xref: /freebsd/usr.sbin/jail/jail.8 (revision 52259a98adba7622f236db46a330e61df0c84fb1)
1.\" Copyright (c) 2000, 2003 Robert N. M. Watson
2.\" Copyright (c) 2008-2012 James Gritton
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.\" $FreeBSD$
27.\"
28.Dd July 20, 2015
29.Dt JAIL 8
30.Os
31.Sh NAME
32.Nm jail
33.Nd "manage system jails"
34.Sh SYNOPSIS
35.Nm
36.Op Fl dhilqv
37.Op Fl J Ar jid_file
38.Op Fl u Ar username
39.Op Fl U Ar username
40.Op Fl cmr
41.Ar param Ns = Ns Ar value ...
42.Op Cm command Ns = Ns Ar command ...
43.Nm
44.Op Fl dqv
45.Op Fl f Ar conf_file
46.Op Fl p Ar limit
47.Op Fl cmr
48.Op Ar jail
49.Nm
50.Op Fl qv
51.Op Fl f Ar conf_file
52.Op Fl rR
53.Op Cm * | Ar jail ...
54.Nm
55.Op Fl dhilqv
56.Op Fl J Ar jid_file
57.Op Fl u Ar username
58.Op Fl U Ar username
59.Op Fl n Ar jailname
60.Op Fl s Ar securelevel
61.Op Ar path hostname [ Ar ip Ns [ Ns Ar ,... Ns ]] Ar command ...
62.Sh DESCRIPTION
63The
64.Nm
65utility creates new jails, or modifies or removes existing jails.
66A jail
67.Pq or Dq prison
68is specified via parameters on the command line, or in the
69.Xr jail.conf 5
70file.
71.Pp
72At least one of the options
73.Fl c ,
74.Fl m
75or
76.Fl r
77must be specified.
78These options are used alone or in combination to describe the operation to
79perform:
80.Bl -tag -width indent
81.It Fl c
82Create a new jail.
83The jail
84.Va jid
85and
86.Va name
87parameters (if specified on the command line)
88must not refer to an existing jail.
89.It Fl m
90Modify an existing jail.
91One of the
92.Va jid
93or
94.Va name
95parameters must exist and refer to an existing jail.
96Some parameters may not be changed on a running jail.
97.It Fl r
98Remove the
99.Ar jail
100specified by jid or name.
101All jailed processes are killed, and all jails that are
102children of this jail are also
103removed.
104.It Fl rc
105Restart an existing jail.
106The jail is first removed and then re-created, as if
107.Dq Nm Fl r
108and
109.Dq Nm Fl c
110were run in succession.
111.It Fl cm
112Create a jail if it does not exist, or modify the jail if it does exist.
113.It Fl mr
114Modify an existing jail.
115The jail may be restarted if necessary to modify parameters than could
116not otherwise be changed.
117.It Fl cmr
118Create a jail if it doesn't exist, or modify (and possibly restart) the
119jail if it does exist.
120.El
121.Pp
122Other available options are:
123.Bl -tag -width indent
124.It Fl d
125Allow making changes to a dying jail, equivalent to the
126.Va allow.dying
127parameter.
128.It Fl f Ar conf_file
129Use configuration file
130.Ar conf_file
131instead of the default
132.Pa /etc/jail.conf .
133.It Fl h
134Resolve the
135.Va host.hostname
136parameter (or
137.Va hostname )
138and add all IP addresses returned by the resolver
139to the list of addresses for this jail.
140This is equivalent to the
141.Va ip_hostname
142parameter.
143.It Fl i
144Output (only) the jail identifier of the newly created jail(s).
145This implies the
146.Fl q
147option.
148.It Fl J Ar jid_file
149Write a
150.Ar jid_file
151file, containing the parameters used to start the jail.
152.It Fl l
153Run commands in a clean environment.
154This is deprecated and is equivalent to the exec.clean parameter.
155.It Fl n Ar jailname
156Set the jail's name.
157This is deprecated and is equivalent to the
158.Va name
159parameter.
160.It Fl p Ar limit
161Limit the number of commands from
162.Va  exec.*
163that can run simultaneously.
164.It Fl q
165Suppress the message printed whenever a jail is created, modified or removed.
166Only error messages will be printed.
167.It Fl R
168A variation of the
169.Fl r
170option that removes an existing jail without using the configuration file.
171No removal-related parameters for this jail will be used \(em the jail will
172simply be removed.
173.It Fl s Ar securelevel
174Set the
175.Va kern.securelevel
176MIB entry to the specified value inside the newly created jail.
177This is deprecated and is equivalent to the
178.Va securelevel
179parameter.
180.It Fl u Ar username
181The user name from host environment as whom jailed commands should run.
182This is deprecated and is equivalent to the
183.Va exec.jail_user
184and
185.Va exec.system_jail_user
186parameters.
187.It Fl U Ar username
188The user name from the jailed environment as whom jailed commands should run.
189This is deprecated and is equivalent to the
190.Va exec.jail_user
191parameter.
192.It Fl v
193Print a message on every operation, such as running commands and
194mounting filesystems.
195.El
196.Pp
197If no arguments are given after the options, the operation (except
198remove) will be performed on all jails specified in the
199.Xr jail.conf 5
200file.
201A single argument of a jail name will operate only on the specified jail.
202The
203.Fl r
204and
205.Fl R
206options can also remove running jails that aren't in the
207.Xr jail.conf 5
208file, specified by name or jid.
209.Pp
210An argument of
211.Dq *
212is a wildcard that will operate on all jails, regardless of whether
213they appear in
214.Xr jail.conf 5 ;
215this is the surest way for
216.Fl r
217to remove all jails.
218If hierarchical jails exist, a partial-matching wildcard definition may
219be specified.
220For example, an argument of
221.Dq foo.*
222would apply to jails with names like
223.Dq foo.bar
224and
225.Dq foo.bar.baz .
226.Pp
227A jail may be specified with parameters directly on the command line.
228In this case, the
229.Xr jail.conf 5
230file will not be used.
231For backward compatibility, the command line may also have four fixed
232parameters, without names:
233.Ar path ,
234.Ar hostname ,
235.Ar ip ,
236and
237.Ar command .
238This mode will always create a new jail, and the
239.Fl c
240and
241.Fl m
242options do not apply (and must not be present).
243.Ss Jail Parameters
244Parameters in the
245.Xr jail.conf 5
246file, or on the command line, are generally of the form
247.Dq name=value .
248Some parameters are boolean, and do not have a value but are set by the
249name alone with or without a
250.Dq no
251prefix, e.g.
252.Va persist
253or
254.Va nopersist .
255They can also be given the values
256.Dq true
257and
258.Dq false .
259Other parameters may have more than one value, specified as a
260comma-separated list or with
261.Dq +=
262in the configuration file (see
263.Xr jail.conf 5
264for details).
265.Pp
266The
267.Nm
268utility recognizes two classes of parameters.
269There are the true jail
270parameters that are passed to the kernel when the jail is created,
271which can be seen with
272.Xr jls 8 ,
273and can (usually) be changed with
274.Dq Nm Fl m .
275Then there are pseudo-parameters that are only used by
276.Nm
277itself.
278.Pp
279Jails have a set of core parameters, and kernel modules can add their own
280jail parameters.
281The current set of available parameters can be retrieved via
282.Dq Nm sysctl Fl d Va security.jail.param .
283Any parameters not set will be given default values, often based on the
284current environment.
285The core parameters are:
286.Bl -tag -width indent
287.It Va jid
288The jail identifier.
289This will be assigned automatically to a new jail (or can be explicitly
290set), and can be used to identify the jail for later modification, or
291for such commands as
292.Xr jls 8
293or
294.Xr jexec 8 .
295.It Va name
296The jail name.
297This is an arbitrary string that identifies a jail (except it may not
298contain a
299.Sq \&. ) .
300Like the
301.Va jid ,
302it can be passed to later
303.Nm
304commands, or to
305.Xr jls 8
306or
307.Xr jexec 8 .
308If no
309.Va name
310is supplied, a default is assumed that is the same as the
311.Va jid .
312The
313.Va name
314parameter is implied by the
315.Xr jail.conf 5
316file format, and need not be explicitly set when using the configuration
317file.
318.It Va path
319The directory which is to be the root of the jail.
320Any commands run inside the jail, either by
321.Nm
322or from
323.Xr jexec 8 ,
324are run from this directory.
325.It Va ip4.addr
326A list of IPv4 addresses assigned to the jail.
327If this is set, the jail is restricted to using only these addresses.
328Any attempts to use other addresses fail, and attempts to use wildcard
329addresses silently use the jailed address instead.
330For IPv4 the first address given will be used as the source address
331when source address selection on unbound sockets cannot find a better
332match.
333It is only possible to start multiple jails with the same IP address
334if none of the jails has more than this single overlapping IP address
335assigned to itself.
336.It Va ip4.saddrsel
337A boolean option to change the formerly mentioned behaviour and disable
338IPv4 source address selection for the jail in favour of the primary
339IPv4 address of the jail.
340Source address selection is enabled by default for all jails and the
341.Va ip4.nosaddrsel
342setting of a parent jail is not inherited for any child jails.
343.It Va ip4
344Control the availability of IPv4 addresses.
345Possible values are
346.Dq inherit
347to allow unrestricted access to all system addresses,
348.Dq new
349to restrict addresses via
350.Va ip4.addr ,
351and
352.Dq disable
353to stop the jail from using IPv4 entirely.
354Setting the
355.Va ip4.addr
356parameter implies a value of
357.Dq new .
358.It Va ip6.addr , Va ip6.saddrsel , Va ip6
359A set of IPv6 options for the jail, the counterparts to
360.Va ip4.addr ,
361.Va ip4.saddrsel
362and
363.Va ip4
364above.
365.It Va vnet
366Create the jail with its own virtual network stack,
367with its own network interfaces, addresses, routing table, etc.
368The kernel must have been compiled with the
369.Sy VIMAGE option
370for this to be available.
371Possible values are
372.Dq inherit
373to use the system network stack, possibly with restricted IP addresses,
374and
375.Dq new
376to create a new network stack.
377.It Va host.hostname
378The hostname of the jail.
379Other similar parameters are
380.Va host.domainname ,
381.Va host.hostuuid
382and
383.Va host.hostid .
384.It Va host
385Set the origin of hostname and related information.
386Possible values are
387.Dq inherit
388to use the system information and
389.Dq new
390for the jail to use the information from the above fields.
391Setting any of the above fields implies a value of
392.Dq new .
393.It Va securelevel
394The value of the jail's
395.Va kern.securelevel
396sysctl.
397A jail never has a lower securelevel than its parent system, but by
398setting this parameter it may have a higher one.
399If the system securelevel is changed, any jail securelevels will be at
400least as secure.
401.It Va devfs_ruleset
402The number of the devfs ruleset that is enforced for mounting devfs in
403this jail.
404A value of zero (default) means no ruleset is enforced.
405Descendant jails inherit the parent jail's devfs ruleset enforcement.
406Mounting devfs inside a jail is possible only if the
407.Va allow.mount
408and
409.Va allow.mount.devfs
410permissions are effective and
411.Va enforce_statfs
412is set to a value lower than 2.
413Devfs rules and rulesets cannot be viewed or modified from inside a jail.
414.Pp
415NOTE: It is important that only appropriate device nodes in devfs be
416exposed to a jail; access to disk devices in the jail may permit processes
417in the jail to bypass the jail sandboxing by modifying files outside of
418the jail.
419See
420.Xr devfs 8
421for information on how to use devfs rules to limit access to entries
422in the per-jail devfs.
423A simple devfs ruleset for jails is available as ruleset #4 in
424.Pa /etc/defaults/devfs.rules .
425.It Va children.max
426The number of child jails allowed to be created by this jail (or by
427other jails under this jail).
428This limit is zero by default, indicating the jail is not allowed to
429create child jails.
430See the
431.Sx "Hierarchical Jails"
432section for more information.
433.It Va children.cur
434The number of descendants of this jail, including its own child jails
435and any jails created under them.
436.It Va enforce_statfs
437This determines what information processes in a jail are able to get
438about mount points.
439It affects the behaviour of the following syscalls:
440.Xr statfs 2 ,
441.Xr fstatfs 2 ,
442.Xr getfsstat 2 ,
443and
444.Xr fhstatfs 2
445(as well as similar compatibility syscalls).
446When set to 0, all mount points are available without any restrictions.
447When set to 1, only mount points below the jail's chroot directory are
448visible.
449In addition to that, the path to the jail's chroot directory is removed
450from the front of their pathnames.
451When set to 2 (default), above syscalls can operate only on a mount-point
452where the jail's chroot directory is located.
453.It Va persist
454Setting this boolean parameter allows a jail to exist without any
455processes.
456Normally, a command is run as part of jail creation, and then the jail
457is destroyed as its last process exits.
458A new jail must have either the
459.Va persist
460parameter or
461.Va exec.start
462or
463.Va command
464pseudo-parameter set.
465.It Va cpuset.id
466The ID of the cpuset associated with this jail (read-only).
467.It Va dying
468This is true if the jail is in the process of shutting down (read-only).
469.It Va parent
470The
471.Va jid
472of the parent of this jail, or zero if this is a top-level jail
473(read-only).
474.It Va osrelease
475The string for the jail's
476.Va kern.osrelease
477sysctl and uname -r.
478.It Va osreldate
479The number for the jail's
480.Va kern.osreldate
481and uname -K.
482.It Va allow.*
483Some restrictions of the jail environment may be set on a per-jail
484basis.
485With the exception of
486.Va allow.set_hostname ,
487these boolean parameters are off by default.
488.Bl -tag -width indent
489.It Va allow.set_hostname
490The jail's hostname may be changed via
491.Xr hostname 1
492or
493.Xr sethostname 3 .
494.It Va allow.sysvipc
495A process within the jail has access to System V IPC primitives.
496In the current jail implementation, System V primitives share a single
497namespace across the host and jail environments, meaning that processes
498within a jail would be able to communicate with (and potentially interfere
499with) processes outside of the jail, and in other jails.
500.It Va allow.raw_sockets
501The jail root is allowed to create raw sockets.
502Setting this parameter allows utilities like
503.Xr ping 8
504and
505.Xr traceroute 8
506to operate inside the jail.
507If this is set, the source IP addresses are enforced to comply
508with the IP address bound to the jail, regardless of whether or not
509the
510.Dv IP_HDRINCL
511flag has been set on the socket.
512Since raw sockets can be used to configure and interact with various
513network subsystems, extra caution should be used where privileged access
514to jails is given out to untrusted parties.
515.It Va allow.chflags
516Normally, privileged users inside a jail are treated as unprivileged by
517.Xr chflags 2 .
518When this parameter is set, such users are treated as privileged, and
519may manipulate system file flags subject to the usual constraints on
520.Va kern.securelevel .
521.It Va allow.mount
522privileged users inside the jail will be able to mount and unmount file
523system types marked as jail-friendly.
524The
525.Xr lsvfs 1
526command can be used to find file system types available for mount from
527within a jail.
528This permission is effective only if
529.Va enforce_statfs
530is set to a value lower than 2.
531.It Va allow.mount.devfs
532privileged users inside the jail will be able to mount and unmount the
533devfs file system.
534This permission is effective only together with
535.Va allow.mount
536and only when
537.Va enforce_statfs
538is set to a value lower than 2.
539The devfs ruleset should be restricted from the default by using the
540.Va devfs_ruleset
541option.
542.It Va allow.mount.fdescfs
543privileged users inside the jail will be able to mount and unmount the
544fdescfs file system.
545This permission is effective only together with
546.Va allow.mount
547and only when
548.Va enforce_statfs
549is set to a value lower than 2.
550.It Va allow.mount.nullfs
551privileged users inside the jail will be able to mount and unmount the
552nullfs file system.
553This permission is effective only together with
554.Va allow.mount
555and only when
556.Va enforce_statfs
557is set to a value lower than 2.
558.It Va allow.mount.procfs
559privileged users inside the jail will be able to mount and unmount the
560procfs file system.
561This permission is effective only together with
562.Va allow.mount
563and only when
564.Va enforce_statfs
565is set to a value lower than 2.
566.It Va allow.mount.linprocfs
567privileged users inside the jail will be able to mount and unmount the
568linprocfs file system.
569This permission is effective only together with
570.Va allow.mount
571and only when
572.Va enforce_statfs
573is set to a value lower than 2.
574.It Va allow.mount.linsysfs
575privileged users inside the jail will be able to mount and unmount the
576linsysfs file system.
577This permission is effective only together with
578.Va allow.mount
579and only when
580.Va enforce_statfs
581is set to a value lower than 2.
582.It Va allow.mount.tmpfs
583privileged users inside the jail will be able to mount and unmount the
584tmpfs file system.
585This permission is effective only together with
586.Va allow.mount
587and only when
588.Va enforce_statfs
589is set to a value lower than 2.
590.It Va allow.mount.zfs
591privileged users inside the jail will be able to mount and unmount the
592ZFS file system.
593This permission is effective only together with
594.Va allow.mount
595and only when
596.Va enforce_statfs
597is set to a value lower than 2.
598See
599.Xr zfs 8
600for information on how to configure the ZFS filesystem to operate from
601within a jail.
602.It Va allow.quotas
603The jail root may administer quotas on the jail's filesystem(s).
604This includes filesystems that the jail may share with other jails or
605with non-jailed parts of the system.
606.It Va allow.socket_af
607Sockets within a jail are normally restricted to IPv4, IPv6, local
608(UNIX), and route.  This allows access to other protocol stacks that
609have not had jail functionality added to them.
610.El
611.El
612.Pp
613There are pseudo-parameters that are not passed to the kernel, but are
614used by
615.Nm
616to set up the jail environment, often by running specified commands
617when jails are created or removed.
618The
619.Va exec.*
620command parameters are
621.Xr sh 1
622command lines that are run in either the system or jail environment.
623They may be given multiple values, which would run the specified
624commands in sequence.
625All commands must succeed (return a zero exit status), or the jail will
626not be created or removed, as appropriate.
627.Pp
628The pseudo-parameters are:
629.Bl -tag -width indent
630.It Va exec.prestart
631Command(s) to run in the system environment before a jail is created.
632.It Va exec.start
633Command(s) to run in the jail environment when a jail is created.
634A typical command to run is
635.Dq sh /etc/rc .
636.It Va command
637A synonym for
638.Va exec.start
639for use when specifying a jail directly on the command line.
640Unlike other parameters whose value is a single string,
641.Va command
642uses the remainder of the
643.Nm
644command line as its own arguments.
645.It Va exec.poststart
646Command(s) to run in the system environment after a jail is created,
647and after any
648.Va exec.start
649commands have completed.
650.It Va exec.prestop
651Command(s) to run in the system environment before a jail is removed.
652.It Va exec.stop
653Command(s) to run in the jail environment before a jail is removed,
654and after any
655.Va exec.prestop
656commands have completed.
657A typical command to run is
658.Dq sh /etc/rc.shutdown .
659.It Va exec.poststop
660Command(s) to run in the system environment after a jail is removed.
661.It Va exec.clean
662Run commands in a clean environment.
663The environment is discarded except for
664.Ev HOME , SHELL , TERM
665and
666.Ev USER .
667.Ev HOME
668and
669.Ev SHELL
670are set to the target login's default values.
671.Ev USER
672is set to the target login.
673.Ev TERM
674is imported from the current environment.
675The environment variables from the login class capability database for the
676target login are also set.
677.It Va exec.jail_user
678The user to run commands as, when running in the jail environment.
679The default is to run the commands as the current user.
680.It Va exec.system_jail_user
681This boolean option looks for the
682.Va exec.jail_user
683in the system
684.Xr passwd 5
685file, instead of in the jail's file.
686.It Va exec.system_user
687The user to run commands as, when running in the system environment.
688The default is to run the commands as the current user.
689.It Va exec.timeout
690The maximum amount of time to wait for a command to complete, in
691seconds.
692If a command is still running after this timeout has passed,
693the jail will not be created or removed, as appropriate.
694.It Va exec.consolelog
695A file to direct command output (stdout and stderr) to.
696.It Va exec.fib
697The FIB (routing table) to set when running commands inside the jail.
698.It Va stop.timeout
699The maximum amount of time to wait for a jail's processes to exit
700after sending them a
701.Dv SIGTERM
702signal (which happens after the
703.Va exec.stop
704commands have completed).
705After this many seconds have passed, the jail will be removed, which
706will kill any remaining processes.
707If this is set to zero, no
708.Dv SIGTERM
709is sent and the jail is immediately removed.
710The default is 10 seconds.
711.It Va interface
712A network interface to add the jail's IP addresses
713.Va ( ip4.addr
714and
715.Va ip6.addr )
716to.
717An alias for each address will be added to the interface before the
718jail is created, and will be removed from the interface after the
719jail is removed.
720.It Va ip4.addr
721In addition to the IP addresses that are passed to the kernel, an
722interface, netmask and additional parameters (as supported by
723.Xr ifconfig 8 Ns )
724may also be specified, in the form
725.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
726If an interface is given before the IP address, an alias for the address
727will be added to that interface, as it is with the
728.Va interface
729parameter.
730If a netmask in either dotted-quad or CIDR form is given
731after an IP address, it will be used when adding the IP alias.
732If additional parameters are specified then they will also be used when
733adding the IP alias.
734.It Va ip6.addr
735In addition to the IP addresses that are passed to the kernel,
736an interface, prefix and additional parameters (as supported by
737.Xr ifconfig 8 Ns )
738may also be specified, in the form
739.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
740.It Va vnet.interface
741A network interface to give to a vnet-enabled jail after is it created.
742The interface will automatically be released when the jail is removed.
743.It Va ip_hostname
744Resolve the
745.Va host.hostname
746parameter and add all IP addresses returned by the resolver
747to the list of addresses
748.Po Va ip4.addr
749or
750.Va ip6.addr Pc
751for this jail.
752This may affect default address selection for outgoing IPv4 connections
753from jails.
754The address first returned by the resolver for each address family
755will be used as the primary address.
756.It Va mount
757A filesystem to mount before creating the jail (and to unmount after
758removing it), given as a single
759.Xr fstab 5
760line.
761.It Va mount.fstab
762An
763.Xr fstab 5
764format file containing filesystems to mount before creating a jail.
765.It Va mount.devfs
766Mount a
767.Xr devfs 5
768filesystem on the chrooted
769.Pa /dev
770directory, and apply the ruleset in the
771.Va devfs_ruleset
772parameter (or a default of ruleset 4: devfsrules_jail)
773to restrict the devices visible inside the jail.
774.It Va mount.fdescfs
775Mount a
776.Xr fdescfs 5
777filesystem on the chrooted
778.Pa /dev/fd
779directory.
780.It Va mount.procfs
781Mount a
782.Xr procfs 5
783filesystem on the chrooted
784.Pa /proc
785directory.
786.It Va allow.dying
787Allow making changes to a
788.Va dying
789jail.
790.It Va depend
791Specify a jail (or jails) that this jail depends on.
792Any such jails must be fully created, up to the last
793.Va exec.poststart
794command, before any action will taken to create this jail.
795When jails are removed the opposite is true:
796this jail must be fully removed, up to the last
797.Va exec.poststop
798command, before the jail(s) it depends on are stopped.
799.El
800.Sh EXAMPLES
801Jails are typically set up using one of two philosophies: either to
802constrain a specific application (possibly running with privilege), or
803to create a
804.Dq "virtual system image"
805running a variety of daemons and services.
806In both cases, a fairly complete file system install of
807.Fx
808is
809required, so as to provide the necessary command line tools, daemons,
810libraries, application configuration files, etc.
811However, for a virtual server configuration, a fair amount of
812additional work is required so as to replace the
813.Dq boot
814process.
815This manual page documents the configuration steps necessary to support
816either of these steps, although the configuration steps may need to be
817refined based on local requirements.
818.Ss "Setting up a Jail Directory Tree"
819To set up a jail directory tree containing an entire
820.Fx
821distribution, the following
822.Xr sh 1
823command script can be used:
824.Bd -literal
825D=/here/is/the/jail
826cd /usr/src
827mkdir -p $D
828make world DESTDIR=$D
829make distribution DESTDIR=$D
830.Ed
831.Pp
832In many cases this example would put far more in the jail than needed.
833In the other extreme case a jail might contain only one file:
834the executable to be run in the jail.
835.Pp
836We recommend experimentation, and caution that it is a lot easier to
837start with a
838.Dq fat
839jail and remove things until it stops working,
840than it is to start with a
841.Dq thin
842jail and add things until it works.
843.Ss "Setting Up a Jail"
844Do what was described in
845.Sx "Setting Up a Jail Directory Tree"
846to build the jail directory tree.
847For the sake of this example, we will
848assume you built it in
849.Pa /data/jail/testjail ,
850for a jail named
851.Dq testjail .
852Substitute below as needed with your
853own directory, IP address, and hostname.
854.Ss "Setting up the Host Environment"
855First, set up the real system's environment to be
856.Dq jail-friendly .
857For consistency, we will refer to the parent box as the
858.Dq "host environment" ,
859and to the jailed virtual machine as the
860.Dq "jail environment" .
861Since jails are implemented using IP aliases, one of the first things to do
862is to disable IP services on the host system that listen on all local
863IP addresses for a service.
864If a network service is present in the host environment that binds all
865available IP addresses rather than specific IP addresses, it may service
866requests sent to jail IP addresses if the jail did not bind the port.
867This means changing
868.Xr inetd 8
869to only listen on the
870appropriate IP address, and so forth.
871Add the following to
872.Pa /etc/rc.conf
873in the host environment:
874.Bd -literal -offset indent
875sendmail_enable="NO"
876inetd_flags="-wW -a 192.0.2.23"
877rpcbind_enable="NO"
878.Ed
879.Pp
880.Li 192.0.2.23
881is the native IP address for the host system, in this example.
882Daemons that run out of
883.Xr inetd 8
884can be easily configured to use only the specified host IP address.
885Other daemons
886will need to be manually configured \(em for some this is possible through
887.Xr rc.conf 5
888flags entries; for others it is necessary to modify per-application
889configuration files, or to recompile the application.
890The following frequently deployed services must have their individual
891configuration files modified to limit the application to listening
892to a specific IP address:
893.Pp
894To configure
895.Xr sshd 8 ,
896it is necessary to modify
897.Pa /etc/ssh/sshd_config .
898.Pp
899To configure
900.Xr sendmail 8 ,
901it is necessary to modify
902.Pa /etc/mail/sendmail.cf .
903.Pp
904For
905.Xr named 8 ,
906it is necessary to modify
907.Pa /etc/namedb/named.conf .
908.Pp
909In addition, a number of services must be recompiled in order to run
910them in the host environment.
911This includes most applications providing services using
912.Xr rpc 3 ,
913such as
914.Xr rpcbind 8 ,
915.Xr nfsd 8 ,
916and
917.Xr mountd 8 .
918In general, applications for which it is not possible to specify which
919IP address to bind should not be run in the host environment unless they
920should also service requests sent to jail IP addresses.
921Attempting to serve
922NFS from the host environment may also cause confusion, and cannot be
923easily reconfigured to use only specific IPs, as some NFS services are
924hosted directly from the kernel.
925Any third-party network software running
926in the host environment should also be checked and configured so that it
927does not bind all IP addresses, which would result in those services also
928appearing to be offered by the jail environments.
929.Pp
930Once
931these daemons have been disabled or fixed in the host environment, it is
932best to reboot so that all daemons are in a known state, to reduce the
933potential for confusion later (such as finding that when you send mail
934to a jail, and its sendmail is down, the mail is delivered to the host,
935etc.).
936.Ss "Configuring the Jail"
937Start any jail for the first time without configuring the network
938interface so that you can clean it up a little and set up accounts.
939As
940with any machine (virtual or not), you will need to set a root password, time
941zone, etc.
942Some of these steps apply only if you intend to run a full virtual server
943inside the jail; others apply both for constraining a particular application
944or for running a virtual server.
945.Pp
946Start a shell in the jail:
947.Bd -literal -offset indent
948jail -c path=/data/jail/testjail mount.devfs \\
949	host.hostname=testhostname ip4.addr=192.0.2.100 \\
950	command=/bin/sh
951.Ed
952.Pp
953Assuming no errors, you will end up with a shell prompt within the jail.
954You can now run
955.Pa /usr/sbin/sysinstall
956and do the post-install configuration to set various configuration options,
957or perform these actions manually by editing
958.Pa /etc/rc.conf ,
959etc.
960.Pp
961.Bl -bullet -offset indent -compact
962.It
963Configure
964.Pa /etc/resolv.conf
965so that name resolution within the jail will work correctly.
966.It
967Run
968.Xr newaliases 1
969to quell
970.Xr sendmail 8
971warnings.
972.It
973Set a root password, probably different from the real host system.
974.It
975Set the timezone.
976.It
977Add accounts for users in the jail environment.
978.It
979Install any packages the environment requires.
980.El
981.Pp
982You may also want to perform any package-specific configuration (web servers,
983SSH servers, etc), patch up
984.Pa /etc/syslog.conf
985so it logs as you would like, etc.
986If you are not using a virtual server, you may wish to modify
987.Xr syslogd 8
988in the host environment to listen on the syslog socket in the jail
989environment; in this example, the syslog socket would be stored in
990.Pa /data/jail/testjail/var/run/log .
991.Pp
992Exit from the shell, and the jail will be shut down.
993.Ss "Starting the Jail"
994You are now ready to restart the jail and bring up the environment with
995all of its daemons and other programs.
996Create an entry for the jail in
997.Pa /etc/jail.conf :
998.Bd -literal -offset indent
999testjail {
1000	path = /tmp/jail/testjail;
1001	mount.devfs;
1002	host.hostname = testhostname;
1003	ip4.addr = 192.0.2.100;
1004	interface = ed0;
1005	exec.start = "/bin/sh /etc/rc";
1006	exec.stop = "/bin/sh /etc/rc.shutdown";
1007}
1008.Ed
1009.Pp
1010To start a virtual server environment,
1011.Pa /etc/rc
1012is run to launch various daemons and services, and
1013.Pa /etc/rc.shutdown
1014is run to shut them down when the jail is removed.
1015If you are running a single application in the jail,
1016substitute the command used to start the application for
1017.Dq /bin/sh /etc/rc ;
1018there may be some script available to cleanly shut down the application,
1019or it may be sufficient to go without a stop command, and have
1020.Nm
1021send
1022.Dv SIGTERM
1023to the application.
1024.Pp
1025Start the jail by running:
1026.Bd -literal -offset indent
1027jail -c testjail
1028.Ed
1029.Pp
1030A few warnings may be produced; however, it should all work properly.
1031You should be able to see
1032.Xr inetd 8 ,
1033.Xr syslogd 8 ,
1034and other processes running within the jail using
1035.Xr ps 1 ,
1036with the
1037.Ql J
1038flag appearing beside jailed processes.
1039To see an active list of jails, use
1040.Xr jls 8 .
1041If
1042.Xr sshd 8
1043is enabled in the jail environment, you should be able to
1044.Xr ssh 1
1045to the hostname or IP address of the jailed environment, and log
1046in using the accounts you created previously.
1047.Pp
1048It is possible to have jails started at boot time.
1049Please refer to the
1050.Dq jail_*
1051variables in
1052.Xr rc.conf 5
1053for more information.
1054.Ss "Managing the Jail"
1055Normal machine shutdown commands, such as
1056.Xr halt 8 ,
1057.Xr reboot 8 ,
1058and
1059.Xr shutdown 8 ,
1060cannot be used successfully within the jail.
1061To kill all processes from within a jail, you may use one of the
1062following commands, depending on what you want to accomplish:
1063.Bd -literal -offset indent
1064kill -TERM -1
1065kill -KILL -1
1066.Ed
1067.Pp
1068This will send the
1069.Dv SIGTERM
1070or
1071.Dv SIGKILL
1072signals to all processes in the jail \(em be careful not to run this from
1073the host environment!
1074Once all of the jail's processes have died, unless the jail was created
1075with the
1076.Va persist
1077parameter, the jail will be removed.
1078Depending on
1079the intended use of the jail, you may also want to run
1080.Pa /etc/rc.shutdown
1081from within the jail.
1082.Pp
1083To shut down the jail from the outside, simply remove it with
1084.Nm
1085.Ar -r ,
1086which will run any commands specified by
1087.Va exec.stop ,
1088and then send
1089.Dv SIGTERM
1090and eventually
1091.Dv SIGKILL
1092to any remaining jailed processes.
1093.Pp
1094The
1095.Pa /proc/ Ns Ar pid Ns Pa /status
1096file contains, as its last field, the name of the jail in which the
1097process runs, or
1098.Dq Li -
1099to indicate that the process is not running within a jail.
1100The
1101.Xr ps 1
1102command also shows a
1103.Ql J
1104flag for processes in a jail.
1105.Pp
1106You can also list/kill processes based on their jail ID.
1107To show processes and their jail ID, use the following command:
1108.Pp
1109.Dl "ps ax -o pid,jid,args"
1110.Pp
1111To show and then kill processes in jail number 3 use the following commands:
1112.Bd -literal -offset indent
1113pgrep -lfj 3
1114pkill -j 3
1115.Ed
1116or:
1117.Pp
1118.Dl "killall -j 3"
1119.Ss "Jails and File Systems"
1120It is not possible to
1121.Xr mount 8
1122or
1123.Xr umount 8
1124any file system inside a jail unless the file system is marked
1125jail-friendly, the jail's
1126.Va allow.mount
1127parameter is set, and the jail's
1128.Va enforce_statfs
1129parameter is lower than 2.
1130.Pp
1131Multiple jails sharing the same file system can influence each other.
1132For example, a user in one jail can fill the file system,
1133leaving no space for processes in the other jail.
1134Trying to use
1135.Xr quota 1
1136to prevent this will not work either, as the file system quotas
1137are not aware of jails but only look at the user and group IDs.
1138This means the same user ID in two jails share a single file
1139system quota.
1140One would need to use one file system per jail to make this work.
1141.Ss "Sysctl MIB Entries"
1142The read-only entry
1143.Va security.jail.jailed
1144can be used to determine if a process is running inside a jail (value
1145is one) or not (value is zero).
1146.Pp
1147The variable
1148.Va security.jail.max_af_ips
1149determines how may address per address family a jail may have.
1150The default is 255.
1151.Pp
1152Some MIB variables have per-jail settings.
1153Changes to these variables by a jailed process do not affect the host
1154environment, only the jail environment.
1155These variables are
1156.Va kern.securelevel ,
1157.Va kern.hostname ,
1158.Va kern.domainname ,
1159.Va kern.hostid ,
1160and
1161.Va kern.hostuuid .
1162.Ss "Hierarchical Jails"
1163By setting a jail's
1164.Va children.max
1165parameter, processes within a jail may be able to create jails of their own.
1166These child jails are kept in a hierarchy, with jails only able to see and/or
1167modify the jails they created (or those jails' children).
1168Each jail has a read-only
1169.Va parent
1170parameter, containing the
1171.Va jid
1172of the jail that created it; a
1173.Va jid
1174of 0 indicates the jail is a child of the current jail (or is a top-level
1175jail if the current process isn't jailed).
1176.Pp
1177Jailed processes are not allowed to confer greater permissions than they
1178themselves are given, e.g., if a jail is created with
1179.Va allow.nomount ,
1180it is not able to create a jail with
1181.Va allow.mount
1182set.
1183Similarly, such restrictions as
1184.Va ip4.addr
1185and
1186.Va securelevel
1187may not be bypassed in child jails.
1188.Pp
1189A child jail may in turn create its own child jails if its own
1190.Va children.max
1191parameter is set (remember it is zero by default).
1192These jails are visible to and can be modified by their parent and all
1193ancestors.
1194.Pp
1195Jail names reflect this hierarchy, with a full name being an MIB-type string
1196separated by dots.
1197For example, if a base system process creates a jail
1198.Dq foo ,
1199and a process under that jail creates another jail
1200.Dq bar ,
1201then the second jail will be seen as
1202.Dq foo.bar
1203in the base system (though it is only seen as
1204.Dq bar
1205to any processes inside jail
1206.Dq foo ) .
1207Jids on the other hand exist in a single space, and each jail must have a
1208unique jid.
1209.Pp
1210Like the names, a child jail's
1211.Va path
1212appears relative to its creator's own
1213.Va path .
1214This is by virtue of the child jail being created in the chrooted
1215environment of the first jail.
1216.Sh SEE ALSO
1217.Xr killall 1 ,
1218.Xr lsvfs 1 ,
1219.Xr newaliases 1 ,
1220.Xr pgrep 1 ,
1221.Xr pkill 1 ,
1222.Xr ps 1 ,
1223.Xr quota 1 ,
1224.Xr jail_set 2 ,
1225.Xr devfs 5 ,
1226.Xr fdescfs 5 ,
1227.Xr jail.conf 5 ,
1228.Xr linprocfs 5 ,
1229.Xr linsysfs 5 ,
1230.Xr procfs 5 ,
1231.Xr rc.conf 5 ,
1232.Xr sysctl.conf 5 ,
1233.Xr chroot 8 ,
1234.Xr devfs 8 ,
1235.Xr halt 8 ,
1236.Xr ifconfig 8 ,
1237.Xr inetd 8 ,
1238.Xr jexec 8 ,
1239.Xr jls 8 ,
1240.Xr mount 8 ,
1241.Xr named 8 ,
1242.Xr reboot 8 ,
1243.Xr rpcbind 8 ,
1244.Xr sendmail 8 ,
1245.Xr shutdown 8 ,
1246.Xr sysctl 8 ,
1247.Xr syslogd 8 ,
1248.Xr umount 8
1249.Sh HISTORY
1250The
1251.Nm
1252utility appeared in
1253.Fx 4.0 .
1254Hierarchical/extensible jails were introduced in
1255.Fx 8.0 .
1256The configuration file was introduced in
1257.Fx 9.1 .
1258.Sh AUTHORS
1259.An -nosplit
1260The jail feature was written by
1261.An Poul-Henning Kamp
1262for R&D Associates
1263who contributed it to
1264.Fx .
1265.Pp
1266.An Robert Watson
1267wrote the extended documentation, found a few bugs, added
1268a few new features, and cleaned up the userland jail environment.
1269.Pp
1270.An Bjoern A. Zeeb
1271added multi-IP jail support for IPv4 and IPv6 based on a patch
1272originally done by
1273.An Pawel Jakub Dawidek
1274for IPv4.
1275.Pp
1276.An James Gritton
1277added the extensible jail parameters, hierarchical jails,
1278and the configuration file.
1279.Sh BUGS
1280It might be a good idea to add an
1281address alias flag such that daemons listening on all IPs
1282.Pq Dv INADDR_ANY
1283will not bind on that address, which would facilitate building a safe
1284host environment such that host daemons do not impose on services offered
1285from within jails.
1286Currently, the simplest answer is to minimize services
1287offered on the host, possibly limiting it to services offered from
1288.Xr inetd 8
1289which is easily configurable.
1290.Sh NOTES
1291Great care should be taken when managing directories visible within the jail.
1292For example, if a jailed process has its current working directory set to a
1293directory that is moved out of the jail's chroot, then the process may gain
1294access to the file space outside of the jail.
1295It is recommended that directories always be copied, rather than moved, out
1296of a jail.
1297.Pp
1298In addition, there are several ways in which an unprivileged user
1299outside the jail can cooperate with a privileged user inside the jail
1300and thereby obtain elevated privileges in the host environment.
1301Most of these attacks can be mitigated by ensuring that the jail root
1302is not accessible to unprivileged users in the host environment.
1303Regardless, as a general rule, untrusted users with privileged access
1304to a jail should not be given access to the host environment.
1305