Lines Matching +full:inside +full:- +full:secure
2 .\" Copyright (c) 2008-2012 James Gritton
94 .Bl -tag -width indent
104 Exhibit a list of all configured non-wildcard jails and their parameters.
129 The jail is first removed and then re-created, as if
146 .Bl -tag -width indent
148 Clean up after an already-removed jail, running commands and operations
193 No removal-related parameters for this jail will be used \(em the jail will
198 MIB entry to the specified value inside the newly created jail.
251 If hierarchical jails exist, a partial-matching wildcard definition may
288 comma-separated list, or with
293 List-based parameters may also be specified multiple times on the command
309 Then there are pseudo-parameters that are only used by
320 .Bl -tag -width indent
354 Any commands run inside the jail, either by
434 least as secure.
440 Mounting devfs inside a jail is possible only if the
447 Devfs rules and rulesets cannot be viewed or modified from inside a jail.
456 in the per-jail devfs.
485 When set to 2 (default), above syscalls can operate only on a mount-point
498 pseudo-parameter set.
500 The ID of the cpuset associated with this jail (read-only).
502 This is true if the jail is in the process of shutting down (read-only).
506 of the parent of this jail, or zero if this is a top-level jail
507 (read-only).
511 sysctl and uname -r.
515 and uname -K.
520 sysctl, which can only be adjusted by the non-jailed root user.
553 Some restrictions of the jail environment may be set on a per-jail
560 .Bl -tag -width indent
568 This is deprecated in favor of the per-module parameters (see below).
582 to operate inside the jail.
592 Normally, privileged users inside a jail are treated as unprivileged by
598 privileged users inside the jail will be able to mount and unmount file
599 system types marked as jail-friendly.
608 privileged users inside the jail will be able to mount and unmount the
621 with non-jailed parts of the system.
650 daemons are permitted to run inside a properly configured vnet-enabled jail.
695 The super-user will be disabled automatically if its parent system has it
697 The super-user is enabled by default.
714 Allow privileged process in the non-VNET jail to modify the system routing
726 to encapsulate the jail in some module-specific way,
731 Module-specific parameters include:
732 .Bl -tag -width indent
734 privileged users inside the jail will be able to mount and unmount the
742 privileged users inside the jail will be able to mount and unmount
743 fuse-based file systems.
750 privileged users inside the jail will be able to mount and unmount the
758 privileged users inside the jail will be able to mount and unmount the
766 privileged users inside the jail will be able to mount and unmount the
774 privileged users inside the jail will be able to mount and unmount the
782 privileged users inside the jail will be able to mount and unmount the
790 privileged users inside the jail will be able to mount and unmount the
798 .Xr zfs-jail 8
831 the jail cannot perform any sysvmsg-related system calls.
846 There are pseudo-parameters that are not passed to the kernel, but are
862 .Bl -tag -width indent -offset indent
877 The pseudo-parameters are:
878 .Bl -tag -width indent
969 The FIB (routing table) to set when running commands inside the jail.
997 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
1002 If a netmask in either dotted-quad or CIDR form is given
1011 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
1013 A list of network interfaces to give to a vnet-enabled jail after it is created.
1021 .Xr zfs-jail 8
1054 to restrict the devices visible inside the jail.
1111 .Bd -literal -offset indent
1114 mkdir -p $D
1143 .Dq jail-friendly .
1161 .Bd -literal -offset indent
1163 inetd_flags="-wW -a 192.0.2.23"
1175 flags entries; for others it is necessary to modify per-application
1207 Any third-party network software running
1225 inside the jail; others apply both for constraining a particular application
1229 .Bd -literal -offset indent
1230 jail -c path=/data/jail/testjail mount.devfs \\
1238 and do the post-install configuration to set various configuration options,
1243 .Bl -bullet -offset indent -compact
1264 You may also want to perform any package-specific configuration (web servers,
1280 .Bd -literal -offset indent
1308 .Bd -literal -offset indent
1309 jail -c testjail
1345 .Bd -literal -offset indent
1346 kill -TERM -1
1347 kill -KILL -1
1366 .Bd -literal -offset indent
1367 jail -r
1382 .Dq Li -
1393 .Dl "ps ax -o pid,jid,args"
1396 .Bd -literal -offset indent
1397 pgrep -lfj 3
1398 pkill -j 3
1402 .Dl "killall -j 3"
1408 any file system inside a jail unless the file system is marked
1409 jail-friendly, the jail's
1426 The read-only entry
1428 can be used to determine if a process is running inside a jail (value
1436 Some MIB variables have per-jail settings.
1453 Each jail has a read-only
1459 of 0 indicates the jail is a child of the current jail (or is a top-level
1480 Jail names reflect this hierarchy, with a full name being an MIB-type string
1490 to any processes inside jail
1542 .Xr zfs-jail 8 ,
1554 .An -nosplit
1556 .An Poul-Henning Kamp
1566 added multi-IP jail support for IPv4 and IPv6 based on a patch
1594 outside the jail can cooperate with a privileged user inside the jail