xref: /freebsd/usr.sbin/jail/jail.8 (revision 195ebc7e9e4b129de810833791a19dfb4349d6a9)
1.\"
2.\" Copyright (c) 2000, 2003 Robert N. M. Watson
3.\" Copyright (c) 2008 James Gritton
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\"
28.\" ----------------------------------------------------------------------------
29.\" "THE BEER-WARE LICENSE" (Revision 42):
30.\" <phk@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
31.\" can do whatever you want with this stuff. If we meet some day, and you think
32.\" this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
33.\" ----------------------------------------------------------------------------
34.\"
35.\" $FreeBSD$
36.\"
37.Dd May 29, 2009
38.Dt JAIL 8
39.Os
40.Sh NAME
41.Nm jail
42.Nd "create or modify a system jail"
43.Sh SYNOPSIS
44.Nm
45.Op Fl dhi
46.Op Fl J Ar jid_file
47.Op Fl l u Ar username | Fl U Ar username
48.Op Fl c | m
49.Op Ar parameter=value ...
50.Br
51.Nm
52.Op Fl hi
53.Op Fl n Ar jailname
54.Op Fl J Ar jid_file
55.Op Fl s Ar securelevel
56.Op Fl l u Ar username | Fl U Ar username
57.Op Ar path hostname [ip[,..]] command ...
58.Br
59.Nm
60.Op Fl r Ar jail
61.Sh DESCRIPTION
62The
63.Nm
64utility creates a new jail or modifies an existing jail, optionally
65imprisoning the current process (and future descendants) inside it.
66.Pp
67The options are as follows:
68.Bl -tag -width indent
69.It Fl d
70Allow making changes to a
71.Va
72dying jail.
73.It Fl h
74Resolve the
75.Va host.hostname
76parameter (or
77.Va hostname )
78and add all IP addresses returned by the resolver
79to the list of
80.Va ip
81addresses for this prison.
82This may affect default address selection for outgoing IPv4 connections
83of prisons.
84The address first returned by the resolver for each address family
85will be used as primary address.
86See the
87.Va ip4.addr
88and
89.Va ip6.addr
90parameters further down for details.
91.It Fl i
92Output the jail identifier of the newly created jail.
93.It Fl n Ar jailname
94Set the jail's name.
95This is deprecated and is equivalent to setting the
96.Va name
97parameter.
98.It Fl J Ar jid_file
99Write a
100.Ar jid_file
101file, containing jail identifier, path, hostname, IP and
102command used to start the jail.
103.It Fl l
104Run program in the clean environment.
105The environment is discarded except for
106.Ev HOME , SHELL , TERM
107and
108.Ev USER .
109.Ev HOME
110and
111.Ev SHELL
112are set to the target login's default values.
113.Ev USER
114is set to the target login.
115.Ev TERM
116is imported from the current environment.
117The environment variables from the login class capability database for the
118target login are also set.
119.It Fl s Ar securelevel
120Set the
121.Va kern.securelevel
122MIB entry to the specified value inside the newly created jail.
123This is deprecated and is equivalent to setting the
124.Va securelevel
125parameter.
126.It Fl u Ar username
127The user name from host environment as whom the
128.Ar command
129should run.
130.It Fl U Ar username
131The user name from jailed environment as whom the
132.Ar command
133should run.
134.It Fl c
135Create a new jail.
136The
137.Va jid
138and
139.Va name
140parameters (if specified) must not refer to an existing jail.
141.It Fl m
142Modify an existing jail.
143One of the
144.Va jid
145or
146.Va name
147parameters must exist and refer to an existing jail.
148.It Fl cm
149Create a jail if it does not exist, or modify a jail if it does exist.
150.It Fl r
151Remove the
152.Ar jail
153specified by jid or name.
154All jailed processes are killed, and all children of this jail are also
155removed.
156.El
157.Pp
158At least one of the
159.Fl c ,
160.Fl m
161or
162.Fl r
163options must be specified.
164.Pp
165.Ar Parameters
166are listed in
167.Dq name=value
168form, following the options.
169Some parameters are boolean, and do not have a value but are set by the
170name alone with or without a
171.Dq no
172prefix, e.g.
173.Va persist
174or
175.Va nopersist .
176Any parameters not set will be given default values, often based on the
177current environment.
178.Pp
179The pseudo-parameter
180.Va command
181specifies that the current process should enter the new (or modified) jail,
182and run the specified command.
183It must be the last parameter specified, because it includes not only
184the value following the
185.Sq =
186sign, but also passes the rest of the arguments to the command.
187.Pp
188Instead of supplying named
189.Ar parameters ,
190four fixed parameters may be supplied in order on the command line:
191.Ar path ,
192.Ar hostname ,
193.Ar ip ,
194and
195.Ar command .
196As the
197.Va jid
198and
199.Va name
200parameters aren't in this list, this mode will always create a new jail, and
201the
202.Fl c
203and
204.Fl m
205options don't apply (and must not exist).
206.Pp
207Jails have a set a core parameters, and modules can add their own jail
208parameters.
209The current set of available parameters can be retrieved via
210.Dq Nm sysctl Fl d Va security.jail.param .
211The core parameters are:
212.Bl -tag -width indent
213.It Va jid
214The jail identifier.
215This will be assigned automatically to a new jail (or can be explicitly
216set), and can be used to identify the jail for later modification, or
217for such commands as
218.Xr jls 8
219or
220.Xr jexec 8 .
221.It Va name
222The jail name.
223This is an arbitrary string that identifies a jail (except it may not
224contain a
225.Sq \&. ) .
226Like the
227.Va jid ,
228it can be passed to later
229.Nm
230commands, or to
231.Xr jls 8
232or
233.Xr jexec 8 .
234If no
235.Va name
236is supplied, a default is assumed that is the same as the
237.Va jid .
238.It Va path
239Directory which is to be the root of the prison.
240The
241.Va command
242(if any) is run from this directory, as are commands from
243.Xr jexec 8 .
244.It Va ip4.addr
245A comma-separated list of IPv4 addresses assigned to the prison.
246If this is set, the jail is restricted to using only these address.
247Any attempts to use other addresses fail, and attempts to use wildcard
248addresses silently use the jailed address instead.
249For IPv4 the first address given will be kept used as the source address
250in case source address selection on unbound sockets cannot find a better
251match.
252It is only possible to start multiple jails with the same IP address,
253if none of the jails has more than this single overlapping IP address
254assigned to itself.
255.Pp
256A list of zero elements (an empty string) will stop the jail from using IPv4
257entirely; setting the boolean parameter
258.Ar noip4
259will not restrict the jail at all.
260.It Va ip6.addr
261A list of IPv6 addresses assigned to the prison, the counterpart to
262.Ar ip4.addr
263above.
264.It Va host.hostname
265Hostname of the prison.
266Other similar parameters are
267.Va host.domainname ,
268.Va host.hostuuid
269and
270.Va host.hostid .
271Setting the boolean parameter
272.Va nohost
273will retain the system values of these settings.
274.It Va securelevel
275The value of the jail's
276.Va kern.securelevel
277sysctl.
278A jail never has a lower securelevel than the default system, but by
279setting this parameter it may have a higher one.
280If the system securelevel is changed, any jail securelevels will be at
281least as secure.
282.It Va enforce_statfs
283This determines which information processes in a jail are able to get
284about mount points.
285It affects the behaviour of the following syscalls:
286.Xr statfs 2 ,
287.Xr fstatfs 2 ,
288.Xr getfsstat 2
289and
290.Xr fhstatfs 2
291(as well as similar compatibility syscalls).
292When set to 0, all mount points are available without any restrictions.
293When set to 1, only mount points below the jail's chroot directory are
294visible.
295In addition to that, the path to the jail's chroot directory is removed
296from the front of their pathnames.
297When set to 2 (default), above syscalls can operate only on a mount-point
298where the jail's chroot directory is located.
299.It Va persist
300Setting this boolean parameter allows a jail to exist without any
301processes.
302Normally, a jail is destroyed as its last process exits.
303A new jail must have either the
304.Va persist
305parameter or
306.Va command
307pseudo-parameter set.
308.It Va cpuset.id
309The ID of the cpuset associated with this jail (read-only).
310.It Va dying
311This is true if the jail is in the process of shutting down (read-only).
312.It Va parent
313The
314.Va jid
315of the parent of this jail, or zero if this is a top-level jail
316(read-only).
317.It Va allow.*
318Some restrictions of the jail environment may be set on a per-jail
319basis.
320With the exception of
321.Va allow.set_hostname ,
322these boolean parameters are off by default.
323.Bl -tag -width indent
324.It Va allow.set_hostname
325The jail's hostname may be changed via
326.Xr hostname 1
327or
328.Xr sethostname 3 .
329.It Va allow.sysvipc
330A process within the jail has access to System V IPC primitives.
331In the current jail implementation, System V primitives share a single
332namespace across the host and jail environments, meaning that processes
333within a jail would be able to communicate with (and potentially interfere
334with) processes outside of the jail, and in other jails.
335.It Va allow.raw_sockets
336The prison root is allowed to create raw sockets.
337Setting this parameter allows utilities like
338.Xr ping 8
339and
340.Xr traceroute 8
341to operate inside the prison.
342If this is set, the source IP addresses are enforced to comply
343with the IP address bound to the jail, regardless of whether or not
344the
345.Dv IP_HDRINCL
346flag has been set on the socket.
347Since raw sockets can be used to configure and interact with various
348network subsystems, extra caution should be used where privileged access
349to jails is given out to untrusted parties.
350.It Va allow.chflags
351Normally, priveleged users inside a jail are treated as unprivileged by
352.Xr chflags 2 .
353When this parameter is set, such users are treated as privileged, and
354may manipulate system file flags subject to the usual constraints on
355.Va kern.securelevel .
356.It Va allow.mount
357privileged users inside the jail will be able to mount and unmount file
358system types marked as jail-friendly.
359The
360.Xr lsvfs 1
361command can be used to find file system types available for mount from
362within a jail.
363.It Va allow.quotas
364The prison root may administer quotas on the jail's filesystem(s).
365This includes filesystems that the jail may share with other jails or
366with non-jailed parts of the system.
367.It Va allow.socket_af
368Sockets within a jail are normally restricted to IPv4, IPv6, local
369(UNIX), and route.  This allows access to other protocol stacks that
370have not had jail functionality added to them.
371.It Va allow.jails
372The prison root may create child jails under this jail.  See the
373.Va "Hierarchical Jails"
374section for more information.
375.El
376.El
377.Pp
378Jails are typically set up using one of two philosophies: either to
379constrain a specific application (possibly running with privilege), or
380to create a
381.Dq "virtual system image"
382running a variety of daemons and services.
383In both cases, a fairly complete file system install of
384.Fx
385is
386required, so as to provide the necessary command line tools, daemons,
387libraries, application configuration files, etc.
388However, for a virtual server configuration, a fair amount of
389additional work is required so as to configure the
390.Dq boot
391process.
392This manual page documents the configuration steps necessary to support
393either of these steps, although the configuration steps may be
394refined based on local requirements.
395.Sh EXAMPLES
396.Ss "Setting up a Jail Directory Tree"
397To set up a jail directory tree containing an entire
398.Fx
399distribution, the following
400.Xr sh 1
401command script can be used:
402.Bd -literal
403D=/here/is/the/jail
404cd /usr/src
405mkdir -p $D
406make world DESTDIR=$D
407make distribution DESTDIR=$D
408mount -t devfs devfs $D/dev
409.Ed
410.Pp
411NOTE: It is important that only appropriate device nodes in devfs be
412exposed to a jail; access to disk devices in the jail may permit processes
413in the jail to bypass the jail sandboxing by modifying files outside of
414the jail.
415See
416.Xr devfs 8
417for information on how to use devfs rules to limit access to entries
418in the per-jail devfs.
419A simple devfs ruleset for jails is available as ruleset #4 in
420.Pa /etc/defaults/devfs.rules .
421.Pp
422In many cases this example would put far more in the jail than needed.
423In the other extreme case a jail might contain only one file:
424the executable to be run in the jail.
425.Pp
426We recommend experimentation and caution that it is a lot easier to
427start with a
428.Dq fat
429jail and remove things until it stops working,
430than it is to start with a
431.Dq thin
432jail and add things until it works.
433.Ss "Setting Up a Jail"
434Do what was described in
435.Sx "Setting Up a Jail Directory Tree"
436to build the jail directory tree.
437For the sake of this example, we will
438assume you built it in
439.Pa /data/jail/192.0.2.100 ,
440named for the jailed IP address.
441Substitute below as needed with your
442own directory, IP address, and hostname.
443.Ss "Setting up the Host Environment"
444First, you will want to set up your real system's environment to be
445.Dq jail-friendly .
446For consistency, we will refer to the parent box as the
447.Dq "host environment" ,
448and to the jailed virtual machine as the
449.Dq "jail environment" .
450Since jail is implemented using IP aliases, one of the first things to do
451is to disable IP services on the host system that listen on all local
452IP addresses for a service.
453If a network service is present in the host environment that binds all
454available IP addresses rather than specific IP addresses, it may service
455requests sent to jail IP addresses if the jail did not bind the port.
456This means changing
457.Xr inetd 8
458to only listen on the
459appropriate IP address, and so forth.
460Add the following to
461.Pa /etc/rc.conf
462in the host environment:
463.Bd -literal -offset indent
464sendmail_enable="NO"
465inetd_flags="-wW -a 192.0.2.23"
466rpcbind_enable="NO"
467.Ed
468.Pp
469.Li 192.0.2.23
470is the native IP address for the host system, in this example.
471Daemons that run out of
472.Xr inetd 8
473can be easily set to use only the specified host IP address.
474Other daemons
475will need to be manually configured\(emfor some this is possible through
476the
477.Xr rc.conf 5
478flags entries; for others it is necessary to modify per-application
479configuration files, or to recompile the applications.
480The following frequently deployed services must have their individual
481configuration files modified to limit the application to listening
482to a specific IP address:
483.Pp
484To configure
485.Xr sshd 8 ,
486it is necessary to modify
487.Pa /etc/ssh/sshd_config .
488.Pp
489To configure
490.Xr sendmail 8 ,
491it is necessary to modify
492.Pa /etc/mail/sendmail.cf .
493.Pp
494For
495.Xr named 8 ,
496it is necessary to modify
497.Pa /etc/namedb/named.conf .
498.Pp
499In addition, a number of services must be recompiled in order to run
500them in the host environment.
501This includes most applications providing services using
502.Xr rpc 3 ,
503such as
504.Xr rpcbind 8 ,
505.Xr nfsd 8 ,
506and
507.Xr mountd 8 .
508In general, applications for which it is not possible to specify which
509IP address to bind should not be run in the host environment unless they
510should also service requests sent to jail IP addresses.
511Attempting to serve
512NFS from the host environment may also cause confusion, and cannot be
513easily reconfigured to use only specific IPs, as some NFS services are
514hosted directly from the kernel.
515Any third-party network software running
516in the host environment should also be checked and configured so that it
517does not bind all IP addresses, which would result in those services' also
518appearing to be offered by the jail environments.
519.Pp
520Once
521these daemons have been disabled or fixed in the host environment, it is
522best to reboot so that all daemons are in a known state, to reduce the
523potential for confusion later (such as finding that when you send mail
524to a jail, and its sendmail is down, the mail is delivered to the host,
525etc.).
526.Ss "Configuring the Jail"
527Start any jail for the first time without configuring the network
528interface so that you can clean it up a little and set up accounts.
529As
530with any machine (virtual or not) you will need to set a root password, time
531zone, etc.
532Some of these steps apply only if you intend to run a full virtual server
533inside the jail; others apply both for constraining a particular application
534or for running a virtual server.
535.Pp
536Start a shell in the jail:
537.Pp
538.Bd -literal -offset indent
539jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\
540	ip4.addr=192.0.2.100 command=/bin/sh
541.Ed
542.Pp
543Assuming no errors, you will end up with a shell prompt within the jail.
544You can now run
545.Pa /usr/sbin/sysinstall
546and do the post-install configuration to set various configuration options,
547or perform these actions manually by editing
548.Pa /etc/rc.conf ,
549etc.
550.Pp
551.Bl -bullet -offset indent -compact
552.It
553Create an empty
554.Pa /etc/fstab
555to quell startup warnings about missing fstab (virtual server only)
556.It
557Disable the port mapper
558.Pa ( /etc/rc.conf :
559.Li rpcbind_enable="NO" )
560(virtual server only)
561.It
562Configure
563.Pa /etc/resolv.conf
564so that name resolution within the jail will work correctly
565.It
566Run
567.Xr newaliases 1
568to quell
569.Xr sendmail 8
570warnings.
571.It
572Disable interface configuration to quell startup warnings about
573.Xr ifconfig 8
574.Pq Li network_interfaces=""
575(virtual server only)
576.It
577Set a root password, probably different from the real host system
578.It
579Set the timezone
580.It
581Add accounts for users in the jail environment
582.It
583Install any packages the environment requires
584.El
585.Pp
586You may also want to perform any package-specific configuration (web servers,
587SSH servers, etc), patch up
588.Pa /etc/syslog.conf
589so it logs as you would like, etc.
590If you are not using a virtual server, you may wish to modify
591.Xr syslogd 8
592in the host environment to listen on the syslog socket in the jail
593environment; in this example, the syslog socket would be stored in
594.Pa /data/jail/192.0.2.100/var/run/log .
595.Pp
596Exit from the shell, and the jail will be shut down.
597.Ss "Starting the Jail"
598You are now ready to restart the jail and bring up the environment with
599all of its daemons and other programs.
600If you are running a single application in the jail, substitute the
601command used to start the application for
602.Pa /etc/rc
603in the examples below.
604To start a virtual server environment,
605.Pa /etc/rc
606is run to launch various daemons and services.
607To do this, first bring up the
608virtual host interface, and then start the jail's
609.Pa /etc/rc
610script from within the jail.
611.Bd -literal -offset indent
612ifconfig ed0 inet alias 192.0.2.100/32
613mount -t procfs proc /data/jail/192.0.2.100/proc
614jail path=/data/jail/192.0.2.100 host.hostname=testhostname \\
615	ip4=addr.192.0.2.100 command=/bin/sh /etc/rc
616.Ed
617.Pp
618A few warnings will be produced, because most
619.Xr sysctl 8
620configuration variables cannot be set from within the jail, as they are
621global across all jails and the host environment.
622However, it should all
623work properly.
624You should be able to see
625.Xr inetd 8 ,
626.Xr syslogd 8 ,
627and other processes running within the jail using
628.Xr ps 1 ,
629with the
630.Ql J
631flag appearing beside jailed processes.
632To see an active list of jails, use the
633.Xr jls 8
634utility.
635You should also be able to
636.Xr telnet 1
637to the hostname or IP address of the jailed environment, and log
638in using the accounts you created previously.
639.Pp
640It is possible to have jails started at boot time.
641Please refer to the
642.Dq jail_*
643variables in
644.Xr rc.conf 5
645for more information.
646The
647.Xr rc 8
648jail script provides a flexible system to start/stop jails:
649.Bd -literal
650/etc/rc.d/jail start
651/etc/rc.d/jail stop
652/etc/rc.d/jail start myjail
653/etc/rc.d/jail stop myjail
654.Ed
655.Ss "Managing the Jail"
656Normal machine shutdown commands, such as
657.Xr halt 8 ,
658.Xr reboot 8 ,
659and
660.Xr shutdown 8 ,
661cannot be used successfully within the jail.
662To kill all processes in a
663jail, you may log into the jail and, as root, use one of the following
664commands, depending on what you want to accomplish:
665.Pp
666.Bd -literal -offset indent
667kill -TERM -1
668kill -KILL -1
669.Ed
670.Pp
671This will send the
672.Dv SIGTERM
673or
674.Dv SIGKILL
675signals to all processes in the jail from within the jail.
676Depending on
677the intended use of the jail, you may also want to run
678.Pa /etc/rc.shutdown
679from within the jail.
680To kill processes from outside the jail, use the
681.Xr jexec 8
682utility in conjunction with the one of the
683.Xr kill 1
684commands above.
685You may also remove the jail with
686.Nm
687.Ar -r ,
688which will killall the jail's processes with
689.Dv SIGKILL .
690.Pp
691The
692.Pa /proc/ Ns Ar pid Ns Pa /status
693file contains, as its last field, the name of the jail in which the
694process runs, or
695.Dq Li -
696to indicate that the process is not running within a jail.
697The
698.Xr ps 1
699command also shows a
700.Ql J
701flag for processes in a jail.
702.Pp
703You can also list/kill processes based on their jail ID.
704To show processes and their jail ID, use the following command:
705.Pp
706.Dl "ps ax -o pid,jid,args"
707.Pp
708To show and then kill processes in jail number 3 use the following commands:
709.Bd -literal -offset indent
710pgrep -lfj 3
711pkill -j 3
712.Ed
713or:
714.Pp
715.Dl "killall -j 3"
716.Ss "Jails and File Systems"
717It is not possible to
718.Xr mount 8
719or
720.Xr umount 8
721any file system inside a jail unless the file system is marked
722jail-friendly and the jail's
723.Va allow.mount
724parameter is set.
725.Pp
726Multiple jails sharing the same file system can influence each other.
727For example a user in one jail can fill the file system also
728leaving no space for processes in the other jail.
729Trying to use
730.Xr quota 1
731to prevent this will not work either as the file system quotas
732are not aware of jails but only look at the user and group IDs.
733This means the same user ID in two jails share the same file
734system quota.
735One would need to use one file system per jail to make this working.
736.Ss "Sysctl MIB Entries"
737The read-only entry
738.Va security.jail.jailed
739can be used to determine if a process is running inside a jail (value
740is one) or not (value is zero).
741.Pp
742The variable
743.Va security.jail.max_af_ips
744determines how may address per address family a prison may have.
745The default is 255.
746.Pp
747Some MIB variables have per-jail settings.
748Changes to these variables by a jailed process do not effect the host
749environment, only the jail environment.
750These variables are
751.Va kern.securelevel ,
752.Va kern.hostname ,
753.Va kern.domainname ,
754.Va kern.hostid ,
755and
756.Va kern.hostuuid .
757.Ss "Hierarchical Jails"
758By setting a jail's
759.Va allow.jails
760parameter, processes within a jail may be able to create jails of their own.
761These child jails are kept in a hierarchy, with jails only able to see and/or
762modify the jails they created (or those jails' children).
763Each jail has a read-only
764.Va parent
765parameter, containing the
766.Va jid
767of the jail that created it; a
768.Va jid
769of 0 indicates the jail is a child of the current jail (or is a top-level
770jail if the current process isn't jailed).
771.Pp
772Jailed processes are not allowed to confer greater permissions than they
773themselves are given, e.g. if a jail is created with
774.Va allow.nomount ,
775it is not able to create a jail with
776.Va allow.mount
777set.
778Similarly, such restrictions as
779.Va ip4.addr
780and
781.Va securelevel
782may not be bypassed in child jails.
783.Pp
784A child jail may in turn create its own child jails if its own
785.Va allow.jails
786parameter is set (remember it is off by default).
787These jails are visible to and can be modified by their parent and all
788ancestors.
789.Pp
790Jail names reflect this hierarchy, with a full name being an MIB-type string
791separated by dots.
792For example, if a base system process creates a jail
793.Dq foo ,
794and a process under that jail creates another jail
795.Dq bar ,
796then the second jail will be seen as
797.Dq foo.bar
798in the base system (though it is only seen as
799.Dq bar
800to any processes inside jail
801.Dq foo ) .
802Jids on the other hand exist in a single space, and each jail must have a
803unique jid.
804.Pp
805Like the names, a child jail's
806.Va path
807is relative to its creator's own
808.Va path .
809This is by virtue of the child jail being created in the chrooted
810environment of the first jail.
811.Sh SEE ALSO
812.Xr killall 1 ,
813.Xr lsvfs 1 ,
814.Xr newaliases 1 ,
815.Xr pgrep 1 ,
816.Xr pkill 1 ,
817.Xr ps 1 ,
818.Xr quota 1 ,
819.Xr chroot 2 ,
820.Xr jail_set 2 ,
821.Xr jail_attach 2 ,
822.Xr procfs 5 ,
823.Xr rc.conf 5 ,
824.Xr sysctl.conf 5 ,
825.Xr devfs 8 ,
826.Xr halt 8 ,
827.Xr inetd 8 ,
828.Xr jexec 8 ,
829.Xr jls 8 ,
830.Xr mount 8 ,
831.Xr named 8 ,
832.Xr reboot 8 ,
833.Xr rpcbind 8 ,
834.Xr sendmail 8 ,
835.Xr shutdown 8 ,
836.Xr sysctl 8 ,
837.Xr syslogd 8 ,
838.Xr umount 8
839.Sh HISTORY
840The
841.Nm
842utility appeared in
843.Fx 4.0 .
844Hierarchical/extensible jails were introduced in
845.Fx 8.0 .
846.Sh AUTHORS
847.An -nosplit
848The jail feature was written by
849.An Poul-Henning Kamp
850for R&D Associates
851.Pa http://www.rndassociates.com/
852who contributed it to
853.Fx .
854.Pp
855.An Robert Watson
856wrote the extended documentation, found a few bugs, added
857a few new features, and cleaned up the userland jail environment.
858.Pp
859.An Bjoern A. Zeeb
860added multi-IP jail support for IPv4 and IPv6 based on a patch
861originally done by
862.An Pawel Jakub Dawidek
863for IPv4.
864.Pp
865.An James Gritton
866added the extensible jail parameters and hierchical jails.
867.Sh BUGS
868Jail currently lacks the ability to allow access to
869specific jail information via
870.Xr ps 1
871as opposed to
872.Xr procfs 5 .
873Similarly, it might be a good idea to add an
874address alias flag such that daemons listening on all IPs
875.Pq Dv INADDR_ANY
876will not bind on that address, which would facilitate building a safe
877host environment such that host daemons do not impose on services offered
878from within jails.
879Currently, the simplest answer is to minimize services
880offered on the host, possibly limiting it to services offered from
881.Xr inetd 8
882which is easily configurable.
883