.Dq Li "rm -rf /*"
but new device special nodes cannot be created because they reference
shared resources (the device drivers in the kernel).
.Pp
All IP activity will be forced to happen to/from the IP number specified,
which should be an alias on one of the network interfaces.
.Pp
It is possible to identify a process as jailed by examining
.Dq Li /proc/<pid>/status :
it will show a field near the end of the line, either as
a single hyphen for a process at large, or the hostname currently
set for the prison for jailed processes.
.Sh ERRORS
The
.Fn jail
system call
will fail if:
.Bl -tag -width Er
.It Bq Er EINVAL
The version number of the argument is not correct.
.El
.Pp
Further
.Fn jail
calls
.Xr chroot 2
internally, so it can fail for all the same reasons.
Please consult the
.Xr chroot 2
manual page for details.
.Sh SEE ALSO
.Xr chdir 2 ,
.Xr chroot 2
.Sh HISTORY
The
.Fn jail
system call appeared in
.Fx 4.0 .
The
.Fn jail_attach
system call appeared in
.Fx 5.1 .
.Sh AUTHORS
The jail feature was written by
.An Poul-Henning Kamp
for R&D Associates
.Dq Li http://www.rndassociates.com/
who contributed it to
.Fx .