Changeset View
Changeset View
Standalone View
Standalone View
head/usr.sbin/jail/jail.8
| Show All 19 Lines | |||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||||
| .\" SUCH DAMAGE. | .\" SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||
| .\" | .\" | ||||
| .Dd June 5, 2017 | .Dd May 4, 2018 | ||||
| .Dt JAIL 8 | .Dt JAIL 8 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm jail | .Nm jail | ||||
| .Nd "manage system jails" | .Nd "manage system jails" | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| .Nm | .Nm | ||||
| .Op Fl dhilqv | .Op Fl dhilqv | ||||
| ▲ Show 20 Lines • Show All 503 Lines • ▼ Show 20 Lines | |||||
| This permission is effective only together with | This permission is effective only together with | ||||
| .Va allow.mount | .Va allow.mount | ||||
| and only when | and only when | ||||
| .Va enforce_statfs | .Va enforce_statfs | ||||
| is set to a value lower than 2. | is set to a value lower than 2. | ||||
| The devfs ruleset should be restricted from the default by using the | The devfs ruleset should be restricted from the default by using the | ||||
| .Va devfs_ruleset | .Va devfs_ruleset | ||||
| option. | option. | ||||
| .It Va allow.quotas | |||||
| The jail root may administer quotas on the jail's filesystem(s). | |||||
| This includes filesystems that the jail may share with other jails or | |||||
| with non-jailed parts of the system. | |||||
| .It Va allow.socket_af | |||||
| Sockets within a jail are normally restricted to IPv4, IPv6, local | |||||
| (UNIX), and route. This allows access to other protocol stacks that | |||||
| have not had jail functionality added to them. | |||||
| .It Va allow.reserved_ports | |||||
| The jail root may bind to ports lower than 1024. | |||||
| .El | |||||
| .El | |||||
| .Pp | |||||
| Kernel modules may add their own parameters, which only exist when the | |||||
| module is loaded. | |||||
| These are typically headed under a parameter named after the module, | |||||
| with values of | |||||
| .Dq inherit | |||||
| to give the jail full use of the module, | |||||
| .Dq new | |||||
| to encapsulate the jail in some module-specific way, | |||||
| and | |||||
| .Dq disable | |||||
| to make the module unavailable to the jail. | |||||
| There also may be other parameters to define jail behavior within the module. | |||||
| Module-specific parameters include: | |||||
| .Bl -tag -width indent | |||||
| .It Va allow.mount.fdescfs | .It Va allow.mount.fdescfs | ||||
| privileged users inside the jail will be able to mount and unmount the | privileged users inside the jail will be able to mount and unmount the | ||||
| fdescfs file system. | fdescfs file system. | ||||
| This permission is effective only together with | This permission is effective only together with | ||||
| .Va allow.mount | .Va allow.mount | ||||
| and only when | and only when | ||||
| .Va enforce_statfs | .Va enforce_statfs | ||||
| is set to a value lower than 2. | is set to a value lower than 2. | ||||
| ▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines | |||||
| .Va allow.mount | .Va allow.mount | ||||
| and only when | and only when | ||||
| .Va enforce_statfs | .Va enforce_statfs | ||||
| is set to a value lower than 2. | is set to a value lower than 2. | ||||
| See | See | ||||
| .Xr zfs 8 | .Xr zfs 8 | ||||
| for information on how to configure the ZFS filesystem to operate from | for information on how to configure the ZFS filesystem to operate from | ||||
| within a jail. | within a jail. | ||||
| .It Va allow.quotas | |||||
| The jail root may administer quotas on the jail's filesystem(s). | |||||
| This includes filesystems that the jail may share with other jails or | |||||
| with non-jailed parts of the system. | |||||
| .It Va allow.socket_af | |||||
| Sockets within a jail are normally restricted to IPv4, IPv6, local | |||||
| (UNIX), and route. This allows access to other protocol stacks that | |||||
| have not had jail functionality added to them. | |||||
| .It Va allow.reserved_ports | |||||
| The jail root may bind to ports lower than 1024. | |||||
| .El | |||||
| .El | |||||
| .Pp | |||||
| Kernel modules may add their own parameters, which only exist when the | |||||
| module is loaded. | |||||
| These are typically headed under a parameter named after the module, | |||||
| with values of | |||||
| .Dq inherit | |||||
| to give the jail full use of the module, | |||||
| .Dq new | |||||
| to encapsulate the jail in some module-specific way, | |||||
| and | |||||
| .Dq disable | |||||
| to make the module unavailable to the jail. | |||||
| There also may be other parameters to define jail behavior within the module. | |||||
| Module-specific parameters include: | |||||
| .Bl -tag -width indent | |||||
| .It Va linux | .It Va linux | ||||
| Determine how a jail's Linux emulation environment appears. | Determine how a jail's Linux emulation environment appears. | ||||
| A value of | A value of | ||||
| .Dq inherit | .Dq inherit | ||||
| will keep the same environment, and | will keep the same environment, and | ||||
| .Dq new | .Dq new | ||||
| will give the jail it's own environment (still originally inherited when | will give the jail it's own environment (still originally inherited when | ||||
| the jail is created). | the jail is created). | ||||
| ▲ Show 20 Lines • Show All 716 Lines • Show Last 20 Lines | |||||