1.\" Copyright (c) 2000, 2003 Robert N. M. Watson 2.\" Copyright (c) 2008-2012 James Gritton 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" $FreeBSD$ 27.\" 28.Dd November 18, 2020 29.Dt JAIL 8 30.Os 31.Sh NAME 32.Nm jail 33.Nd "manage system jails" 34.Sh SYNOPSIS 35.Nm 36.Op Fl dhilqv 37.Op Fl J Ar jid_file 38.Op Fl u Ar username 39.Op Fl U Ar username 40.Op Fl cmr 41.Ar param Ns = Ns Ar value ... 42.Op Cm command Ns = Ns Ar command ... 43.Nm 44.Op Fl dqv 45.Op Fl f Ar conf_file 46.Op Fl p Ar limit 47.Op Fl cmr 48.Op Ar jail 49.Nm 50.Op Fl qv 51.Op Fl f Ar conf_file 52.Op Fl rR 53.Op Cm * | Ar jail ... 54.Nm 55.Op Fl dhilqv 56.Op Fl J Ar jid_file 57.Op Fl u Ar username 58.Op Fl U Ar username 59.Op Fl n Ar jailname 60.Op Fl s Ar securelevel 61.Op Ar path hostname [ Ar ip Ns [ Ns Ar ,... Ns ]] Ar command ... 62.Nm 63.Op Fl f Ar conf_file 64.Fl e 65.Ar separator 66.Sh DESCRIPTION 67The 68.Nm 69utility creates new jails, or modifies or removes existing jails. 70It can also print a list of configured jails and their parameters. 71A jail 72.Pq or Dq prison 73is specified via parameters on the command line, or in the 74.Xr jail.conf 5 75file. 76.Pp 77At least one of the options 78.Fl c , 79.Fl e , 80.Fl m 81or 82.Fl r 83must be specified. 84These options are used alone or in combination to describe the operation to 85perform: 86.Bl -tag -width indent 87.It Fl c 88Create a new jail. 89The jail 90.Va jid 91and 92.Va name 93parameters (if specified on the command line) 94must not refer to an existing jail. 95.It Fl e Ar separator 96Exhibit a list of all configured non-wildcard jails and their parameters. 97No jail creation, modification or removal performed if this option is used. 98The 99.Ar separator 100string is used to separate parameters. 101Use 102.Xr jls 8 103utility to list running jails. 104.It Fl m 105Modify an existing jail. 106One of the 107.Va jid 108or 109.Va name 110parameters must exist and refer to an existing jail. 111Some parameters may not be changed on a running jail. 112.It Fl r 113Remove the 114.Ar jail 115specified by jid or name. 116All jailed processes are killed, and all jails that are 117children of this jail are also 118removed. 119.It Fl rc 120Restart an existing jail. 121The jail is first removed and then re-created, as if 122.Dq Nm Fl r 123and 124.Dq Nm Fl c 125were run in succession. 126.It Fl cm 127Create a jail if it does not exist, or modify the jail if it does exist. 128.It Fl mr 129Modify an existing jail. 130The jail may be restarted if necessary to modify parameters than could 131not otherwise be changed. 132.It Fl cmr 133Create a jail if it doesn't exist, or modify (and possibly restart) the 134jail if it does exist. 135.El 136.Pp 137Other available options are: 138.Bl -tag -width indent 139.It Fl d 140Allow making changes to a dying jail, equivalent to the 141.Va allow.dying 142parameter. 143.It Fl f Ar conf_file 144Use configuration file 145.Ar conf_file 146instead of the default 147.Pa /etc/jail.conf . 148.It Fl h 149Resolve the 150.Va host.hostname 151parameter (or 152.Va hostname ) 153and add all IP addresses returned by the resolver 154to the list of addresses for this jail. 155This is equivalent to the 156.Va ip_hostname 157parameter. 158.It Fl i 159Output (only) the jail identifier of the newly created jail(s). 160This implies the 161.Fl q 162option. 163.It Fl J Ar jid_file 164Write a 165.Ar jid_file 166file, containing the parameters used to start the jail. 167.It Fl l 168Run commands in a clean environment. 169This is deprecated and is equivalent to the exec.clean parameter. 170.It Fl n Ar jailname 171Set the jail's name. 172This is deprecated and is equivalent to the 173.Va name 174parameter. 175.It Fl p Ar limit 176Limit the number of commands from 177.Va exec.* 178that can run simultaneously. 179.It Fl q 180Suppress the message printed whenever a jail is created, modified or removed. 181Only error messages will be printed. 182.It Fl R 183A variation of the 184.Fl r 185option that removes an existing jail without using the configuration file. 186No removal-related parameters for this jail will be used \(em the jail will 187simply be removed. 188.It Fl s Ar securelevel 189Set the 190.Va kern.securelevel 191MIB entry to the specified value inside the newly created jail. 192This is deprecated and is equivalent to the 193.Va securelevel 194parameter. 195.It Fl u Ar username 196The user name from host environment as whom jailed commands should run. 197This is deprecated and is equivalent to the 198.Va exec.jail_user 199and 200.Va exec.system_jail_user 201parameters. 202.It Fl U Ar username 203The user name from the jailed environment as whom jailed commands should run. 204This is deprecated and is equivalent to the 205.Va exec.jail_user 206parameter. 207.It Fl v 208Print a message on every operation, such as running commands and 209mounting filesystems. 210.El 211.Pp 212If no arguments are given after the options, the operation (except 213remove) will be performed on all jails specified in the 214.Xr jail.conf 5 215file. 216A single argument of a jail name will operate only on the specified jail. 217The 218.Fl r 219and 220.Fl R 221options can also remove running jails that aren't in the 222.Xr jail.conf 5 223file, specified by name or jid. 224.Pp 225An argument of 226.Dq * 227is a wildcard that will operate on all jails, regardless of whether 228they appear in 229.Xr jail.conf 5 ; 230this is the surest way for 231.Fl r 232to remove all jails. 233If hierarchical jails exist, a partial-matching wildcard definition may 234be specified. 235For example, an argument of 236.Dq foo.* 237would apply to jails with names like 238.Dq foo.bar 239and 240.Dq foo.bar.baz . 241.Pp 242A jail may be specified with parameters directly on the command line. 243In this case, the 244.Xr jail.conf 5 245file will not be used. 246For backward compatibility, the command line may also have four fixed 247parameters, without names: 248.Ar path , 249.Ar hostname , 250.Ar ip , 251and 252.Ar command . 253This mode will always create a new jail, and the 254.Fl c 255and 256.Fl m 257options do not apply (and must not be present). 258.Ss Jail Parameters 259Parameters in the 260.Xr jail.conf 5 261file, or on the command line, are generally of the form 262.Dq name=value . 263Some parameters are boolean, and do not have a value but are set by the 264name alone with or without a 265.Dq no 266prefix, e.g. 267.Va persist 268or 269.Va nopersist . 270They can also be given the values 271.Dq true 272and 273.Dq false . 274Other parameters may have more than one value, specified as a 275comma-separated list or with 276.Dq += 277in the configuration file (see 278.Xr jail.conf 5 279for details). 280.Pp 281The 282.Nm 283utility recognizes two classes of parameters. 284There are the true jail 285parameters that are passed to the kernel when the jail is created, 286which can be seen with 287.Xr jls 8 , 288and can (usually) be changed with 289.Dq Nm Fl m . 290Then there are pseudo-parameters that are only used by 291.Nm 292itself. 293.Pp 294Jails have a set of core parameters, and kernel modules can add their own 295jail parameters. 296The current set of available parameters can be retrieved via 297.Dq Nm sysctl Fl d Va security.jail.param . 298Any parameters not set will be given default values, often based on the 299current environment. 300The core parameters are: 301.Bl -tag -width indent 302.It Va jid 303The jail identifier. 304This will be assigned automatically to a new jail (or can be explicitly 305set), and can be used to identify the jail for later modification, or 306for such commands as 307.Xr jls 8 308or 309.Xr jexec 8 . 310.It Va name 311The jail name. 312This is an arbitrary string that identifies a jail (except it may not 313contain a 314.Sq \&. ) . 315Like the 316.Va jid , 317it can be passed to later 318.Nm 319commands, or to 320.Xr jls 8 321or 322.Xr jexec 8 . 323If no 324.Va name 325is supplied, a default is assumed that is the same as the 326.Va jid . 327The 328.Va name 329parameter is implied by the 330.Xr jail.conf 5 331file format, and need not be explicitly set when using the configuration 332file. 333.It Va path 334The directory which is to be the root of the jail. 335Any commands run inside the jail, either by 336.Nm 337or from 338.Xr jexec 8 , 339are run from this directory. 340.It Va ip4.addr 341A list of IPv4 addresses assigned to the jail. 342If this is set, the jail is restricted to using only these addresses. 343Any attempts to use other addresses fail, and attempts to use wildcard 344addresses silently use the jailed address instead. 345For IPv4 the first address given will be used as the source address 346when source address selection on unbound sockets cannot find a better 347match. 348It is only possible to start multiple jails with the same IP address 349if none of the jails has more than this single overlapping IP address 350assigned to itself. 351.It Va ip4.saddrsel 352A boolean option to change the formerly mentioned behaviour and disable 353IPv4 source address selection for the jail in favour of the primary 354IPv4 address of the jail. 355Source address selection is enabled by default for all jails and the 356.Va ip4.nosaddrsel 357setting of a parent jail is not inherited for any child jails. 358.It Va ip4 359Control the availability of IPv4 addresses. 360Possible values are 361.Dq inherit 362to allow unrestricted access to all system addresses, 363.Dq new 364to restrict addresses via 365.Va ip4.addr , 366and 367.Dq disable 368to stop the jail from using IPv4 entirely. 369Setting the 370.Va ip4.addr 371parameter implies a value of 372.Dq new . 373.It Va ip6.addr , Va ip6.saddrsel , Va ip6 374A set of IPv6 options for the jail, the counterparts to 375.Va ip4.addr , 376.Va ip4.saddrsel 377and 378.Va ip4 379above. 380.It Va vnet 381Create the jail with its own virtual network stack, 382with its own network interfaces, addresses, routing table, etc. 383The kernel must have been compiled with the 384.Sy VIMAGE option 385for this to be available. 386Possible values are 387.Dq inherit 388to use the system network stack, possibly with restricted IP addresses, 389and 390.Dq new 391to create a new network stack. 392.It Va host.hostname 393The hostname of the jail. 394Other similar parameters are 395.Va host.domainname , 396.Va host.hostuuid 397and 398.Va host.hostid . 399.It Va host 400Set the origin of hostname and related information. 401Possible values are 402.Dq inherit 403to use the system information and 404.Dq new 405for the jail to use the information from the above fields. 406Setting any of the above fields implies a value of 407.Dq new . 408.It Va securelevel 409The value of the jail's 410.Va kern.securelevel 411sysctl. 412A jail never has a lower securelevel than its parent system, but by 413setting this parameter it may have a higher one. 414If the system securelevel is changed, any jail securelevels will be at 415least as secure. 416.It Va devfs_ruleset 417The number of the devfs ruleset that is enforced for mounting devfs in 418this jail. 419A value of zero (default) means no ruleset is enforced. 420Descendant jails inherit the parent jail's devfs ruleset enforcement. 421Mounting devfs inside a jail is possible only if the 422.Va allow.mount 423and 424.Va allow.mount.devfs 425permissions are effective and 426.Va enforce_statfs 427is set to a value lower than 2. 428Devfs rules and rulesets cannot be viewed or modified from inside a jail. 429.Pp 430NOTE: It is important that only appropriate device nodes in devfs be 431exposed to a jail; access to disk devices in the jail may permit processes 432in the jail to bypass the jail sandboxing by modifying files outside of 433the jail. 434See 435.Xr devfs 8 436for information on how to use devfs rules to limit access to entries 437in the per-jail devfs. 438A simple devfs ruleset for jails is available as ruleset #4 in 439.Pa /etc/defaults/devfs.rules . 440.It Va children.max 441The number of child jails allowed to be created by this jail (or by 442other jails under this jail). 443This limit is zero by default, indicating the jail is not allowed to 444create child jails. 445See the 446.Sx "Hierarchical Jails" 447section for more information. 448.It Va children.cur 449The number of descendants of this jail, including its own child jails 450and any jails created under them. 451.It Va enforce_statfs 452This determines what information processes in a jail are able to get 453about mount points. 454It affects the behaviour of the following syscalls: 455.Xr statfs 2 , 456.Xr fstatfs 2 , 457.Xr getfsstat 2 , 458and 459.Xr fhstatfs 2 460(as well as similar compatibility syscalls). 461When set to 0, all mount points are available without any restrictions. 462When set to 1, only mount points below the jail's chroot directory are 463visible. 464In addition to that, the path to the jail's chroot directory is removed 465from the front of their pathnames. 466When set to 2 (default), above syscalls can operate only on a mount-point 467where the jail's chroot directory is located. 468.It Va persist 469Setting this boolean parameter allows a jail to exist without any 470processes. 471Normally, a command is run as part of jail creation, and then the jail 472is destroyed as its last process exits. 473A new jail must have either the 474.Va persist 475parameter or 476.Va exec.start 477or 478.Va command 479pseudo-parameter set. 480.It Va cpuset.id 481The ID of the cpuset associated with this jail (read-only). 482.It Va dying 483This is true if the jail is in the process of shutting down (read-only). 484.It Va parent 485The 486.Va jid 487of the parent of this jail, or zero if this is a top-level jail 488(read-only). 489.It Va osrelease 490The string for the jail's 491.Va kern.osrelease 492sysctl and uname -r. 493.It Va osreldate 494The number for the jail's 495.Va kern.osreldate 496and uname -K. 497.It Va allow.* 498Some restrictions of the jail environment may be set on a per-jail 499basis. 500With the exception of 501.Va allow.set_hostname 502and 503.Va allow.reserved_ports , 504these boolean parameters are off by default. 505.Bl -tag -width indent 506.It Va allow.set_hostname 507The jail's hostname may be changed via 508.Xr hostname 1 509or 510.Xr sethostname 3 . 511.It Va allow.sysvipc 512A process within the jail has access to System V IPC primitives. 513This is deprecated in favor of the per-module parameters (see below). 514When this parameter is set, it is equivalent to setting 515.Va sysvmsg , 516.Va sysvsem , 517and 518.Va sysvshm 519all to 520.Dq inherit . 521.It Va allow.raw_sockets 522The jail root is allowed to create raw sockets. 523Setting this parameter allows utilities like 524.Xr ping 8 525and 526.Xr traceroute 8 527to operate inside the jail. 528If this is set, the source IP addresses are enforced to comply 529with the IP address bound to the jail, regardless of whether or not 530the 531.Dv IP_HDRINCL 532flag has been set on the socket. 533Since raw sockets can be used to configure and interact with various 534network subsystems, extra caution should be used where privileged access 535to jails is given out to untrusted parties. 536.It Va allow.chflags 537Normally, privileged users inside a jail are treated as unprivileged by 538.Xr chflags 2 . 539When this parameter is set, such users are treated as privileged, and 540may manipulate system file flags subject to the usual constraints on 541.Va kern.securelevel . 542.It Va allow.mount 543privileged users inside the jail will be able to mount and unmount file 544system types marked as jail-friendly. 545The 546.Xr lsvfs 1 547command can be used to find file system types available for mount from 548within a jail. 549This permission is effective only if 550.Va enforce_statfs 551is set to a value lower than 2. 552.It Va allow.mount.devfs 553privileged users inside the jail will be able to mount and unmount the 554devfs file system. 555This permission is effective only together with 556.Va allow.mount 557and only when 558.Va enforce_statfs 559is set to a value lower than 2. 560The devfs ruleset should be restricted from the default by using the 561.Va devfs_ruleset 562option. 563.It Va allow.quotas 564The jail root may administer quotas on the jail's filesystem(s). 565This includes filesystems that the jail may share with other jails or 566with non-jailed parts of the system. 567.It Va allow.read_msgbuf 568Jailed users may read the kernel message buffer. 569If the 570.Va security.bsd.unprivileged_read_msgbuf 571MIB entry is zero, this will be restricted to the root user. 572.It Va allow.socket_af 573Sockets within a jail are normally restricted to IPv4, IPv6, local 574(UNIX), and route. This allows access to other protocol stacks that 575have not had jail functionality added to them. 576.It Va allow.mlock 577Locking or unlocking physical pages in memory are normally not available 578within a jail. 579When this parameter is set, users may 580.Xr mlock 2 581or 582.Xr munlock 2 583memory subject to 584.Va security.bsd.unprivileged_mlock 585and resource limits. 586.It Va allow.reserved_ports 587The jail root may bind to ports lower than 1024. 588.It Va allow.unprivileged_proc_debug 589Unprivileged processes in the jail may use debugging facilities. 590.It Va allow.suser 591The value of the jail's 592.Va security.bsd.suser_enabled 593sysctl. 594The super-user will be disabled automatically if its parent system has it 595disabled. 596The super-user is enabled by default. 597.El 598.El 599.Pp 600Kernel modules may add their own parameters, which only exist when the 601module is loaded. 602These are typically headed under a parameter named after the module, 603with values of 604.Dq inherit 605to give the jail full use of the module, 606.Dq new 607to encapsulate the jail in some module-specific way, 608and 609.Dq disable 610to make the module unavailable to the jail. 611There also may be other parameters to define jail behavior within the module. 612Module-specific parameters include: 613.Bl -tag -width indent 614.It Va allow.mount.fdescfs 615privileged users inside the jail will be able to mount and unmount the 616fdescfs file system. 617This permission is effective only together with 618.Va allow.mount 619and only when 620.Va enforce_statfs 621is set to a value lower than 2. 622.It Va allow.mount.fusefs 623privileged users inside the jail will be able to mount and unmount 624fuse-based file systems. 625This permission is effective only together with 626.Va allow.mount 627and only when 628.Va enforce_statfs 629is set to a value lower than 2. 630.It Va allow.mount.nullfs 631privileged users inside the jail will be able to mount and unmount the 632nullfs file system. 633This permission is effective only together with 634.Va allow.mount 635and only when 636.Va enforce_statfs 637is set to a value lower than 2. 638.It Va allow.mount.procfs 639privileged users inside the jail will be able to mount and unmount the 640procfs file system. 641This permission is effective only together with 642.Va allow.mount 643and only when 644.Va enforce_statfs 645is set to a value lower than 2. 646.It Va allow.mount.linprocfs 647privileged users inside the jail will be able to mount and unmount the 648linprocfs file system. 649This permission is effective only together with 650.Va allow.mount 651and only when 652.Va enforce_statfs 653is set to a value lower than 2. 654.It Va allow.mount.linsysfs 655privileged users inside the jail will be able to mount and unmount the 656linsysfs file system. 657This permission is effective only together with 658.Va allow.mount 659and only when 660.Va enforce_statfs 661is set to a value lower than 2. 662.It Va allow.mount.tmpfs 663privileged users inside the jail will be able to mount and unmount the 664tmpfs file system. 665This permission is effective only together with 666.Va allow.mount 667and only when 668.Va enforce_statfs 669is set to a value lower than 2. 670.It Va allow.mount.zfs 671privileged users inside the jail will be able to mount and unmount the 672ZFS file system. 673This permission is effective only together with 674.Va allow.mount 675and only when 676.Va enforce_statfs 677is set to a value lower than 2. 678See 679.Xr zfs 8 680for information on how to configure the ZFS filesystem to operate from 681within a jail. 682.It Va allow.vmm 683The jail may access 684.Xr vmm 4 . 685This flag is only available when the 686.Xr vmm 4 687kernel module is loaded. 688.It Va linux 689Determine how a jail's Linux emulation environment appears. 690A value of 691.Dq inherit 692will keep the same environment, and 693.Dq new 694will give the jail its own environment (still originally inherited when 695the jail is created). 696.It Va linux.osname , linux.osrelease , linux.oss_version 697The Linux OS name, OS release, and OSS version associated with this jail. 698.It Va sysvmsg 699Allow access to SYSV IPC message primitives. 700If set to 701.Dq inherit , 702all IPC objects on the system are visible to this jail, whether they 703were created by the jail itself, the base system, or other jails. 704If set to 705.Dq new , 706the jail will have its own key namespace, and can only see the objects 707that it has created; 708the system (or parent jail) has access to the jail's objects, but not to 709its keys. 710If set to 711.Dq disable , 712the jail cannot perform any sysvmsg-related system calls. 713.It Va sysvsem, sysvshm 714Allow access to SYSV IPC semaphore and shared memory primitives, in the 715same manner as 716.Va sysvmsg. 717.El 718.Pp 719There are pseudo-parameters that are not passed to the kernel, but are 720used by 721.Nm 722to set up the jail environment, often by running specified commands 723when jails are created or removed. 724The 725.Va exec.* 726command parameters are 727.Xr sh 1 728command lines that are run in either the system or jail environment. 729They may be given multiple values, which would run the specified 730commands in sequence. 731All commands must succeed (return a zero exit status), or the jail will 732not be created or removed, as appropriate. 733.Pp 734The pseudo-parameters are: 735.Bl -tag -width indent 736.It Va exec.prepare 737Command(s) to run in the system environment to prepare a jail for creation. 738These commands are executed before assigning IP addresses and mounting 739filesystems, so they may be used to create a new jail filesystem if it does 740not already exist. 741.It Va exec.prestart 742Command(s) to run in the system environment before a jail is created. 743.It Va exec.created 744Command(s) to run in the system environment right after a jail has been 745created, but before commands (or services) get executed in the jail. 746.It Va exec.start 747Command(s) to run in the jail environment when a jail is created. 748A typical command to run is 749.Dq sh /etc/rc . 750.It Va command 751A synonym for 752.Va exec.start 753for use when specifying a jail directly on the command line. 754Unlike other parameters whose value is a single string, 755.Va command 756uses the remainder of the 757.Nm 758command line as its own arguments. 759.It Va exec.poststart 760Command(s) to run in the system environment after a jail is created, 761and after any 762.Va exec.start 763commands have completed. 764.It Va exec.prestop 765Command(s) to run in the system environment before a jail is removed. 766.It Va exec.stop 767Command(s) to run in the jail environment before a jail is removed, 768and after any 769.Va exec.prestop 770commands have completed. 771A typical command to run is 772.Dq sh /etc/rc.shutdown jail . 773.It Va exec.poststop 774Command(s) to run in the system environment after a jail is removed. 775.It Va exec.release 776Command(s) to run in the system environment after all other actions are done. 777These commands are executed after unmounting filesystems and removing IP 778addresses, so they may be used to remove a jail filesystem if it is no longer 779needed. 780.It Va exec.clean 781Run commands in a clean environment. 782The environment is discarded except for 783.Ev HOME , SHELL , TERM 784and 785.Ev USER . 786.Ev HOME 787and 788.Ev SHELL 789are set to the target login's default values. 790.Ev USER 791is set to the target login. 792.Ev TERM 793is imported from the current environment. 794The environment variables from the login class capability database for the 795target login are also set. 796.It Va exec.jail_user 797The user to run commands as, when running in the jail environment. 798The default is to run the commands as the current user. 799.It Va exec.system_jail_user 800This boolean option looks for the 801.Va exec.jail_user 802in the system 803.Xr passwd 5 804file, instead of in the jail's file. 805.It Va exec.system_user 806The user to run commands as, when running in the system environment. 807The default is to run the commands as the current user. 808.It Va exec.timeout 809The maximum amount of time to wait for a command to complete, in 810seconds. 811If a command is still running after this timeout has passed, 812the jail will not be created or removed, as appropriate. 813.It Va exec.consolelog 814A file to direct command output (stdout and stderr) to. 815.It Va exec.fib 816The FIB (routing table) to set when running commands inside the jail. 817.It Va stop.timeout 818The maximum amount of time to wait for a jail's processes to exit 819after sending them a 820.Dv SIGTERM 821signal (which happens after the 822.Va exec.stop 823commands have completed). 824After this many seconds have passed, the jail will be removed, which 825will kill any remaining processes. 826If this is set to zero, no 827.Dv SIGTERM 828is sent and the jail is immediately removed. 829The default is 10 seconds. 830.It Va interface 831A network interface to add the jail's IP addresses 832.Va ( ip4.addr 833and 834.Va ip6.addr ) 835to. 836An alias for each address will be added to the interface before the 837jail is created, and will be removed from the interface after the 838jail is removed. 839.It Va ip4.addr 840In addition to the IP addresses that are passed to the kernel, an 841interface, netmask and additional parameters (as supported by 842.Xr ifconfig 8 Ns ) 843may also be specified, in the form 844.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... . 845If an interface is given before the IP address, an alias for the address 846will be added to that interface, as it is with the 847.Va interface 848parameter. 849If a netmask in either dotted-quad or CIDR form is given 850after an IP address, it will be used when adding the IP alias. 851If additional parameters are specified then they will also be used when 852adding the IP alias. 853.It Va ip6.addr 854In addition to the IP addresses that are passed to the kernel, 855an interface, prefix and additional parameters (as supported by 856.Xr ifconfig 8 Ns ) 857may also be specified, in the form 858.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... . 859.It Va vnet.interface 860A network interface to give to a vnet-enabled jail after is it created. 861The interface will automatically be released when the jail is removed. 862.It Va ip_hostname 863Resolve the 864.Va host.hostname 865parameter and add all IP addresses returned by the resolver 866to the list of addresses 867.Po Va ip4.addr 868or 869.Va ip6.addr Pc 870for this jail. 871This may affect default address selection for outgoing IPv4 connections 872from jails. 873The address first returned by the resolver for each address family 874will be used as the primary address. 875.It Va mount 876A filesystem to mount before creating the jail (and to unmount after 877removing it), given as a single 878.Xr fstab 5 879line. 880.It Va mount.fstab 881An 882.Xr fstab 5 883format file containing filesystems to mount before creating a jail. 884.It Va mount.devfs 885Mount a 886.Xr devfs 5 887filesystem on the chrooted 888.Pa /dev 889directory, and apply the ruleset in the 890.Va devfs_ruleset 891parameter (or a default of ruleset 4: devfsrules_jail) 892to restrict the devices visible inside the jail. 893.It Va mount.fdescfs 894Mount a 895.Xr fdescfs 5 896filesystem on the chrooted 897.Pa /dev/fd 898directory. 899.It Va mount.procfs 900Mount a 901.Xr procfs 5 902filesystem on the chrooted 903.Pa /proc 904directory. 905.It Va allow.dying 906Allow making changes to a 907.Va dying 908jail. 909.It Va depend 910Specify a jail (or jails) that this jail depends on. 911When this jail is to be created, any jail(s) it depends on must already exist. 912If not, they will be created automatically, up to the completion of the last 913.Va exec.poststart 914command, before any action will taken to create this jail. 915When jails are removed the opposite is true: 916this jail will be removed, up to the last 917.Va exec.poststop 918command, before any jail(s) it depends on are stopped. 919.El 920.Sh EXAMPLES 921Jails are typically set up using one of two philosophies: either to 922constrain a specific application (possibly running with privilege), or 923to create a 924.Dq "virtual system image" 925running a variety of daemons and services. 926In both cases, a fairly complete file system install of 927.Fx 928is 929required, so as to provide the necessary command line tools, daemons, 930libraries, application configuration files, etc. 931However, for a virtual server configuration, a fair amount of 932additional work is required so as to replace the 933.Dq boot 934process. 935This manual page documents the configuration steps necessary to support 936either of these steps, although the configuration steps may need to be 937refined based on local requirements. 938.Ss "Setting up a Jail Directory Tree" 939To set up a jail directory tree containing an entire 940.Fx 941distribution, the following 942.Xr sh 1 943command script can be used: 944.Bd -literal 945D=/here/is/the/jail 946cd /usr/src 947mkdir -p $D 948make world DESTDIR=$D 949make distribution DESTDIR=$D 950.Ed 951.Pp 952In many cases this example would put far more in the jail than needed. 953In the other extreme case a jail might contain only one file: 954the executable to be run in the jail. 955.Pp 956We recommend experimentation, and caution that it is a lot easier to 957start with a 958.Dq fat 959jail and remove things until it stops working, 960than it is to start with a 961.Dq thin 962jail and add things until it works. 963.Ss "Setting Up a Jail" 964Do what was described in 965.Sx "Setting Up a Jail Directory Tree" 966to build the jail directory tree. 967For the sake of this example, we will 968assume you built it in 969.Pa /data/jail/testjail , 970for a jail named 971.Dq testjail . 972Substitute below as needed with your 973own directory, IP address, and hostname. 974.Ss "Setting up the Host Environment" 975First, set up the real system's environment to be 976.Dq jail-friendly . 977For consistency, we will refer to the parent box as the 978.Dq "host environment" , 979and to the jailed virtual machine as the 980.Dq "jail environment" . 981Since jails are implemented using IP aliases, one of the first things to do 982is to disable IP services on the host system that listen on all local 983IP addresses for a service. 984If a network service is present in the host environment that binds all 985available IP addresses rather than specific IP addresses, it may service 986requests sent to jail IP addresses if the jail did not bind the port. 987This means changing 988.Xr inetd 8 989to only listen on the 990appropriate IP address, and so forth. 991Add the following to 992.Pa /etc/rc.conf 993in the host environment: 994.Bd -literal -offset indent 995sendmail_enable="NO" 996inetd_flags="-wW -a 192.0.2.23" 997rpcbind_enable="NO" 998.Ed 999.Pp 1000.Li 192.0.2.23 1001is the native IP address for the host system, in this example. 1002Daemons that run out of 1003.Xr inetd 8 1004can be easily configured to use only the specified host IP address. 1005Other daemons 1006will need to be manually configured \(em for some this is possible through 1007.Xr rc.conf 5 1008flags entries; for others it is necessary to modify per-application 1009configuration files, or to recompile the application. 1010The following frequently deployed services must have their individual 1011configuration files modified to limit the application to listening 1012to a specific IP address: 1013.Pp 1014To configure 1015.Xr sshd 8 , 1016it is necessary to modify 1017.Pa /etc/ssh/sshd_config . 1018.Pp 1019To configure 1020.Xr sendmail 8 , 1021it is necessary to modify 1022.Pa /etc/mail/sendmail.cf . 1023.Pp 1024For 1025.Xr named 8 , 1026it is necessary to modify 1027.Pa /etc/namedb/named.conf . 1028.Pp 1029In addition, a number of services must be recompiled in order to run 1030them in the host environment. 1031This includes most applications providing services using 1032.Xr rpc 3 , 1033such as 1034.Xr rpcbind 8 , 1035.Xr nfsd 8 , 1036and 1037.Xr mountd 8 . 1038In general, applications for which it is not possible to specify which 1039IP address to bind should not be run in the host environment unless they 1040should also service requests sent to jail IP addresses. 1041Attempting to serve 1042NFS from the host environment may also cause confusion, and cannot be 1043easily reconfigured to use only specific IPs, as some NFS services are 1044hosted directly from the kernel. 1045Any third-party network software running 1046in the host environment should also be checked and configured so that it 1047does not bind all IP addresses, which would result in those services also 1048appearing to be offered by the jail environments. 1049.Pp 1050Once 1051these daemons have been disabled or fixed in the host environment, it is 1052best to reboot so that all daemons are in a known state, to reduce the 1053potential for confusion later (such as finding that when you send mail 1054to a jail, and its sendmail is down, the mail is delivered to the host, 1055etc.). 1056.Ss "Configuring the Jail" 1057Start any jail for the first time without configuring the network 1058interface so that you can clean it up a little and set up accounts. 1059As 1060with any machine (virtual or not), you will need to set a root password, time 1061zone, etc. 1062Some of these steps apply only if you intend to run a full virtual server 1063inside the jail; others apply both for constraining a particular application 1064or for running a virtual server. 1065.Pp 1066Start a shell in the jail: 1067.Bd -literal -offset indent 1068jail -c path=/data/jail/testjail mount.devfs \\ 1069 host.hostname=testhostname ip4.addr=192.0.2.100 \\ 1070 command=/bin/sh 1071.Ed 1072.Pp 1073Assuming no errors, you will end up with a shell prompt within the jail. 1074You can now run 1075.Xr bsdconfig 8 1076and do the post-install configuration to set various configuration options, 1077or perform these actions manually by editing 1078.Pa /etc/rc.conf , 1079etc. 1080.Pp 1081.Bl -bullet -offset indent -compact 1082.It 1083Configure 1084.Pa /etc/resolv.conf 1085so that name resolution within the jail will work correctly. 1086.It 1087Run 1088.Xr newaliases 1 1089to quell 1090.Xr sendmail 8 1091warnings. 1092.It 1093Set a root password, probably different from the real host system. 1094.It 1095Set the timezone. 1096.It 1097Add accounts for users in the jail environment. 1098.It 1099Install any packages the environment requires. 1100.El 1101.Pp 1102You may also want to perform any package-specific configuration (web servers, 1103SSH servers, etc), patch up 1104.Pa /etc/syslog.conf 1105so it logs as you would like, etc. 1106If you are not using a virtual server, you may wish to modify 1107.Xr syslogd 8 1108in the host environment to listen on the syslog socket in the jail 1109environment; in this example, the syslog socket would be stored in 1110.Pa /data/jail/testjail/var/run/log . 1111.Pp 1112Exit from the shell, and the jail will be shut down. 1113.Ss "Starting the Jail" 1114You are now ready to restart the jail and bring up the environment with 1115all of its daemons and other programs. 1116Create an entry for the jail in 1117.Pa /etc/jail.conf : 1118.Bd -literal -offset indent 1119testjail { 1120 path = /tmp/jail/testjail; 1121 mount.devfs; 1122 host.hostname = testhostname; 1123 ip4.addr = 192.0.2.100; 1124 interface = em0; 1125 exec.start = "/bin/sh /etc/rc"; 1126 exec.stop = "/bin/sh /etc/rc.shutdown jail"; 1127} 1128.Ed 1129.Pp 1130To start a virtual server environment, 1131.Pa /etc/rc 1132is run to launch various daemons and services, and 1133.Pa /etc/rc.shutdown 1134is run to shut them down when the jail is removed. 1135If you are running a single application in the jail, 1136substitute the command used to start the application for 1137.Dq /bin/sh /etc/rc ; 1138there may be some script available to cleanly shut down the application, 1139or it may be sufficient to go without a stop command, and have 1140.Nm 1141send 1142.Dv SIGTERM 1143to the application. 1144.Pp 1145Start the jail by running: 1146.Bd -literal -offset indent 1147jail -c testjail 1148.Ed 1149.Pp 1150A few warnings may be produced; however, it should all work properly. 1151You should be able to see 1152.Xr inetd 8 , 1153.Xr syslogd 8 , 1154and other processes running within the jail using 1155.Xr ps 1 , 1156with the 1157.Ql J 1158flag appearing beside jailed processes. 1159To see an active list of jails, use 1160.Xr jls 8 . 1161If 1162.Xr sshd 8 1163is enabled in the jail environment, you should be able to 1164.Xr ssh 1 1165to the hostname or IP address of the jailed environment, and log 1166in using the accounts you created previously. 1167.Pp 1168It is possible to have jails started at boot time. 1169Please refer to the 1170.Dq jail_* 1171variables in 1172.Xr rc.conf 5 1173for more information. 1174.Ss "Managing the Jail" 1175Normal machine shutdown commands, such as 1176.Xr halt 8 , 1177.Xr reboot 8 , 1178and 1179.Xr shutdown 8 , 1180cannot be used successfully within the jail. 1181To kill all processes from within a jail, you may use one of the 1182following commands, depending on what you want to accomplish: 1183.Bd -literal -offset indent 1184kill -TERM -1 1185kill -KILL -1 1186.Ed 1187.Pp 1188This will send the 1189.Dv SIGTERM 1190or 1191.Dv SIGKILL 1192signals to all processes in the jail \(em be careful not to run this from 1193the host environment! 1194Once all of the jail's processes have died, unless the jail was created 1195with the 1196.Va persist 1197parameter, the jail will be removed. 1198Depending on 1199the intended use of the jail, you may also want to run 1200.Pa /etc/rc.shutdown 1201from within the jail. 1202.Pp 1203To shut down the jail from the outside, simply remove it with 1204.Nm 1205.Ar -r , 1206which will run any commands specified by 1207.Va exec.stop , 1208and then send 1209.Dv SIGTERM 1210and eventually 1211.Dv SIGKILL 1212to any remaining jailed processes. 1213.Pp 1214The 1215.Pa /proc/ Ns Ar pid Ns Pa /status 1216file contains, as its last field, the name of the jail in which the 1217process runs, or 1218.Dq Li - 1219to indicate that the process is not running within a jail. 1220The 1221.Xr ps 1 1222command also shows a 1223.Ql J 1224flag for processes in a jail. 1225.Pp 1226You can also list/kill processes based on their jail ID. 1227To show processes and their jail ID, use the following command: 1228.Pp 1229.Dl "ps ax -o pid,jid,args" 1230.Pp 1231To show and then kill processes in jail number 3 use the following commands: 1232.Bd -literal -offset indent 1233pgrep -lfj 3 1234pkill -j 3 1235.Ed 1236or: 1237.Pp 1238.Dl "killall -j 3" 1239.Ss "Jails and File Systems" 1240It is not possible to 1241.Xr mount 8 1242or 1243.Xr umount 8 1244any file system inside a jail unless the file system is marked 1245jail-friendly, the jail's 1246.Va allow.mount 1247parameter is set, and the jail's 1248.Va enforce_statfs 1249parameter is lower than 2. 1250.Pp 1251Multiple jails sharing the same file system can influence each other. 1252For example, a user in one jail can fill the file system, 1253leaving no space for processes in the other jail. 1254Trying to use 1255.Xr quota 1 1256to prevent this will not work either, as the file system quotas 1257are not aware of jails but only look at the user and group IDs. 1258This means the same user ID in two jails share a single file 1259system quota. 1260One would need to use one file system per jail to make this work. 1261.Ss "Sysctl MIB Entries" 1262The read-only entry 1263.Va security.jail.jailed 1264can be used to determine if a process is running inside a jail (value 1265is one) or not (value is zero). 1266.Pp 1267The variable 1268.Va security.jail.max_af_ips 1269determines how may address per address family a jail may have. 1270The default is 255. 1271.Pp 1272Some MIB variables have per-jail settings. 1273Changes to these variables by a jailed process do not affect the host 1274environment, only the jail environment. 1275These variables are 1276.Va kern.securelevel , 1277.Va security.bsd.suser_enabled , 1278.Va kern.hostname , 1279.Va kern.domainname , 1280.Va kern.hostid , 1281and 1282.Va kern.hostuuid . 1283.Ss "Hierarchical Jails" 1284By setting a jail's 1285.Va children.max 1286parameter, processes within a jail may be able to create jails of their own. 1287These child jails are kept in a hierarchy, with jails only able to see and/or 1288modify the jails they created (or those jails' children). 1289Each jail has a read-only 1290.Va parent 1291parameter, containing the 1292.Va jid 1293of the jail that created it; a 1294.Va jid 1295of 0 indicates the jail is a child of the current jail (or is a top-level 1296jail if the current process isn't jailed). 1297.Pp 1298Jailed processes are not allowed to confer greater permissions than they 1299themselves are given, e.g., if a jail is created with 1300.Va allow.nomount , 1301it is not able to create a jail with 1302.Va allow.mount 1303set. 1304Similarly, such restrictions as 1305.Va ip4.addr 1306and 1307.Va securelevel 1308may not be bypassed in child jails. 1309.Pp 1310A child jail may in turn create its own child jails if its own 1311.Va children.max 1312parameter is set (remember it is zero by default). 1313These jails are visible to and can be modified by their parent and all 1314ancestors. 1315.Pp 1316Jail names reflect this hierarchy, with a full name being an MIB-type string 1317separated by dots. 1318For example, if a base system process creates a jail 1319.Dq foo , 1320and a process under that jail creates another jail 1321.Dq bar , 1322then the second jail will be seen as 1323.Dq foo.bar 1324in the base system (though it is only seen as 1325.Dq bar 1326to any processes inside jail 1327.Dq foo ) . 1328Jids on the other hand exist in a single space, and each jail must have a 1329unique jid. 1330.Pp 1331Like the names, a child jail's 1332.Va path 1333appears relative to its creator's own 1334.Va path . 1335This is by virtue of the child jail being created in the chrooted 1336environment of the first jail. 1337.Sh SEE ALSO 1338.Xr killall 1 , 1339.Xr lsvfs 1 , 1340.Xr newaliases 1 , 1341.Xr pgrep 1 , 1342.Xr pkill 1 , 1343.Xr ps 1 , 1344.Xr quota 1 , 1345.Xr jail_set 2 , 1346.Xr vmm 4 , 1347.Xr devfs 5 , 1348.Xr fdescfs 5 , 1349.Xr jail.conf 5 , 1350.Xr linprocfs 5 , 1351.Xr linsysfs 5 , 1352.Xr procfs 5 , 1353.Xr rc.conf 5 , 1354.Xr sysctl.conf 5 , 1355.Xr bsdconfig 8 , 1356.Xr chroot 8 , 1357.Xr devfs 8 , 1358.Xr halt 8 , 1359.Xr ifconfig 8 , 1360.Xr inetd 8 , 1361.Xr jexec 8 , 1362.Xr jls 8 , 1363.Xr mount 8 , 1364.Xr named 8 , 1365.Xr reboot 8 , 1366.Xr rpcbind 8 , 1367.Xr sendmail 8 , 1368.Xr shutdown 8 , 1369.Xr sysctl 8 , 1370.Xr syslogd 8 , 1371.Xr umount 8 1372.Sh HISTORY 1373The 1374.Nm 1375utility appeared in 1376.Fx 4.0 . 1377Hierarchical/extensible jails were introduced in 1378.Fx 8.0 . 1379The configuration file was introduced in 1380.Fx 9.1 . 1381.Sh AUTHORS 1382.An -nosplit 1383The jail feature was written by 1384.An Poul-Henning Kamp 1385for R&D Associates 1386who contributed it to 1387.Fx . 1388.Pp 1389.An Robert Watson 1390wrote the extended documentation, found a few bugs, added 1391a few new features, and cleaned up the userland jail environment. 1392.Pp 1393.An Bjoern A. Zeeb 1394added multi-IP jail support for IPv4 and IPv6 based on a patch 1395originally done by 1396.An Pawel Jakub Dawidek 1397for IPv4. 1398.Pp 1399.An James Gritton 1400added the extensible jail parameters, hierarchical jails, 1401and the configuration file. 1402.Sh BUGS 1403It might be a good idea to add an 1404address alias flag such that daemons listening on all IPs 1405.Pq Dv INADDR_ANY 1406will not bind on that address, which would facilitate building a safe 1407host environment such that host daemons do not impose on services offered 1408from within jails. 1409Currently, the simplest answer is to minimize services 1410offered on the host, possibly limiting it to services offered from 1411.Xr inetd 8 1412which is easily configurable. 1413.Sh NOTES 1414Great care should be taken when managing directories visible within the jail. 1415For example, if a jailed process has its current working directory set to a 1416directory that is moved out of the jail's chroot, then the process may gain 1417access to the file space outside of the jail. 1418It is recommended that directories always be copied, rather than moved, out 1419of a jail. 1420.Pp 1421In addition, there are several ways in which an unprivileged user 1422outside the jail can cooperate with a privileged user inside the jail 1423and thereby obtain elevated privileges in the host environment. 1424Most of these attacks can be mitigated by ensuring that the jail root 1425is not accessible to unprivileged users in the host environment. 1426Regardless, as a general rule, untrusted users with privileged access 1427to a jail should not be given access to the host environment. 1428