===== Using JAIL =====

Before starting with RSBAC jails you should read the [[documentation:rsbac_handbook:security_models:jail|JAIL description]].

All processes in jails are listed in ''/proc/rsbac-info/jails'', provided RSBAC proc support has been enabled.

To create a jail, start a program with the ''rsbac_jail'' command. A jailed process is restricted by default; each of the following switches removes one specific restriction, so give only those the program really needs.

Switches controlling access in detail:

  * ''-I addr'' = limit to IP address
  * ''-R dir'' = chroot to dir
  * ''-N'' = enclose the process in its private namespace; the process will not be able to see any filesystem tree that was mounted after it was jailed (2.6 kernels only!)
  * ''-C cap-list'' = limit Linux capabilities for jailed processes; give a bit vector, a numeric value or a list of the names of the desired caps, ''A'' = all, ''FS_MASK'' = all filesystem related
  * ''-L'' = list all Linux capabilities
  * ''-S'' = list all SCD targets
  * ''-v'' = verbose startup
  * ''-i'' = allow access to IPC outside this jail
  * ''-n'' = allow all network families, not only UNIX and INET (IPv4)
  * ''-r'' = allow INET (IPv4) raw sockets (e.g. for ping)
  * ''-a'' = auto-adjust the INET any address 0.0.0.0 to the jail address, if one is set
  * ''-o'' = additionally allow to/from the remote INET (IPv4) address 127.0.0.1
  * ''-d'' = allow read access on devices, ''-D'' = allow write access
  * ''-e'' = allow GET_STATUS_DATA on devices, ''-E'' = allow MODIFY_SYSTEM_DATA
  * ''-t'' = allow *_OPEN on tty devices
  * ''-G scd ...'' = allow GET_STATUS_DATA on these SCD targets
  * ''-M scd ...'' = allow MODIFY_SYSTEM_DATA on these SCD targets

Deprecated old options, please use ''-G'' and ''-M'' instead:

  * ''-l'' = allow to modify rlimits (''-M rlimit'')
  * ''-c'' = allow to modify the system clock (''-M SCD clock time_strucs'')
  * ''-m'' = allow to lock memory (''-M mlock'')
  * ''-p'' = allow to modify priority (''-M priority'')
  * ''-k'' = allow to get kernel symbols (''-G ksyms'')

Example to start the Mozilla browser in a jail:

<code>
rsbac_jail -d -D -P -G priority -M priority mozilla
</code>

----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Previous:** [[.:rc|RC]]\\
**Next:** [[.:cap|CAP]]\\
**Alternative:** [[documentation:rsbac_handbook:configuration_basics:setting_up_modules|Setting up Modules]]
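The following POSIX shell wrapper is an added example, not part of the RSBAC handbook or the rsbac_jail tool: it composes a least-privilege ''rsbac_jail'' invocation for a network daemon from the switches described above (''-R'', ''-I'', ''-C'' and ''-N''), checks the given IPv4 address, and only adds ''-N'' when the kernel version is 2.6 or later, as the option list requires. The jail directory, address, capability name and daemon command used are constructed sample values.

```shell
#!/bin/sh
# Added example: build a restrictive rsbac_jail command line for a daemon.

# kernel_supports_ns VERSION -> succeeds if VERSION is 2.6 or later,
# the minimum the -N (private namespace) switch needs.
kernel_supports_ns() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]; }
}

# valid_ipv4 ADDR -> succeeds only for a dotted quad with octets 0..255,
# so a typo is caught before a jail is bound to the wrong address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_jail_cmd KERNEL_VERSION JAIL_DIR JAIL_IP CAPS COMMAND [ARGS...]
# Prints the rsbac_jail invocation: chroot to JAIL_DIR, limit to JAIL_IP,
# restrict capabilities to CAPS (a name list, numeric value or bit vector,
# as -C accepts) and add -N only where the kernel supports it. Every other
# restriction (IPC, devices, SCD targets, raw sockets) stays in force.
build_jail_cmd() {
    kver=$1; dir=$2; ip=$3; caps=$4; shift 4
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    opts="-R $dir -I $ip -C $caps"
    if kernel_supports_ns "$kver"; then
        opts="$opts -N"
    fi
    printf 'rsbac_jail %s %s\n' "$opts" "$*"
}

# jail_listing_available -> succeeds if RSBAC proc support exposes the
# jail list, so an operator can confirm the process ended up in a jail.
jail_listing_available() {
    [ -r /proc/rsbac-info/jails ]
}

# Sample use with constructed values (CAP_NET_BIND_SERVICE is assumed to be
# a capability name that -C accepts; check with rsbac_jail -L first):
build_jail_cmd "$(uname -r)" /srv/www 10.0.0.5 CAP_NET_BIND_SERVICE \
    httpd -f /etc/httpd.conf
```

Run the printed line only after confirming the capability name against ''rsbac_jail -L'' and, once the daemon is up, check ''/proc/rsbac-info/jails'' to verify the process is listed.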