gitweb.dragonflybsd.org Git - dragonfly.git/blame_incremental

... / ...

Commit	Line	Data
	1	.\"
	2	.\"----------------------------------------------------------------------------
	3	.\""THE BEER-WARE LICENSE" (Revision 42):
	4	.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
	5	.\"can do whatever you want with this stuff. If we meet some day, and you think
	6	.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
	7	.\"----------------------------------------------------------------------------
	8	.\"
	9	.\"$FreeBSD: src/lib/libc/sys/jail.2,v 1.10.2.10 2002/12/12 05:26:38 trhodes Exp $
	10	.\"$DragonFly: src/lib/libc/sys/jail.2,v 1.4 2005/03/08 20:29:55 swildner Exp $
	11	.\"
	12	.Dd April 28, 1999
	13	.Dt JAIL 2
	14	.Os
	15	.Sh NAME
	16	.Nm jail
	17	.Nd imprison current process and future decendants
	18	.Sh LIBRARY
	19	.Lb libc
	20	.Sh SYNOPSIS
	21	.In sys/types.h
	22	.In sys/jail.h
	23	.Ft int
	24	.Fn jail "struct jail *jail"
	25	.Sh DESCRIPTION
	26	The
	27	.Nm
	28	system call sets up a jail and locks the current process in it.
	29	.Pp
	30	The argument is a pointer to a structure describing the prison:
	31	.Bd -literal -offset indent
	32	struct jail {
	33	uint32_t version;
	34	char *path;
	35	char *hostname;
	36	uint32_t ip_number;
	37	};
	38	.Ed
	39	.Pp
	40	.Dq Li version
	41	defines the version of the API in use. It should be set to zero at this time.
	42	.Pp
	43	The
	44	.Dq Li path
	45	pointer should be set to the directory which is to be the root of the
	46	prison.
	47	.Pp
	48	The
	49	.Dq Li hostname
	50	pointer can be set to the hostname of the prison. This can be changed
	51	from the inside of the prison.
	52	.Pp
	53	The
	54	.Dq Li ip_number
	55	can be set to the IP number assigned to the prison.
	56	.Sh PRISON
	57	Once a process has been put in a prison, it and its decendants cannot escape
	58	the prison.
	59	A process can be attached to a prison by calling
	60	.Xr jail_attach 2 .
	61	.Pp
	62	Inside the prison, the concept of "superuser" is very diluted. In general,
	63	it can be assumed that nothing can be mangled from inside a prison which
	64	does not exist entirely inside that prison. For instance the directory
	65	tree below
	66	.Dq Li path
	67	can be manipulated all the ways a root can normally do it, including
	68	.Dq Li "rm -rf /*"
	69	but new device special nodes cannot be created because they reference
	70	shared resources (the device drivers in the kernel).
	71	.Pp
	72	All IP activity will be forced to happen to/from the IP number specified,
	73	which should be an alias on one of the network interfaces.
	74	.Pp
	75	It is possible to identify a process as jailed by examining
	76	.Dq Li /proc/<pid>/status :
	77	it will show a field near the end of the line, either as
	78	a single hyphen for a process at large, or the hostname currently
	79	set for the prison for jailed processes.
	80	.Pp
	81	The program
	82	.Xr jls 8
	83	ca be used to identify all active jails.
	84	.Sh ERRORS
	85	.Fn jail
	86	will fail if:
	87	.Bl -tag -width Er
	88	.It Bq Er EINVAL
	89	The version number of the argument is not correct.
	90	.El
	91	.Pp
	92	Further
	93	.Fn jail
	94	calls
	95	.Xr chroot 2
	96	internally, so it can fail for all the same reasons.
	97	Please consult the
	98	.Xr chroot 2
	99	manual page for details.
	100	.Sh SEE ALSO
	101	.Xr chdir 2 ,
	102	.Xr chroot 2 ,
	103	.Xr jail 8 ,
	104	.Xr jail_attach 2 ,
	105	.Xr jexec 8 ,
	106	.Xr jls 8
	107	.Sh HISTORY
	108	The
	109	.Fn jail
	110	function call appeared in
	111	.Fx 4.0 .
	112	.Sh AUTHORS
	113	The jail feature was written by
	114	.An Poul-Henning Kamp
	115	for R&D Associates
	116	.Dq Li http://www.rndassociates.com/
	117	who contributed it to
	118	.Fx .