documentation:different_models:jail
Differences

This shows you the differences between two versions of the page.

documentation:different_models:jail [2005/09/20 07:50] – (old revision restored) 127.0.0.1
documentation:different_models:jail [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all subprocesses. 
-Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter. 
- 
-Both chroot and IP address limits are optional. 
- 
-Processes in a jail may not: 
-  * Add or remove kernel modules. 
-  * Shutdown or reboot the system. 
-  * Mount or umount filesystems. 
-  * Create sockets of other types than UNIX and INET (IPv4). 
-  * Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address). 
-  * Create INET raw sockets. 
-  * Access IPC objects outside this jail. 
-  * Create device special files (to prevent unwanted device accesses). 
-  * Signal, trace or get status from processes outside this jail. 
-  * Change Linux file modes to include suid or sgid flags. 
-  * Set rlimits. 
-  * Modify settings of any non-rlimit SCD or NETDEV target. 
-  * Access RSBAC attributes. 
-  * Access RSBAC Network Templates. 
-  * Switch off Linux DAC. 
-  * Switch RSBAC modules, softmode or log settings. 
- 
-All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled. 
  
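Review bot: The removal leaves no pointer to where the JAIL restrictions are documented now. Every line from the rsbac_jail description down to the /proc/rsbac-info/jails note is deleted, and the revision comment ("removed - external edit", unknown date, 127.0.0.1) gives neither a reason nor a new location. If the page was moved, keep a one-line stub here that links to the new page. If it was dropped by an import, restore the 2005/09/20 revision. When the text is carried over, also fix the sentence saying the optional restrictions "are marked with an * in the following list": no item in the list carries such a marker, so a reader cannot tell which restrictions the syscall flags can turn off.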
documentation/different_models/jail.1127202619.txt.gz · Last modified: 2006/05/02 13:40 (external edit)