head/usr.sbin/jail/jail.8
Show All 19 Lines | |||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
.\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd June 5, 2017 | .Dd May 4, 2018 | ||||
.Dt JAIL 8 | .Dt JAIL 8 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm jail | .Nm jail | ||||
.Nd "manage system jails" | .Nd "manage system jails" | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
.Nm | .Nm | ||||
.Op Fl dhilqv | .Op Fl dhilqv | ||||
▲ Show 20 Lines • Show All 503 Lines • ▼ Show 20 Lines | |||||
This permission is effective only together with | This permission is effective only together with | ||||
.Va allow.mount | .Va allow.mount | ||||
and only when | and only when | ||||
.Va enforce_statfs | .Va enforce_statfs | ||||
is set to a value lower than 2. | is set to a value lower than 2. | ||||
The devfs ruleset should be restricted from the default by using the | The devfs ruleset should be restricted from the default by using the | ||||
.Va devfs_ruleset | .Va devfs_ruleset | ||||
option. | option. | ||||
.It Va allow.quotas | |||||
The jail root may administer quotas on the jail's filesystem(s). | |||||
This includes filesystems that the jail may share with other jails or | |||||
with non-jailed parts of the system. | |||||
.It Va allow.socket_af | |||||
Sockets within a jail are normally restricted to IPv4, IPv6, local | |||||
(UNIX), and route. This allows access to other protocol stacks that | |||||
have not had jail functionality added to them. | |||||
.It Va allow.reserved_ports | |||||
The jail root may bind to ports lower than 1024. | |||||
.El | |||||
.El | |||||
.Pp | |||||
Kernel modules may add their own parameters, which only exist when the | |||||
module is loaded. | |||||
These are typically headed under a parameter named after the module, | |||||
with values of | |||||
.Dq inherit | |||||
to give the jail full use of the module, | |||||
.Dq new | |||||
to encapsulate the jail in some module-specific way, | |||||
and | |||||
.Dq disable | |||||
to make the module unavailable to the jail. | |||||
There also may be other parameters to define jail behavior within the module. | |||||
Module-specific parameters include: | |||||
.Bl -tag -width indent | |||||
.It Va allow.mount.fdescfs | .It Va allow.mount.fdescfs | ||||
privileged users inside the jail will be able to mount and unmount the | privileged users inside the jail will be able to mount and unmount the | ||||
fdescfs file system. | fdescfs file system. | ||||
This permission is effective only together with | This permission is effective only together with | ||||
.Va allow.mount | .Va allow.mount | ||||
and only when | and only when | ||||
.Va enforce_statfs | .Va enforce_statfs | ||||
is set to a value lower than 2. | is set to a value lower than 2. | ||||
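Review bot: The introductory paragraph that sits directly before ".It Va allow.mount.fdescfs" does not describe the entry it introduces. It says module parameters are "typically headed under a parameter named after the module" with values of inherit, new and disable, while allow.mount.fdescfs is a permission that only takes effect together with allow.mount and an enforce_statfs value lower than 2. Suggest adding a sentence that modules may also contribute allow.* permissions. Because the same paragraph says these parameters "only exist when the module is loaded", each allow.mount.* entry should also name the module that provides it, so an administrator knows the permission is unavailable until that module is loaded. Style, while here: "privileged users inside the jail ..." should start with a capital letter to match the neighbouring entries ("The jail root may ...").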
▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines | |||||
.Va allow.mount | .Va allow.mount | ||||
and only when | and only when | ||||
.Va enforce_statfs | .Va enforce_statfs | ||||
is set to a value lower than 2. | is set to a value lower than 2. | ||||
See | See | ||||
.Xr zfs 8 | .Xr zfs 8 | ||||
for information on how to configure the ZFS filesystem to operate from | for information on how to configure the ZFS filesystem to operate from | ||||
within a jail. | within a jail. | ||||
.It Va allow.quotas | |||||
The jail root may administer quotas on the jail's filesystem(s). | |||||
This includes filesystems that the jail may share with other jails or | |||||
with non-jailed parts of the system. | |||||
.It Va allow.socket_af | |||||
Sockets within a jail are normally restricted to IPv4, IPv6, local | |||||
(UNIX), and route. This allows access to other protocol stacks that | |||||
have not had jail functionality added to them. | |||||
.It Va allow.reserved_ports | |||||
The jail root may bind to ports lower than 1024. | |||||
.El | |||||
.El | |||||
.Pp | |||||
Kernel modules may add their own parameters, which only exist when the | |||||
module is loaded. | |||||
These are typically headed under a parameter named after the module, | |||||
with values of | |||||
.Dq inherit | |||||
to give the jail full use of the module, | |||||
.Dq new | |||||
to encapsulate the jail in some module-specific way, | |||||
and | |||||
.Dq disable | |||||
to make the module unavailable to the jail. | |||||
There also may be other parameters to define jail behavior within the module. | |||||
Module-specific parameters include: | |||||
.Bl -tag -width indent | |||||
.It Va linux | .It Va linux | ||||
Determine how a jail's Linux emulation environment appears. | Determine how a jail's Linux emulation environment appears. | ||||
A value of | A value of | ||||
.Dq inherit | .Dq inherit | ||||
will keep the same environment, and | will keep the same environment, and | ||||
.Dq new | .Dq new | ||||
will give the jail it's own environment (still originally inherited when | will give the jail it's own environment (still originally inherited when | ||||
the jail is created). | the jail is created). | ||||
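Review bot: The moved allow.socket_af entry starts a new sentence in the middle of a source line ("(UNIX), and route. This allows access to ..."). The rest of this page begins each sentence on its own line, so break the line before "This allows" as part of the move. The same entry would also benefit from saying plainly that the additional protocol stacks "have not had jail functionality added to them" and are therefore not confined by the jail, since that is the security-relevant consequence of enabling it. In the adjacent unchanged context, "will give the jail it's own environment" should read "its own environment" and could be fixed in the same commit.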
▲ Show 20 Lines • Show All 716 Lines • Show Last 20 Lines |