1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" Copyright (c) 2008 James Gritton 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" 28.\" ---------------------------------------------------------------------------- 29.\" "THE BEER-WARE LICENSE" (Revision 42): 30.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 31.\" can do whatever you want with this stuff. If we meet some day, and you think 32.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 33.\" ---------------------------------------------------------------------------- 34.\" 35.\" $FreeBSD$ 36.\" 37.Dd May 29, 2009 38.Dt JAIL 8 39.Os 40.Sh NAME 41.Nm jail 42.Nd "create or modify a system jail" 43.Sh SYNOPSIS 44.Nm 45.Op Fl dhi 46.Op Fl J Ar jid_file 47.Op Fl l u Ar username | Fl U Ar username 48.Op Fl c | m 49.Op Ar parameter=value ... 50.Br 51.Nm 52.Op Fl hi 53.Op Fl n Ar jailname 54.Op Fl J Ar jid_file 55.Op Fl s Ar securelevel 56.Op Fl l u Ar username | Fl U Ar username 57.Op Ar path hostname [ip[,..]] command ... 58.Br 59.Nm 60.Op Fl r Ar jail 61.Sh DESCRIPTION 62The 63.Nm 64utility creates a new jail or modifies an existing jail, optionally 65imprisoning the current process (and future descendants) inside it. 66.Pp 67The options are as follows: 68.Bl -tag -width indent 69.It Fl d 70Allow making changes to a 71.Va 72dying jail. 73.It Fl h 74Resolve the 75.Va host.hostname 76parameter (or 77.Va hostname ) 78and add all IP addresses returned by the resolver 79to the list of 80.Va ip 81addresses for this prison. 82This may affect default address selection for outgoing IPv4 connections 83of prisons. 84The address first returned by the resolver for each address family 85will be used as primary address. 86See the 87.Va ip4.addr 88and 89.Va ip6.addr 90parameters further down for details. 91.It Fl i 92Output the jail identifier of the newly created jail. 93.It Fl n Ar jailname 94Set the jail's name. 95This is deprecated and is equivalent to setting the 96.Va name 97parameter. 98.It Fl J Ar jid_file 99Write a 100.Ar jid_file 101file, containing jail identifier, path, hostname, IP and 102command used to start the jail. 103.It Fl l 104Run program in the clean environment. 105The environment is discarded except for 106.Ev HOME , SHELL , TERM 107and 108.Ev USER . 109.Ev HOME 110and 111.Ev SHELL 112are set to the target login's default values. 113.Ev USER 114is set to the target login. 115.Ev TERM 116is imported from the current environment. 117The environment variables from the login class capability database for the 118target login are also set. 119.It Fl s Ar securelevel 120Set the 121.Va kern.securelevel 122MIB entry to the specified value inside the newly created jail. 123This is deprecated and is equivalent to setting the 124.Va securelevel 125parameter. 126.It Fl u Ar username 127The user name from host environment as whom the 128.Ar command 129should run. 130.It Fl U Ar username 131The user name from jailed environment as whom the 132.Ar command 133should run. 134.It Fl c 135Create a new jail. 136The 137.Va jid 138and 139.Va name 140parameters (if specified) must not refer to an existing jail. 141.It Fl m 142Modify an existing jail. 143One of the 144.Va jid 145or 146.Va name 147parameters must exist and refer to an existing jail. 148.It Fl cm 149Create a jail if it does not exist, or modify a jail if it does exist. 150.It Fl r 151Remove the 152.Ar jail 153specified by jid or name. 154All jailed processes are killed, and all children of this jail are also 155removed. 156.El 157.Pp 158At least one of the 159.Fl c , 160.Fl m 161or 162.Fl r 163options must be specified. 164.Pp 165.Ar Parameters 166are listed in 167.Dq name=value 168form, following the options. 169Some parameters are boolean, and do not have a value but are set by the 170name alone with or without a 171.Dq no 172prefix, e.g. 173.Va persist 174or 175.Va nopersist . 176Any parameters not set will be given default values, often based on the 177current environment. 178.Pp 179The pseudo-parameter 180.Va command 181specifies that the current process should enter the new (or modified) jail, 182and run the specified command. 183It must be the last parameter specified, because it includes not only 184the value following the 185.Sq = 186sign, but also passes the rest of the arguments to the command. 187.Pp 188Instead of supplying named 189.Ar parameters , 190four fixed parameters may be supplied in order on the command line: 191.Ar path , 192.Ar hostname , 193.Ar ip , 194and 195.Ar command . 196As the 197.Va jid 198and 199.Va name 200parameters aren't in this list, this mode will always create a new jail, and 201the 202.Fl c 203and 204.Fl m 205options don't apply (and must not exist). 206.Pp 207Jails have a set a core parameters, and modules can add their own jail 208parameters. 209The current set of available parameters can be retrieved via 210.Dq Nm sysctl Fl d Va security.jail.param . 211The core parameters are: 212.Bl -tag -width indent 213.It Va jid 214The jail identifier. 215This will be assigned automatically to a new jail (or can be explicitly 216set), and can be used to identify the jail for later modification, or 217for such commands as 218.Xr jls 8 219or 220.Xr jexec 8 . 221.It Va name 222The jail name. 223This is an arbitrary string that identifies a jail (except it may not 224contain a 225.Sq \&. ) . 226Like the 227.Va jid , 228it can be passed to later 229.Nm 230commands, or to 231.Xr jls 8 232or 233.Xr jexec 8 . 234If no 235.Va name 236is supplied, a default is assumed that is the same as the 237.Va jid . 238.It Va path 239Directory which is to be the root of the prison. 240The 241.Va command 242(if any) is run from this directory, as are commands from 243.Xr jexec 8 . 244.It Va ip4.addr 245A comma-separated list of IPv4 addresses assigned to the prison. 246If this is set, the jail is restricted to using only these address. 247Any attempts to use other addresses fail, and attempts to use wildcard 248addresses silently use the jailed address instead. 249For IPv4 the first address given will be kept used as the source address 250in case source address selection on unbound sockets cannot find a better 251match. 252It is only possible to start multiple jails with the same IP address, 253if none of the jails has more than this single overlapping IP address 254assigned to itself. 255.Pp 256A list of zero elements (an empty string) will stop the jail from using IPv4 257entirely; setting the boolean parameter 258.Ar noip4 259will not restrict the jail at all. 260.It Va ip6.addr 261A list of IPv6 addresses assigned to the prison, the counterpart to 262.Ar ip4.addr 263above. 264.It Va host.hostname 265Hostname of the prison. 266Other similar parameters are 267.Va host.domainname , 268.Va host.hostuuid 269and 270.Va host.hostid . 271Setting the boolean parameter 272.Va nohost 273will retain the system values of these settings. 274.It Va securelevel 275The value of the jail's 276.Va kern.securelevel 277sysctl. 278A jail never has a lower securelevel than the default system, but by 279setting this parameter it may have a higher one. 280If the system securelevel is changed, any jail securelevels will be at 281least as secure. 282.It Va enforce_statfs 283This determines which information processes in a jail are able to get 284about mount points. 285It affects the behaviour of the following syscalls: 286.Xr statfs 2 , 287.Xr fstatfs 2 , 288.Xr getfsstat 2 289and 290.Xr fhstatfs 2 291(as well as similar compatibility syscalls). 292When set to 0, all mount points are available without any restrictions. 293When set to 1, only mount points below the jail's chroot directory are 294visible. 295In addition to that, the path to the jail's chroot directory is removed 296from the front of their pathnames. 297When set to 2 (default), above syscalls can operate only on a mount-point 298where the jail's chroot directory is located. 299.It Va persist 300Setting this boolean parameter allows a jail to exist without any 301processes. 302Normally, a jail is destroyed as its last process exits. 303A new jail must have either the 304.Va persist 305parameter or 306.Va command 307pseudo-parameter set. 308.It Va cpuset.id 309The ID of the cpuset associated with this jail (read-only). 310.It Va dying 311This is true if the jail is in the process of shutting down (read-only). 312.It Va parent 313The 314.Va jid 315of the parent of this jail, or zero if this is a top-level jail 316(read-only). 317.It Va allow.* 318Some restrictions of the jail environment may be set on a per-jail 319basis. 320With the exception of 321.Va allow.set_hostname , 322these boolean parameters are off by default. 323.Bl -tag -width indent 324.It Va allow.set_hostname 325The jail's hostname may be changed via 326.Xr hostname 1 327or 328.Xr sethostname 3 . 329.It Va allow.sysvipc 330A process within the jail has access to System V IPC primitives. 331In the current jail implementation, System V primitives share a single 332namespace across the host and jail environments, meaning that processes 333within a jail would be able to communicate with (and potentially interfere 334with) processes outside of the jail, and in other jails. 335.It Va allow.raw_sockets 336The prison root is allowed to create raw sockets. 337Setting this parameter allows utilities like 338.Xr ping 8 339and 340.Xr traceroute 8 341to operate inside the prison. 342If this is set, the source IP addresses are enforced to comply 343with the IP address bound to the jail, regardless of whether or not 344the 345.Dv IP_HDRINCL 346flag has been set on the socket. 347Since raw sockets can be used to configure and interact with various 348network subsystems, extra caution should be used where privileged access 349to jails is given out to untrusted parties. 350.It Va allow.chflags 351Normally, priveleged users inside a jail are treated as unprivileged by 352.Xr chflags 2 . 353When this parameter is set, such users are treated as privileged, and 354may manipulate system file flags subject to the usual constraints on 355.Va kern.securelevel . 356.It Va allow.mount 357privileged users inside the jail will be able to mount and unmount file 358system types marked as jail-friendly. 359The 360.Xr lsvfs 1 361command can be used to find file system types available for mount from 362within a jail. 363.It Va allow.quotas 364The prison root may administer quotas on the jail's filesystem(s). 365This includes filesystems that the jail may share with other jails or 366with non-jailed parts of the system. 367.It Va allow.socket_af 368Sockets within a jail are normally restricted to IPv4, IPv6, local 369(UNIX), and route. This allows access to other protocol stacks that 370have not had jail functionality added to them. 371.It Va allow.jails 372The prison root may create child jails under this jail. See the 373.Va "Hierarchical Jails" 374section for more information. 375.El 376.El 377.Pp 378Jails are typically set up using one of two philosophies: either to 379constrain a specific application (possibly running with privilege), or 380to create a 381.Dq "virtual system image" 382running a variety of daemons and services. 383In both cases, a fairly complete file system install of 384.Fx 385is 386required, so as to provide the necessary command line tools, daemons, 387libraries, application configuration files, etc. 388However, for a virtual server configuration, a fair amount of 389additional work is required so as to configure the 390.Dq boot 391process. 392This manual page documents the configuration steps necessary to support 393either of these steps, although the configuration steps may be 394refined based on local requirements. 395.Sh EXAMPLES 396.Ss "Setting up a Jail Directory Tree" 397To set up a jail directory tree containing an entire 398.Fx 399distribution, the following 400.Xr sh 1 401command script can be used: 402.Bd -literal 403D=/here/is/the/jail 404cd /usr/src 405mkdir -p $D 406make world DESTDIR=$D 407make distribution DESTDIR=$D 408mount -t devfs devfs $D/dev 409.Ed 410.Pp 411NOTE: It is important that only appropriate device nodes in devfs be 412exposed to a jail; access to disk devices in the jail may permit processes 413in the jail to bypass the jail sandboxing by modifying files outside of 414the jail. 415See 416.Xr devfs 8 417for information on how to use devfs rules to limit access to entries 418in the per-jail devfs. 419A simple devfs ruleset for jails is available as ruleset #4 in 420.Pa /etc/defaults/devfs.rules . 421.Pp 422In many cases this example would put far more in the jail than needed. 423In the other extreme case a jail might contain only one file: 424the executable to be run in the jail. 425.Pp 426We recommend experimentation and caution that it is a lot easier to 427start with a 428.Dq fat 429jail and remove things until it stops working, 430than it is to start with a 431.Dq thin 432jail and add things until it works. 433.Ss "Setting Up a Jail" 434Do what was described in 435.Sx "Setting Up a Jail Directory Tree" 436to build the jail directory tree. 437For the sake of this example, we will 438assume you built it in 439.Pa /data/jail/192.0.2.100 , 440named for the jailed IP address. 441Substitute below as needed with your 442own directory, IP address, and hostname. 443.Ss "Setting up the Host Environment" 444First, you will want to set up your real system's environment to be 445.Dq jail-friendly . 446For consistency, we will refer to the parent box as the 447.Dq "host environment" , 448and to the jailed virtual machine as the 449.Dq "jail environment" . 450Since jail is implemented using IP aliases, one of the first things to do 451is to disable IP services on the host system that listen on all local 452IP addresses for a service. 453If a network service is present in the host environment that binds all 454available IP addresses rather than specific IP addresses, it may service 455requests sent to jail IP addresses if the jail did not bind the port. 456This means changing 457.Xr inetd 8 458to only listen on the 459appropriate IP address, and so forth. 460Add the following to 461.Pa /etc/rc.conf 462in the host environment: 463.Bd -literal -offset indent 464sendmail_enable="NO" 465inetd_flags="-wW -a 192.0.2.23" 466rpcbind_enable="NO" 467.Ed 468.Pp 469.Li 192.0.2.23 470is the native IP address for the host system, in this example. 471Daemons that run out of 472.Xr inetd 8 473can be easily set to use only the specified host IP address. 474Other daemons 475will need to be manually configured\(emfor some this is possible through 476the 477.Xr rc.conf 5 478flags entries; for others it is necessary to modify per-application 479configuration files, or to recompile the applications. 480The following frequently deployed services must have their individual 481configuration files modified to limit the application to listening 482to a specific IP address: 483.Pp 484To configure 485.Xr sshd 8 , 486it is necessary to modify 487.Pa /etc/ssh/sshd_config . 488.Pp 489To configure 490.Xr sendmail 8 , 491it is necessary to modify 492.Pa /etc/mail/sendmail.cf . 493.Pp 494For 495.Xr named 8 , 496it is necessary to modify 497.Pa /etc/namedb/named.conf . 498.Pp 499In addition, a number of services must be recompiled in order to run 500them in the host environment. 501This includes most applications providing services using 502.Xr rpc 3 , 503such as 504.Xr rpcbind 8 , 505.Xr nfsd 8 , 506and 507.Xr mountd 8 . 508In general, applications for which it is not possible to specify which 509IP address to bind should not be run in the host environment unless they 510should also service requests sent to jail IP addresses. 511Attempting to serve 512NFS from the host environment may also cause confusion, and cannot be 513easily reconfigured to use only specific IPs, as some NFS services are 514hosted directly from the kernel. 515Any third-party network software running 516in the host environment should also be checked and configured so that it 517does not bind all IP addresses, which would result in those services' also 518appearing to be offered by the jail environments. 519.Pp 520Once 521these daemons have been disabled or fixed in the host environment, it is 522best to reboot so that all daemons are in a known state, to reduce the 523potential for confusion later (such as finding that when you send mail 524to a jail, and its sendmail is down, the mail is delivered to the host, 525etc.). 526.Ss "Configuring the Jail" 527Start any jail for the first time without configuring the network 528interface so that you can clean it up a little and set up accounts. 529As 530with any machine (virtual or not) you will need to set a root password, time 531zone, etc. 532Some of these steps apply only if you intend to run a full virtual server 533inside the jail; others apply both for constraining a particular application 534or for running a virtual server. 535.Pp 536Start a shell in the jail: 537.Pp 538.Bd -literal -offset indent 539jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 540 ip4.addr=192.0.2.100 command=/bin/sh 541.Ed 542.Pp 543Assuming no errors, you will end up with a shell prompt within the jail. 544You can now run 545.Pa /usr/sbin/sysinstall 546and do the post-install configuration to set various configuration options, 547or perform these actions manually by editing 548.Pa /etc/rc.conf , 549etc. 550.Pp 551.Bl -bullet -offset indent -compact 552.It 553Create an empty 554.Pa /etc/fstab 555to quell startup warnings about missing fstab (virtual server only) 556.It 557Disable the port mapper 558.Pa ( /etc/rc.conf : 559.Li rpcbind_enable="NO" ) 560(virtual server only) 561.It 562Configure 563.Pa /etc/resolv.conf 564so that name resolution within the jail will work correctly 565.It 566Run 567.Xr newaliases 1 568to quell 569.Xr sendmail 8 570warnings. 571.It 572Disable interface configuration to quell startup warnings about 573.Xr ifconfig 8 574.Pq Li network_interfaces="" 575(virtual server only) 576.It 577Set a root password, probably different from the real host system 578.It 579Set the timezone 580.It 581Add accounts for users in the jail environment 582.It 583Install any packages the environment requires 584.El 585.Pp 586You may also want to perform any package-specific configuration (web servers, 587SSH servers, etc), patch up 588.Pa /etc/syslog.conf 589so it logs as you would like, etc. 590If you are not using a virtual server, you may wish to modify 591.Xr syslogd 8 592in the host environment to listen on the syslog socket in the jail 593environment; in this example, the syslog socket would be stored in 594.Pa /data/jail/192.0.2.100/var/run/log . 595.Pp 596Exit from the shell, and the jail will be shut down. 597.Ss "Starting the Jail" 598You are now ready to restart the jail and bring up the environment with 599all of its daemons and other programs. 600If you are running a single application in the jail, substitute the 601command used to start the application for 602.Pa /etc/rc 603in the examples below. 604To start a virtual server environment, 605.Pa /etc/rc 606is run to launch various daemons and services. 607To do this, first bring up the 608virtual host interface, and then start the jail's 609.Pa /etc/rc 610script from within the jail. 611.Bd -literal -offset indent 612ifconfig ed0 inet alias 192.0.2.100/32 613mount -t procfs proc /data/jail/192.0.2.100/proc 614jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 615 ip4=addr.192.0.2.100 command=/bin/sh /etc/rc 616.Ed 617.Pp 618A few warnings will be produced, because most 619.Xr sysctl 8 620configuration variables cannot be set from within the jail, as they are 621global across all jails and the host environment. 622However, it should all 623work properly. 624You should be able to see 625.Xr inetd 8 , 626.Xr syslogd 8 , 627and other processes running within the jail using 628.Xr ps 1 , 629with the 630.Ql J 631flag appearing beside jailed processes. 632To see an active list of jails, use the 633.Xr jls 8 634utility. 635You should also be able to 636.Xr telnet 1 637to the hostname or IP address of the jailed environment, and log 638in using the accounts you created previously. 639.Pp 640It is possible to have jails started at boot time. 641Please refer to the 642.Dq jail_* 643variables in 644.Xr rc.conf 5 645for more information. 646The 647.Xr rc 8 648jail script provides a flexible system to start/stop jails: 649.Bd -literal 650/etc/rc.d/jail start 651/etc/rc.d/jail stop 652/etc/rc.d/jail start myjail 653/etc/rc.d/jail stop myjail 654.Ed 655.Ss "Managing the Jail" 656Normal machine shutdown commands, such as 657.Xr halt 8 , 658.Xr reboot 8 , 659and 660.Xr shutdown 8 , 661cannot be used successfully within the jail. 662To kill all processes in a 663jail, you may log into the jail and, as root, use one of the following 664commands, depending on what you want to accomplish: 665.Pp 666.Bd -literal -offset indent 667kill -TERM -1 668kill -KILL -1 669.Ed 670.Pp 671This will send the 672.Dv SIGTERM 673or 674.Dv SIGKILL 675signals to all processes in the jail from within the jail. 676Depending on 677the intended use of the jail, you may also want to run 678.Pa /etc/rc.shutdown 679from within the jail. 680To kill processes from outside the jail, use the 681.Xr jexec 8 682utility in conjunction with the one of the 683.Xr kill 1 684commands above. 685You may also remove the jail with 686.Nm 687.Ar -r , 688which will killall the jail's processes with 689.Dv SIGKILL . 690.Pp 691The 692.Pa /proc/ Ns Ar pid Ns Pa /status 693file contains, as its last field, the name of the jail in which the 694process runs, or 695.Dq Li - 696to indicate that the process is not running within a jail. 697The 698.Xr ps 1 699command also shows a 700.Ql J 701flag for processes in a jail. 702.Pp 703You can also list/kill processes based on their jail ID. 704To show processes and their jail ID, use the following command: 705.Pp 706.Dl "ps ax -o pid,jid,args" 707.Pp 708To show and then kill processes in jail number 3 use the following commands: 709.Bd -literal -offset indent 710pgrep -lfj 3 711pkill -j 3 712.Ed 713or: 714.Pp 715.Dl "killall -j 3" 716.Ss "Jails and File Systems" 717It is not possible to 718.Xr mount 8 719or 720.Xr umount 8 721any file system inside a jail unless the file system is marked 722jail-friendly and the jail's 723.Va allow.mount 724parameter is set. 725.Pp 726Multiple jails sharing the same file system can influence each other. 727For example a user in one jail can fill the file system also 728leaving no space for processes in the other jail. 729Trying to use 730.Xr quota 1 731to prevent this will not work either as the file system quotas 732are not aware of jails but only look at the user and group IDs. 733This means the same user ID in two jails share the same file 734system quota. 735One would need to use one file system per jail to make this working. 736.Ss "Sysctl MIB Entries" 737The read-only entry 738.Va security.jail.jailed 739can be used to determine if a process is running inside a jail (value 740is one) or not (value is zero). 741.Pp 742The variable 743.Va security.jail.max_af_ips 744determines how may address per address family a prison may have. 745The default is 255. 746.Pp 747Some MIB variables have per-jail settings. 748Changes to these variables by a jailed process do not effect the host 749environment, only the jail environment. 750These variables are 751.Va kern.securelevel , 752.Va kern.hostname , 753.Va kern.domainname , 754.Va kern.hostid , 755and 756.Va kern.hostuuid . 757.Ss "Hierarchical Jails" 758By setting a jail's 759.Va allow.jails 760parameter, processes within a jail may be able to create jails of their own. 761These child jails are kept in a hierarchy, with jails only able to see and/or 762modify the jails they created (or those jails' children). 763Each jail has a read-only 764.Va parent 765parameter, containing the 766.Va jid 767of the jail that created it; a 768.Va jid 769of 0 indicates the jail is a child of the current jail (or is a top-level 770jail if the current process isn't jailed). 771.Pp 772Jailed processes are not allowed to confer greater permissions than they 773themselves are given, e.g. if a jail is created with 774.Va allow.nomount , 775it is not able to create a jail with 776.Va allow.mount 777set. 778Similarly, such restrictions as 779.Va ip4.addr 780and 781.Va securelevel 782may not be bypassed in child jails. 783.Pp 784A child jail may in turn create its own child jails if its own 785.Va allow.jails 786parameter is set (remember it is off by default). 787These jails are visible to and can be modified by their parent and all 788ancestors. 789.Pp 790Jail names reflect this hierarchy, with a full name being an MIB-type string 791separated by dots. 792For example, if a base system process creates a jail 793.Dq foo , 794and a process under that jail creates another jail 795.Dq bar , 796then the second jail will be seen as 797.Dq foo.bar 798in the base system (though it is only seen as 799.Dq bar 800to any processes inside jail 801.Dq foo ) . 802Jids on the other hand exist in a single space, and each jail must have a 803unique jid. 804.Pp 805Like the names, a child jail's 806.Va path 807is relative to its creator's own 808.Va path . 809This is by virtue of the child jail being created in the chrooted 810environment of the first jail. 811.Sh SEE ALSO 812.Xr killall 1 , 813.Xr lsvfs 1 , 814.Xr newaliases 1 , 815.Xr pgrep 1 , 816.Xr pkill 1 , 817.Xr ps 1 , 818.Xr quota 1 , 819.Xr chroot 2 , 820.Xr jail_set 2 , 821.Xr jail_attach 2 , 822.Xr procfs 5 , 823.Xr rc.conf 5 , 824.Xr sysctl.conf 5 , 825.Xr devfs 8 , 826.Xr halt 8 , 827.Xr inetd 8 , 828.Xr jexec 8 , 829.Xr jls 8 , 830.Xr mount 8 , 831.Xr named 8 , 832.Xr reboot 8 , 833.Xr rpcbind 8 , 834.Xr sendmail 8 , 835.Xr shutdown 8 , 836.Xr sysctl 8 , 837.Xr syslogd 8 , 838.Xr umount 8 839.Sh HISTORY 840The 841.Nm 842utility appeared in 843.Fx 4.0 . 844Hierarchical/extensible jails were introduced in 845.Fx 8.0 . 846.Sh AUTHORS 847.An -nosplit 848The jail feature was written by 849.An Poul-Henning Kamp 850for R&D Associates 851.Pa http://www.rndassociates.com/ 852who contributed it to 853.Fx . 854.Pp 855.An Robert Watson 856wrote the extended documentation, found a few bugs, added 857a few new features, and cleaned up the userland jail environment. 858.Pp 859.An Bjoern A. Zeeb 860added multi-IP jail support for IPv4 and IPv6 based on a patch 861originally done by 862.An Pawel Jakub Dawidek 863for IPv4. 864.Pp 865.An James Gritton 866added the extensible jail parameters and hierchical jails. 867.Sh BUGS 868Jail currently lacks the ability to allow access to 869specific jail information via 870.Xr ps 1 871as opposed to 872.Xr procfs 5 . 873Similarly, it might be a good idea to add an 874address alias flag such that daemons listening on all IPs 875.Pq Dv INADDR_ANY 876will not bind on that address, which would facilitate building a safe 877host environment such that host daemons do not impose on services offered 878from within jails. 879Currently, the simplest answer is to minimize services 880offered on the host, possibly limiting it to services offered from 881.Xr inetd 8 882which is easily configurable. 883