===== The JAIL module =====

The JAIL module provides a new call, rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all of its subprocesses. Some of these restrictions can be turned off by flags to the syscall or to the rsbac_jail command line wrapper; these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP address for binding (may be 0.0.0.0 for any) as a parameter. Both the chroot and the IP address limit are optional.

Processes in a jail may not:

  * Add or remove kernel modules.
  * Shut down or reboot the system.
  * Mount or umount filesystems.
  * Create sockets of other types than UNIX and INET (IPv4).
  * Use other INET (IPv4) addresses than the given one (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
  * Create INET raw sockets.
  * Access IPC objects outside this jail.
  * Create device special files (to prevent unwanted device accesses).
  * Signal, trace or get status from processes outside this jail.
  * Change Linux file modes to include suid or sgid flags.
  * Set rlimits.
  * Modify settings of any non-rlimit SCD or NETDEV target.
  * Access RSBAC attributes.
  * Access RSBAC Network Templates.
  * Switch off Linux DAC.
  * Switch RSBAC modules, softmode or log settings.
  * Access any other namespaces than its own (if enabled).

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

Possible switches controlling access in detail:

  * -I addr = limit to IP address,
  * -R dir = chroot to dir,
  * -N = enclose process in its private namespace (the process won't be able to see any filesystem tree that was mounted after it was jailed; 2.6 kernels only!),
  * -C cap-list = limit Linux capabilities for jailed processes; use a bit-vector, a numeric value or a list of names of the desired caps, A = all, FS_MASK = all filesystem related,
  * -L = list all Linux capabilities,
  * -S = list all SCD targets,
  * -v = verbose,
  * -i = allow access to IPC outside this jail,
  * -n = allow all network families, not only UNIX and INET (IPv4),
  * -r = allow INET (IPv4) raw sockets (e.g. for ping),
  * -a = auto-adjust INET any address 0.0.0.0 to the jail address, if set,
  * -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
  * -d = allow read access on devices, -D = allow write access,
  * -e = allow GET_STATUS_DATA on devices, -E = allow MODIFY_SYSTEM_DATA,
  * -t = allow *_OPEN on tty devices,
  * -G scd ... = allow GET_STATUS_DATA on these SCD targets,
  * -M scd ... = allow MODIFY_SYSTEM_DATA on these SCD targets.

Deprecated old options, please use -G and -M instead:

  * -l = allow to modify rlimits (-M rlimit),
  * -c = allow to modify the system clock (-M SCD clock time_strucs),
  * -m = allow to lock memory (-M mlock),
  * -p = allow to modify priority (-M priority),
  * -k = allow to get kernel symbols (-G ksyms).
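The network rules above (the UNIX/INET family limit, the INET raw-socket ban, the -I bind-address limit and its -a and -o relaxations) are easiest to reason about as a small decision table. The following is an added example written for this page; it is not RSBAC code and does not call the rsbac_jail syscall. It models only the decisions the text describes, so a reader can see which combination of switches lets a given socket() or bind() request through. The class name JailNetPolicy, its field names and the sample requests are all constructed for the example; the numeric family and type constants are the ordinary Linux values.

```python
"""Simplified model of the RSBAC JAIL network rules (added example, not RSBAC code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Ordinary Linux numeric values for the families/types the page mentions.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
SOCK_STREAM, SOCK_DGRAM, SOCK_RAW = 1, 2, 3
ANY_ADDR = "0.0.0.0"
LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class JailNetPolicy:
    """Network-related switches of one jail, named after the rsbac_jail flags.
    Hypothetical model class; field names are this example's, not RSBAC's."""
    ip_addr: Optional[str] = None   # -I addr (None = no IP limit at all)
    all_families: bool = False      # -n
    raw_sockets: bool = False       # -r
    auto_adjust_any: bool = False   # -a
    allow_loopback: bool = False    # -o

    def check_socket(self, family: int, sock_type: int) -> Tuple[bool, str]:
        """Decide whether socket(family, sock_type) is permitted inside the jail."""
        if family not in (AF_UNIX, AF_INET) and not self.all_families:
            return False, "family is not UNIX/INET and -n is not set"
        if family == AF_INET and sock_type == SOCK_RAW and not self.raw_sockets:
            return False, "INET raw socket and -r is not set"
        return True, "ok"

    def check_bind(self, addr: str) -> Tuple[bool, Optional[str], str]:
        """Decide bind() on an INET socket.

        Returns (allowed, effective address, reason). The effective address
        differs from the requested one only when -a rewrites 0.0.0.0.
        """
        try:
            requested = str(ipaddress.IPv4Address(addr))
        except ipaddress.AddressValueError:
            return False, None, "not an IPv4 address"
        if self.ip_addr is None:
            return True, requested, "no -I limit configured"
        if requested == self.ip_addr:
            return True, requested, "matches the jail address"
        if requested == ANY_ADDR:
            if self.auto_adjust_any:
                return True, self.ip_addr, "ANY silently rewritten to jail address (-a)"
            return False, None, "ANY address refused without -a"
        if requested == LOOPBACK and self.allow_loopback:
            return True, requested, "loopback permitted by -o"
        return False, None, "address outside the jail's -I limit"


def audit_bind_requests(policy: JailNetPolicy, addrs: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """Run a list of requested bind addresses through the policy (for review/logging)."""
    return [(a,) + policy.check_bind(a)[:2] for a in addrs]


if __name__ == "__main__":
    # Constructed sample: a jail limited to 192.0.2.10 with -a but without -o.
    jail = JailNetPolicy(ip_addr="192.0.2.10", auto_adjust_any=True)
    for addr, ok, eff in audit_bind_requests(jail, ["192.0.2.10", "0.0.0.0", "127.0.0.1", "198.51.100.7"]):
        print(f"bind {addr:<14} -> {'allow' if ok else 'deny ':<5} {eff or ''}")
    for fam, typ in ((AF_UNIX, SOCK_STREAM), (AF_INET, SOCK_RAW), (AF_INET6, SOCK_STREAM)):
        print(f"socket({fam}, {typ}) -> {jail.check_socket(fam, typ)}")
```

The useful observation is the asymmetry between -a and -o: -a never widens what the jailed process may reach (0.0.0.0 collapses to the jail address), whereas -o deliberately adds a second address, so it deserves the more scrutiny when reviewing a jail configuration.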