70a6427140
PR: kern/103464 Submitted by: brueffer (correct markup) Reviewed by: brueffer MFC after: 2 weeks
172 lines
4.0 KiB
Groff
172 lines
4.0 KiB
Groff
.\"
|
|
.\" ----------------------------------------------------------------------------
|
|
.\" "THE BEER-WARE LICENSE" (Revision 42):
|
|
.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
|
|
.\" can do whatever you want with this stuff. If we meet some day, and you think
|
|
.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
|
|
.\" ----------------------------------------------------------------------------
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd January 6, 2009
|
|
.Dt JAIL 2
|
|
.Os
|
|
.Sh NAME
|
|
.Nm jail , jail_attach
|
|
.Nd imprison current process and future descendants
|
|
.Sh LIBRARY
|
|
.Lb libc
|
|
.Sh SYNOPSIS
|
|
.In sys/param.h
|
|
.In sys/jail.h
|
|
.Ft int
|
|
.Fn jail "struct jail *jail"
|
|
.Ft int
|
|
.Fn jail_attach "int jid"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn jail
|
|
system call sets up a jail and locks the current process in it.
|
|
.Pp
|
|
The argument is a pointer to a structure describing the prison:
|
|
.Bd -literal -offset indent
|
|
struct jail {
|
|
u_int32_t version;
|
|
char *path;
|
|
char *hostname;
|
|
char *jailname;
|
|
unsigned int ip4s;
|
|
unsigned int ip6s;
|
|
struct in_addr *ip4;
|
|
struct in6_addr *ip6;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
.Dq Li version
|
|
defines the version of the API in use.
|
|
.Dv JAIL_API_VERSION
|
|
is defined for the current version.
|
|
.Pp
|
|
The
|
|
.Dq Li path
|
|
pointer should be set to the directory which is to be the root of the
|
|
prison.
|
|
.Pp
|
|
The
|
|
.Dq Li hostname
|
|
pointer can be set to the hostname of the prison.
|
|
This can be changed
|
|
from the inside of the prison.
|
|
.Pp
|
|
The
|
|
.Dq Li jailname
|
|
pointer is an optional name that can be assigned to the jail
|
|
for example for managment purposes.
|
|
.Pp
|
|
The
|
|
.Dq Li ip4s
|
|
and
|
|
.Dq Li ip6s
|
|
give the numbers of IPv4 and IPv6 addresses that will be passed
|
|
via their respective pointers.
|
|
.Pp
|
|
The
|
|
.Dq Li ip4
|
|
and
|
|
.Dq Li ip6
|
|
pointers can be set to an arrays of IPv4 and IPv6 addresses to be assigned to
|
|
the prison, or NULL if none.
|
|
IPv4 addresses must be in network byte order.
|
|
.Pp
|
|
The
|
|
.Fn jail_attach
|
|
system call attaches the current process to an existing jail,
|
|
identified by
|
|
.Fa jid .
|
|
.Sh RETURN VALUES
|
|
If successful,
|
|
.Fn jail
|
|
returns a non-negative integer, termed the jail identifier (JID).
|
|
It returns \-1 on failure, and sets
|
|
.Va errno
|
|
to indicate the error.
|
|
.Pp
|
|
.Rv -std jail_attach
|
|
.Sh PRISON?
|
|
Once a process has been put in a prison, it and its descendants cannot escape
|
|
the prison.
|
|
.Pp
|
|
Inside the prison, the concept of
|
|
.Dq superuser
|
|
is very diluted.
|
|
In general,
|
|
it can be assumed that nothing can be mangled from inside a prison which
|
|
does not exist entirely inside that prison.
|
|
For instance the directory
|
|
tree below
|
|
.Dq Li path
|
|
can be manipulated all the ways a root can normally do it, including
|
|
.Dq Li "rm -rf /*"
|
|
but new device special nodes cannot be created because they reference
|
|
shared resources (the device drivers in the kernel).
|
|
The effective
|
|
.Dq securelevel
|
|
for a process is the greater of the global
|
|
.Dq securelevel
|
|
or, if present, the per-jail
|
|
.Dq securelevel .
|
|
.Pp
|
|
All IP activity will be forced to happen to/from the IP number specified,
|
|
which should be an alias on one of the network interfaces.
|
|
All connections to/from the loopback address
|
|
.Pf ( Li 127.0.0.1
|
|
for IPv4,
|
|
.Li ::1
|
|
for IPv6) will be changed to be to/from the primary address
|
|
of the jail for the given address family.
|
|
.Pp
|
|
It is possible to identify a process as jailed by examining
|
|
.Dq Li /proc/<pid>/status :
|
|
it will show a field near the end of the line, either as
|
|
a single hyphen for a process at large, or the hostname currently
|
|
set for the prison for jailed processes.
|
|
.Sh ERRORS
|
|
The
|
|
.Fn jail
|
|
system call
|
|
will fail if:
|
|
.Bl -tag -width Er
|
|
.It Bq Er EINVAL
|
|
The version number of the argument is not correct.
|
|
.It Bq Er EAGAIN
|
|
No free JID could be found.
|
|
.El
|
|
.Pp
|
|
Further
|
|
.Fn jail
|
|
calls
|
|
.Xr chroot 2
|
|
internally, so it can fail for all the same reasons.
|
|
Please consult the
|
|
.Xr chroot 2
|
|
manual page for details.
|
|
.Sh SEE ALSO
|
|
.Xr chdir 2 ,
|
|
.Xr chroot 2
|
|
.Sh HISTORY
|
|
The
|
|
.Fn jail
|
|
system call appeared in
|
|
.Fx 4.0 .
|
|
The
|
|
.Fn jail_attach
|
|
system call appeared in
|
|
.Fx 5.1 .
|
|
.Sh AUTHORS
|
|
The jail feature was written by
|
|
.An Poul-Henning Kamp
|
|
for R&D Associates
|
|
.Dq Li http://www.rndassociates.com/
|
|
who contributed it to
|
|
.Fx .
|