The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir(”/”)) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:

• Add or remove kernel modules.
• Shutdown or reboot the system.
• Mount or umount filesystems.
• Create sockets of other types than UNIX and INET (IPv4).
• Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
• Create INET raw sockets.
• Access IPC objects outside this jail.
• Create device special files (to prevent unwanted device accesses).
• Signal, trace or get status from processes outside this jail.
• Change Linux file modes to include suid or sgid flags.
• Set rlimits.
• Modify settings of any non-rlimit SCD or NETDEV target.
• Access RSBAC attributes.
• Access RSBAC Network Templates.
• Switch off Linux DAC.
• Switch RSBAC modules, softmode or log settings.
• Access any other namespaces than its own (if enabled)

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

Possible switches controling access in details:

• -I addr = limit to IP address,
• -R dir = chroot to dir,
• -N = enclose process in its private namespace, (process won’t be able to see any filesystem tree that was mounted after it was jailed, 2.6 kernel only !)
• -C cap-list = limit Linux capabilities for jailed processes,

use bit-vector, numeric value or list names of desired caps, A = all, FS_MASK = all filesystem related,

• -L = list all Linux capabilities,
• -S = list all SCD targets,
• -v = verbose, -i = allow access to IPC outside this jail,
• -n = allow all network families, not only UNIX and INET (IPv4),
• -r = allow INET (IPv4) raw sockets (e.g. for ping),
• -a = auto-adjust INET any address 0.0.0.0 to jail address, if set,
• -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
• -d = allow read access on devices, -D allow write access
• -e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
• -t = allow *_OPEN on tty devices
• -G scd ... = allow GET_STATUS_DATA on these scd targets
• -M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets

Deprecated old options, please use -G and -M:

• -l = allow to modify rlimits (-M rlimit),
• -c = allow to modify system clock (-M SCD clock time_strucs),
• -m = allow to lock memory (-M mlock),
• -p = allow to modify priority (-M priority),
• -k = allow to get kernel symbols (-G ksyms)

Table of Contents: RSBAC Handbook
Back: Security Models