===== The JAIL module =====

The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all subprocesses.
Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:
  * Add or remove kernel modules.
  * Shutdown or reboot the system.
  * Mount or umount filesystems.
  * Create sockets of other types than UNIX and INET (IPv4).
  * Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
  * Create INET raw sockets.
  * Access IPC objects outside this jail.
  * Create device special files (to prevent unwanted device accesses).
  * Signal, trace or get status from processes outside this jail.
  * Change Linux file modes to include suid or sgid flags.
  * Set rlimits.
  * Modify settings of any non-rlimit SCD or NETDEV target.
  * Access RSBAC attributes.
  * Access RSBAC Network Templates.
  * Switch off Linux DAC.
  * Switch RSBAC modules, softmode or log settings.
  * Access any other namespaces than its own (if enabled)

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

More details are given on the [[documentation:rsbac_handbook:configuration_basics:setting_up_modules:jail|configuration page]]

\\ 
----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Back:** [[documentation:rsbac_handbook:security_models|Security Models]]\\