The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir(”/”)) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter.
Both chroot and IP address limits are optional.
Processes in a jail may not:
Add or remove kernel modules.
Shutdown or reboot the system.
Mount or umount filesystems.
Create sockets of other types than UNIX and INET (IPv4).
Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
Create INET raw sockets.
Access IPC objects outside this jail.
Create device special files (to prevent unwanted device accesses).
Signal, trace or get status from processes outside this jail.
Change Linux file modes to include suid or sgid flags.
Set rlimits.
Modify settings of any non-rlimit SCD or NETDEV target.
-
Access
RSBAC Network Templates.
Switch off Linux DAC.
Switch
RSBAC modules, softmode or log settings.
Access any other namespaces than its own (if enabled)
All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.
Possible switches controling access in details:
-I addr = limit to IP address,
-R dir = chroot to dir,
-N = enclose process in its private namespace, (process won’t be able to see any filesystem tree that was mounted after it was jailed, 2.6 kernel only !)
-C cap-list = limit Linux capabilities for jailed processes,
use bit-vector, numeric value or list names of desired caps, A = all, FS_MASK = all filesystem related,
-L = list all Linux capabilities,
-S = list all SCD targets,
-v = verbose, -i = allow access to IPC outside this jail,
-n = allow all network families, not only UNIX and INET (IPv4),
-r = allow INET (IPv4) raw sockets (e.g. for ping),
-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,
-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
-d = allow read access on devices, -D allow write access
-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
-t = allow *_OPEN on tty devices
-G scd ... = allow GET_STATUS_DATA on these scd targets
-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets
Deprecated old options, please use -G and -M:
-l = allow to modify rlimits (-M rlimit),
-c = allow to modify system clock (-M SCD clock time_strucs),
-m = allow to lock memory (-M mlock),
-p = allow to modify priority (-M priority),
-k = allow to get kernel symbols (-G ksyms)
Table of Contents: RSBAC Handbook
Back: Security Models