documentation:different_models:jail (revision of 2006/05/02 13:40, old revision restored)
The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir("/"

Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper; these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP address for binding (may be 0.0.0.0 for any) as a parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:
* Add or remove kernel modules.
* Shut down or reboot the system.
* Mount or umount filesystems.
* Create sockets of other types than UNIX and INET (IPv4).
* Use other INET (IPv4) addresses than given (optionally,
* Create INET raw sockets.
* Access IPC objects outside this jail.
* Create device special files (to prevent unwanted device accesses).
* Signal, trace or get status from processes outside this jail.
* Change Linux file modes to include suid or sgid flags.
* Set rlimits.
* Modify settings of any non-rlimit SCD or NETDEV target.
* Access RSBAC attributes.
* Access RSBAC Network Templates.
* Switch off Linux DAC.
* Switch RSBAC modules, softmode or log settings.
* Access any other namespaces than its own (if enabled).

All processes in jails are listed in /
Possible switches controlling access in detail:

* -I addr = limit to IP address,
* -R dir = chroot to dir,
* -N = enclose process in its private namespace (process won't be able to see any filesystem tree that was mounted after it was jailed, 2.6 kernel only!),
* -C cap-list = use bit-vector, numeric value or list names of desired caps; A = all, FS_MASK = all filesystem related,
* -L = list all Linux capabilities,
* -S = list all SCD targets,
* -v = verbose, -i = allow access to IPC outside this jail,
* -n = allow all network families, not only UNIX and INET (IPv4),
* -r = allow INET (IPv4) raw sockets (e.g. for ping),
* -a = auto-adjust INET any address 0.0.0.0 to jail address, if set,
* -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
* -d = allow read access on devices, -D = allow write access,
* -e = allow GET_STATUS_DATA on devices, -E = allow MODIFY_SYSTEM_DATA,
* -t = allow *_OPEN on tty devices,
* -G scd ... = allow GET_STATUS_DATA on these scd targets,
* -M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets.

Deprecated old options, please use -G and -M:
* -l = allow to modify rlimits (-M rlimit),
* -c = allow to modify system clock (-M SCD clock time_strucs),
* -m = allow to lock memory (-M mlock),
* -p = allow to modify priority (-M priority),
* -k = allow to get kernel symbols (-G ksyms).
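The network part of the restriction list and the -n, -r, -a and -o switches above describe a small decision procedure. The following is an added reference model of those rules written for this page, not code from the RSBAC kernel module or its admin tools; the `Jail` fields and the two check functions are names assumed for the example. It shows, for a jail limited to one address, which socket creations and which local/remote INET addresses are refused, and how -a rewrites a 0.0.0.0 bind to the jail address.

```python
# Added reference model of the JAIL network rules (assumption: names are ours,
# the real enforcement happens inside the RSBAC kernel module).
from dataclasses import dataclass

ANY_ADDR = "0.0.0.0"   # "any" address; as jail IP it means "no IP limit"
LOOPBACK = "127.0.0.1"


@dataclass
class Jail:
    ip: str = ANY_ADDR               # -I addr
    allow_all_families: bool = False  # -n
    allow_raw: bool = False           # -r
    auto_adjust_any: bool = False     # -a
    allow_loopback: bool = False      # -o


def check_socket(jail: Jail, family: str, sock_type: str) -> str:
    """Verdict for socket(family, type) inside the jail: 'allow' or 'deny'."""
    # Only UNIX and INET (IPv4) families unless -n was given.
    if family not in ("UNIX", "INET") and not jail.allow_all_families:
        return "deny"
    # INET raw sockets (e.g. ping) only with -r.
    if family == "INET" and sock_type == "RAW" and not jail.allow_raw:
        return "deny"
    return "allow"


def check_inet_addr(jail: Jail, addr: str, remote: bool = False) -> tuple:
    """Verdict for using an IPv4 address: (verdict, effective address).

    remote=False models a local bind, remote=True a peer address (connect/accept).
    """
    if jail.ip == ANY_ADDR:            # no IP limit configured
        return ("allow", addr)
    if addr == jail.ip:                # the one address the jail may use
        return ("allow", addr)
    if not remote and addr == ANY_ADDR and jail.auto_adjust_any:
        return ("allow", jail.ip)      # -a: rewrite 0.0.0.0 to the jail address
    if remote and addr == LOOPBACK and jail.allow_loopback:
        return ("allow", addr)         # -o: loopback peer additionally allowed
    return ("deny", addr)


if __name__ == "__main__":
    # Constructed sample jail: a service pinned to one address with -a and -o.
    j = Jail(ip="192.0.2.10", auto_adjust_any=True, allow_loopback=True)
    print(check_socket(j, "INET", "RAW"))          # deny (no -r)
    print(check_inet_addr(j, ANY_ADDR))            # ('allow', '192.0.2.10')
    print(check_inet_addr(j, LOOPBACK, True))      # ('allow', '127.0.0.1')
    print(check_inet_addr(j, "198.51.100.7", True))  # ('deny', '198.51.100.7')
```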