usr.sbin/jail/jail.8
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||||||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||||||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | |||||||||
.\" | .\" | |||||||||
.\" $FreeBSD$ | .\" $FreeBSD$ | |||||||||
.\" | .\" | |||||||||
.Dd December 11, 2022 | .Dd March 12, 2023 | |||||||||
.Dt JAIL 8 | .Dt JAIL 8 | |||||||||
.Os | .Os | |||||||||
.Sh NAME | .Sh NAME | |||||||||
.Nm jail | .Nm jail | |||||||||
.Nd "manage system jails" | .Nd "manage system jails" | |||||||||
.Sh SYNOPSIS | .Sh SYNOPSIS | |||||||||
.Nm | .Nm | |||||||||
.Op Fl dhilqv | .Op Fl dhilqv | |||||||||
.Xr mlock 2 | .Xr mlock 2 | |||||||||
or | or | |||||||||
.Xr munlock 2 | .Xr munlock 2 | |||||||||
memory subject to | memory subject to | |||||||||
.Va security.bsd.unprivileged_mlock | .Va security.bsd.unprivileged_mlock | |||||||||
and resource limits. | and resource limits. | |||||||||
.It Va allow.nfsd | .It Va allow.nfsd | |||||||||
The | The | |||||||||
.Xr mountd 8 , | ||||||||||
.Xr nfsd 8 , | ||||||||||
.Xr nfsuserd 8 , | ||||||||||
.Xr gssd 8 | ||||||||||
and | ||||||||||
.Xr rpc.tlsservd 8 | ||||||||||
daemons are permitted to run inside a properly configured vnet-enabled jail. | ||||||||||
The jail's root must be a file system mount point and | ||||||||||
.Va enforce_statfs | ||||||||||
must not be set to 0, so that | ||||||||||
.Xr mountd 8 | .Xr mountd 8 | |||||||||
can export file systems visible within the jail. | ||||||||||
.Va enforce_statfs | ||||||||||
must be set to 1 if file systems mounted under the | ||||||||||
jail's file system need to be exported by | ||||||||||
.Xr mount 8 . | ||||||||||
For exporting only the jail's file system, a setting of 2 | ||||||||||
is sufficient. | ||||||||||
If the kernel configuration does not include the | ||||||||||
.Sy NFSD | ||||||||||
option, | ||||||||||
.Pa nfsd.ko | ||||||||||
must be loaded outside of the jails. | ||||||||||
This is normally done by adding | ||||||||||
.Dq nfsd | ||||||||||
to | ||||||||||
.Va kld_list | ||||||||||
in the | ||||||||||
.Xr rc.conf 5 | ||||||||||
file outside of the jails. | ||||||||||
Similarily, if the | ||||||||||
.Xr gssd 8 | ||||||||||
is to be run in a jail, either the kernel | ||||||||||
.Sy KGSSAPI | ||||||||||
option needs to be specified or | ||||||||||
.Dq kgssapi | ||||||||||
and | and | |||||||||
.Xr nfsd 8 | .Dq kgssapi_krb5 | |||||||||
daemons are permitted to run inside a vnet-enabled jail. | need to be in | |||||||||
The kernel must have been compiled with the | .Va kld_list | |||||||||
markj: It might be helpful to be more precise and say that the root of the jail must be a mount point for a file system.
.Sy VNET_NFSD option | in the | |||||||||
and | .Xr rc.conf 5 | |||||||||
.Sy NFSD option | file outside of the jails. | |||||||||
as well as the | ||||||||||
.Sy VIMAGE option | ||||||||||
for this to be available. | ||||||||||
.It Va allow.reserved_ports | .It Va allow.reserved_ports | |||||||||
The jail root may bind to ports lower than 1024. | The jail root may bind to ports lower than 1024. | |||||||||
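Review bot: in the enforce_statfs sentence, `.Xr mount 8 .` should be `.Xr mountd 8 .`, since mountd(8), not mount(8), is what exports file systems, and the preceding sentence already names mountd(8) as the exporter. Two smaller points in the same block: "Similarily" is a typo for "Similarly", and the replaced left-hand text was the only mention that the kernel needs VIMAGE; the new wording only says "properly configured vnet-enabled jail", so consider stating what that configuration is, or at least that vnet jails require a VIMAGE kernel, next to the new NFSD/nfsd.ko and KGSSAPI/kgssapi notes.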
.It Va allow.unprivileged_proc_debug | .It Va allow.unprivileged_proc_debug | |||||||||
Unprivileged processes in the jail may use debugging facilities. | Unprivileged processes in the jail may use debugging facilities. | |||||||||
.It Va allow.suser | .It Va allow.suser | |||||||||
The value of the jail's | The value of the jail's | |||||||||
.Va security.bsd.suser_enabled | .Va security.bsd.suser_enabled | |||||||||
sysctl. | sysctl. | |||||||||
The super-user will be disabled automatically if its parent system has it | The super-user will be disabled automatically if its parent system has it | |||||||||
karels: I think nfsd.ko should be .Va nfsd.ko on a line by itself.
karels: Or rather, .Pa nfsd.ko
disabled. | disabled. | |||||||||
The super-user is enabled by default. | The super-user is enabled by default. | |||||||||
.El | .El | |||||||||
karels: .Va kld_list
.El | .El | |||||||||
.Pp | .Pp | |||||||||
Kernel modules may add their own parameters, which only exist when the | Kernel modules may add their own parameters, which only exist when the | |||||||||
module is loaded. | module is loaded. | |||||||||
These are typically headed under a parameter named after the module, | These are typically headed under a parameter named after the module, | |||||||||
with values of | with values of | |||||||||
karels: I don't think "option" needs to be in bold; it should be on the next line. (Several occurrences, not all new)
rmacklem: Yea, I was doing what the rest of jail.8 did, but I've changed it here.
.Dq inherit | .Dq inherit | |||||||||
to give the jail full use of the module, | to give the jail full use of the module, | |||||||||
karels: This looks odd; maybe
.Dq kgssapi
and
.Dq kgssapi_krb5
.Dq new | .Dq new | |||||||||
karels: .Va kld_list
to encapsulate the jail in some module-specific way, | to encapsulate the jail in some module-specific way, | |||||||||
and | and | |||||||||
.Dq disable | .Dq disable | |||||||||
to make the module unavailable to the jail. | to make the module unavailable to the jail. | |||||||||
There also may be other parameters to define jail behavior within the module. | There also may be other parameters to define jail behavior within the module. | |||||||||
Module-specific parameters include: | Module-specific parameters include: | |||||||||
.Bl -tag -width indent | .Bl -tag -width indent | |||||||||
.It Va allow.mount.fdescfs | .It Va allow.mount.fdescfs | |||||||||
.Xr chroot 8 , | .Xr chroot 8 , | |||||||||
.Xr devfs 8 , | .Xr devfs 8 , | |||||||||
.Xr halt 8 , | .Xr halt 8 , | |||||||||
.Xr ifconfig 8 , | .Xr ifconfig 8 , | |||||||||
.Xr inetd 8 , | .Xr inetd 8 , | |||||||||
.Xr jexec 8 , | .Xr jexec 8 , | |||||||||
.Xr jls 8 , | .Xr jls 8 , | |||||||||
.Xr mount 8 , | .Xr mount 8 , | |||||||||
.Xr mountd 8 , | ||||||||||
.Xr nfsd 8 , | ||||||||||
.Xr reboot 8 , | .Xr reboot 8 , | |||||||||
.Xr rpcbind 8 , | .Xr rpcbind 8 , | |||||||||
.Xr sendmail 8 , | .Xr sendmail 8 , | |||||||||
.Xr shutdown 8 , | .Xr shutdown 8 , | |||||||||
.Xr sysctl 8 , | .Xr sysctl 8 , | |||||||||
.Xr syslogd 8 , | .Xr syslogd 8 , | |||||||||
.Xr umount 8 | .Xr umount 8 | |||||||||
.Sh HISTORY | .Sh HISTORY | |||||||||
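Review bot: SEE ALSO adds mountd(8) and nfsd(8), but the new allow.nfsd text also cross-references nfsuserd(8), gssd(8) and rpc.tlsservd(8); add those entries in their alphabetical positions so SEE ALSO stays consistent with the body.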