documentation:rsbac_handbook:configuration_basics:setting_up_modules:jail
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Using JAIL

Before starting with RSBAC jails your should read the JAIL description.

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

To create a jail, start a program with the rsbac_jail command. Several parameters allow to remove some restrictions. Possible switches controlling access in details:

  • -I addr = limit to IP address
  • -R dir = chroot to dir
  • -N = enclose process in its private namespace, process won't be able to see any filesystem tree that was mounted after it was jailed, 2.6 kernel only !
  • -C cap-list = limit Linux capabilities for jailed processes, use bit-vector, numeric value or list names of desired caps, A = all, FS_MASK = all filesystem related
  • -L = list all Linux capabilities
  • -S = list all SCD targets
  • -v = verbose startup
  • -i = allow access to IPC outside this jail
  • -n = allow all network families, not only UNIX and INET (IPv4)
  • -r = allow INET (IPv4) raw sockets (e.g. for ping)
  • -a = auto-adjust INET any address 0.0.0.0 to jail address, if set
  • -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1
  • -d = allow read access on devices, -D allow write access
  • -e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
  • -t = allow *_OPEN on tty devices
  • -G scd … = allow GET_STATUS_DATA on these scd targets
  • -M scd … = allow MODIFY_SYSTEM_DATA on these scd targets

Deprecated old options, please use -G and -M:

  • -l = allow to modify rlimits (-M rlimit)
  • -c = allow to modify system clock (-M SCD clock time_strucs)
  • -m = allow to lock memory (-M mlock)
  • -p = allow to modify priority (-M priority)
  • -k = allow to get kernel symbols (-G ksyms)

Example to start the Mozilla browser in a jail:

rsbac_jail -d -D -P -G priority -M priority mozilla



Table of Contents: RSBAC Handbook
Previous: RC
Next: CAP
Alternative: Setting up Modules

//
documentation/rsbac_handbook/configuration_basics/setting_up_modules/jail.txt · Last modified: 2009/01/13 11:03 by 127.0.0.1

documentation/rsbac_handbook/configuration_basics/setting_up_modules/jail.txt · Last modified: 2009/01/13 11:03 by 127.0.0.1
This website is kindly hosted by m-privacy