=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

RSBAC source code, can be unstable sometimes

=>  Events

No events planned

The JAIL module

The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir(“/”)) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be for any) as parameter.

Both chroot and IP address limits are optional.

Processes in a jail may not:

  • Add or remove kernel modules.
  • Shutdown or reboot the system.
  • Mount or umount filesystems.
  • Create sockets of other types than UNIX and INET (IPv4).
  • Use other INET (IPv4) addresses than given (optionally, the ANY address can be silently changed to the given address).
  • Create INET raw sockets.
  • Access IPC objects outside this jail.
  • Create device special files (to prevent unwanted device accesses).
  • Signal, trace or get status from processes outside this jail.
  • Change Linux file modes to include suid or sgid flags.
  • Set rlimits.
  • Modify settings of any non-rlimit SCD or NETDEV target.
  • Access RSBAC attributes.
  • Access RSBAC Network Templates.
  • Switch off Linux DAC.
  • Switch RSBAC modules, softmode or log settings.
  • Access any other namespaces than its own (if enabled)

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

More details are given on the configuration page

Table of Contents: RSBAC Handbook
Back: Security Models

documentation/rsbac_handbook/security_models/jail.txt · Last modified: 2009/01/13 11:49 by

documentation/rsbac_handbook/security_models/jail.txt · Last modified: 2009/01/13 11:49 by
This website is kindly hosted by m-privacy