documentation:different_models:jail
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

This is an old revision of the document!

The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir(“/”)) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:

  • Add or remove kernel modules.
  • Shutdown or reboot the system.
  • Mount or umount filesystems.
  • Create sockets of other types than UNIX and INET (IPv4).
  • Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
  • Create INET raw sockets.
  • Access IPC objects outside this jail.
  • Create device special files (to prevent unwanted device accesses).
  • Signal, trace or get status from processes outside this jail.
  • Change Linux file modes to include suid or sgid flags.
  • Set rlimits.
  • Modify settings of any non-rlimit SCD or NETDEV target.
  • Access RSBAC attributes.
  • Access RSBAC Network Templates.
  • Switch off Linux DAC.
  • Switch RSBAC modules, softmode or log settings.
  • Access any other namespaces than its own (if enabled)

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

Possible switches controling access in details:

-I addr = limit to IP address, -R dir = chroot to dir, -N = enclose process in its private namespace, (process won't be able to see any filesystem tree that was mounted after it was jailed). 2.6 kernel only ! -C cap-list = limit Linux capabilities for jailed processes, 

             use bit-vector, numeric value or list names of desired caps,
             A = all, FS_MASK = all filesystem related,

-L = list all Linux capabilities, -S = list all SCD targets, -v = verbose, -i = allow access to IPC outside this jail, -n = allow all network families, not only UNIX and INET (IPv4), -r = allow INET (IPv4) raw sockets (e.g. for ping), -a = auto-adjust INET any address 0.0.0.0 to jail address, if set, -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1, -d = allow read access on devices, -D allow write access -e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA -t = allow *_OPEN on tty devices -G scd … = allow GET_STATUS_DATA on these scd targets -M scd … = allow MODIFY_SYSTEM_DATA on these scd targets Deprecated old options, please use -G and -M: -l = allow to modify rlimits (-M rlimit), -c = allow to modify system clock (-M SCD clock time_strucs), -m = allow to lock memory (-M mlock), -p = allow to modify priority (-M priority), -k = allow to get kernel symbols (-G ksyms)

//
documentation/different_models/jail.1139908782.txt.gz · Last modified: 2006/05/02 13:40 (external edit)

documentation/different_models/jail.1139908782.txt.gz · Last modified: 2006/05/02 13:40 (external edit)
This website is kindly hosted by m-privacy