The JAIL module

The JAIL module provides a new call, rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all of its subprocesses. Some of these restrictions can be turned off by flags to the syscall or to the rsbac_jail command line wrapper; these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP address for binding (may be 0.0.0.0 for any) as a parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:

  • Add or remove kernel modules.
  • Shutdown or reboot the system.
  • Mount or umount filesystems.
  • Create sockets of types other than UNIX and INET (IPv4).
  • Use INET (IPv4) addresses other than the one given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
  • Create INET raw sockets.
  • Access IPC objects outside this jail.
  • Create device special files (to prevent unwanted device accesses).
  • Signal, trace or get status from processes outside this jail.
  • Change Linux file modes to include suid or sgid flags.
  • Set rlimits.
  • Modify settings of any non-rlimit SCD or NETDEV target.
  • Access RSBAC attributes.
  • Access RSBAC Network Templates.
  • Switch off Linux DAC.
  • Switch RSBAC modules, softmode or log settings.
  • Access any namespaces other than its own (if enabled).
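
As an added example (not part of the RSBAC handbook or code), this C program probes a few of the restrictions listed above from inside the current process, using only standard Linux calls. It assumes a jail denial surfaces as EPERM or EACCES and that /tmp exists inside the jail. The raw socket probe is only meaningful when run as root, and a restriction switched off by a jail flag will read as allowed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/stat.h>

enum verdict { ALLOWED, DENIED, INCONCLUSIVE };
static const char *names[] = { "allowed", "denied", "inconclusive" };
/* Assumption: a jail denial surfaces as EPERM or EACCES; other errors prove nothing. */
static enum verdict classify(int rc, int err) {
    if (rc >= 0) return ALLOWED;
    return (err == EPERM || err == EACCES) ? DENIED : INCONCLUSIVE;
}

static enum verdict probe_socket(int family, int type, int proto) {
    int fd = socket(family, type, proto);
    enum verdict v = classify(fd, errno);
    if (fd >= 0) close(fd);
    return v;
}

static enum verdict probe_setrlimit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return INCONCLUSIVE;
    int rc = setrlimit(RLIMIT_NOFILE, &rl);   /* re-apply the current values */
    return classify(rc, errno);
}

static enum verdict probe_suid_chmod(void) {
    char path[] = "/tmp/jailprobe-XXXXXX";    /* constructed scratch file name */
    int fd = mkstemp(path);
    if (fd < 0) return INCONCLUSIVE;          /* e.g. no /tmp inside the chroot */
    int rc = fchmod(fd, S_ISUID | 0700);      /* try to add the suid flag */
    enum verdict v = classify(rc, errno);
    close(fd); unlink(path);
    return v;
}

int main(void) {
    printf("UNIX socket     (jail: allowed) %s\n", names[probe_socket(AF_UNIX, SOCK_STREAM, 0)]);
    printf("IPv6 socket     (jail: denied)  %s\n", names[probe_socket(AF_INET6, SOCK_STREAM, 0)]);
    printf("INET raw socket (jail: denied)  %s\n", names[probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)]);
    printf("setrlimit       (jail: denied)  %s\n", names[probe_setrlimit()]);
    printf("chmod +s        (jail: denied)  %s\n", names[probe_suid_chmod()]);
    return 0;
}
```

Run it once outside the jail as a baseline and once inside; the restrictions that differ between the two runs are the ones the jail is enforcing.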

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

More details are given on the configuration page.

documentation/rsbac_handbook/security_models/jail.txt · Last modified: 2009/01/13 11:49 by ao