1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd January 24, 2009 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl hi 45.Op Fl n Ar jailname 46.Op Fl J Ar jid_file 47.Op Fl s Ar securelevel 48.Op Fl l u Ar username | Fl U Ar username 49.Ar path hostname [ip[,..]] command ... 50.Sh DESCRIPTION 51The 52.Nm 53utility imprisons a process and all future descendants. 54.Pp 55The options are as follows: 56.Bl -tag -width ".Fl u Ar username" 57.It Fl h 58Resolve 59.Va hostname 60and add all IP addresses returned by the resolver 61to the list of 62.Va ip-addresses 63for this prison. 64This may affect default address selection for outgoing IPv4 connections 65of prisons. 66The address first returned by the resolver for each address family 67will be used as primary address. 68See 69.Va ip-addresses 70further down for details. 71.It Fl i 72Output the jail identifier of the newly created jail. 73.It Fl n Ar jailname 74Assign and administrative name to the jail that can be used for management 75or auditing purposes. 76The system will 77.Sy not enforce 78the name to be unique. 79.It Fl J Ar jid_file 80Write a 81.Ar jid_file 82file, containing jail identifier, path, hostname, IP and 83command used to start the jail. 84.It Fl l 85Run program in the clean environment. 86The environment is discarded except for 87.Ev HOME , SHELL , TERM 88and 89.Ev USER . 90.Ev HOME 91and 92.Ev SHELL 93are set to the target login's default values. 94.Ev USER 95is set to the target login. 96.Ev TERM 97is imported from the current environment. 98The environment variables from the login class capability database for the 99target login are also set. 100.It Fl s Ar securelevel 101Sets the 102.Va kern.securelevel 103sysctl variable to the specified value inside the newly created jail. 104.It Fl u Ar username 105The user name from host environment as whom the 106.Ar command 107should run. 108.It Fl U Ar username 109The user name from jailed environment as whom the 110.Ar command 111should run. 112.It Ar path 113Directory which is to be the root of the prison. 114.It Ar hostname 115Hostname of the prison. 116.It Ar ip-addresses 117None, one or more IPv4 and IPv6 addresses assigned to the prison. 118The first address of each address family that was assigned to the jail will 119be used as the source address in case source address selection on unbound 120sockets cannot find a better match. 121It is only possible to start multiple jails with the same IP address, 122if none of the jails has more than this single overlapping IP address 123assigned to itself for the address family in question. 124.It Ar command 125Pathname of the program which is to be executed. 126.El 127.Pp 128Jails are typically set up using one of two philosophies: either to 129constrain a specific application (possibly running with privilege), or 130to create a 131.Dq "virtual system image" 132running a variety of daemons and services. 133In both cases, a fairly complete file system install of 134.Fx 135is 136required, so as to provide the necessary command line tools, daemons, 137libraries, application configuration files, etc. 138However, for a virtual server configuration, a fair amount of 139additional work is required so as to configure the 140.Dq boot 141process. 142This manual page documents the configuration steps necessary to support 143either of these steps, although the configuration steps may be 144refined based on local requirements. 145.Pp 146Please see the 147.Xr jail 2 148man page for further details. 149.Sh EXAMPLES 150.Ss "Setting up a Jail Directory Tree" 151To set up a jail directory tree containing an entire 152.Fx 153distribution, the following 154.Xr sh 1 155command script can be used: 156.Bd -literal 157D=/here/is/the/jail 158cd /usr/src 159mkdir -p $D 160make world DESTDIR=$D 161make distribution DESTDIR=$D 162mount -t devfs devfs $D/dev 163.Ed 164.Pp 165NOTE: It is important that only appropriate device nodes in devfs be 166exposed to a jail; access to disk devices in the jail may permit processes 167in the jail to bypass the jail sandboxing by modifying files outside of 168the jail. 169See 170.Xr devfs 8 171for information on how to use devfs rules to limit access to entries 172in the per-jail devfs. 173A simple devfs ruleset for jails is available as ruleset #4 in 174.Pa /etc/defaults/devfs.rules . 175.Pp 176In many cases this example would put far more in the jail than needed. 177In the other extreme case a jail might contain only one file: 178the executable to be run in the jail. 179.Pp 180We recommend experimentation and caution that it is a lot easier to 181start with a 182.Dq fat 183jail and remove things until it stops working, 184than it is to start with a 185.Dq thin 186jail and add things until it works. 187.Ss "Setting Up a Jail" 188Do what was described in 189.Sx "Setting Up a Jail Directory Tree" 190to build the jail directory tree. 191For the sake of this example, we will 192assume you built it in 193.Pa /data/jail/192.0.2.100 , 194named for the jailed IP address. 195Substitute below as needed with your 196own directory, IP address, and hostname. 197.Ss "Setting up the Host Environment" 198First, you will want to set up your real system's environment to be 199.Dq jail-friendly . 200For consistency, we will refer to the parent box as the 201.Dq "host environment" , 202and to the jailed virtual machine as the 203.Dq "jail environment" . 204Since jail is implemented using IP aliases, one of the first things to do 205is to disable IP services on the host system that listen on all local 206IP addresses for a service. 207If a network service is present in the host environment that binds all 208available IP addresses rather than specific IP addresses, it may service 209requests sent to jail IP addresses if the jail did not bind the port. 210This means changing 211.Xr inetd 8 212to only listen on the 213appropriate IP address, and so forth. 214Add the following to 215.Pa /etc/rc.conf 216in the host environment: 217.Bd -literal -offset indent 218sendmail_enable="NO" 219inetd_flags="-wW -a 192.0.2.23" 220rpcbind_enable="NO" 221.Ed 222.Pp 223.Li 192.0.2.23 224is the native IP address for the host system, in this example. 225Daemons that run out of 226.Xr inetd 8 227can be easily set to use only the specified host IP address. 228Other daemons 229will need to be manually configured\(emfor some this is possible through 230the 231.Xr rc.conf 5 232flags entries; for others it is necessary to modify per-application 233configuration files, or to recompile the applications. 234The following frequently deployed services must have their individual 235configuration files modified to limit the application to listening 236to a specific IP address: 237.Pp 238To configure 239.Xr sshd 8 , 240it is necessary to modify 241.Pa /etc/ssh/sshd_config . 242.Pp 243To configure 244.Xr sendmail 8 , 245it is necessary to modify 246.Pa /etc/mail/sendmail.cf . 247.Pp 248For 249.Xr named 8 , 250it is necessary to modify 251.Pa /etc/namedb/named.conf . 252.Pp 253In addition, a number of services must be recompiled in order to run 254them in the host environment. 255This includes most applications providing services using 256.Xr rpc 3 , 257such as 258.Xr rpcbind 8 , 259.Xr nfsd 8 , 260and 261.Xr mountd 8 . 262In general, applications for which it is not possible to specify which 263IP address to bind should not be run in the host environment unless they 264should also service requests sent to jail IP addresses. 265Attempting to serve 266NFS from the host environment may also cause confusion, and cannot be 267easily reconfigured to use only specific IPs, as some NFS services are 268hosted directly from the kernel. 269Any third-party network software running 270in the host environment should also be checked and configured so that it 271does not bind all IP addresses, which would result in those services' also 272appearing to be offered by the jail environments. 273.Pp 274Once 275these daemons have been disabled or fixed in the host environment, it is 276best to reboot so that all daemons are in a known state, to reduce the 277potential for confusion later (such as finding that when you send mail 278to a jail, and its sendmail is down, the mail is delivered to the host, 279etc.). 280.Ss "Configuring the Jail" 281Start any jail for the first time without configuring the network 282interface so that you can clean it up a little and set up accounts. 283As 284with any machine (virtual or not) you will need to set a root password, time 285zone, etc. 286Some of these steps apply only if you intend to run a full virtual server 287inside the jail; others apply both for constraining a particular application 288or for running a virtual server. 289.Pp 290Start a shell in the jail: 291.Pp 292.Dl "jail /data/jail/192.0.2.100 testhostname 192.0.2.100 /bin/sh" 293.Pp 294Assuming no errors, you will end up with a shell prompt within the jail. 295You can now run 296.Pa /usr/sbin/sysinstall 297and do the post-install configuration to set various configuration options, 298or perform these actions manually by editing 299.Pa /etc/rc.conf , 300etc. 301.Pp 302.Bl -bullet -offset indent -compact 303.It 304Create an empty 305.Pa /etc/fstab 306to quell startup warnings about missing fstab (virtual server only) 307.It 308Disable the port mapper 309.Pa ( /etc/rc.conf : 310.Li rpcbind_enable="NO" ) 311(virtual server only) 312.It 313Configure 314.Pa /etc/resolv.conf 315so that name resolution within the jail will work correctly 316.It 317Run 318.Xr newaliases 1 319to quell 320.Xr sendmail 8 321warnings. 322.It 323Disable interface configuration to quell startup warnings about 324.Xr ifconfig 8 325.Pq Li network_interfaces="" 326(virtual server only) 327.It 328Set a root password, probably different from the real host system 329.It 330Set the timezone 331.It 332Add accounts for users in the jail environment 333.It 334Install any packages the environment requires 335.El 336.Pp 337You may also want to perform any package-specific configuration (web servers, 338SSH servers, etc), patch up 339.Pa /etc/syslog.conf 340so it logs as you would like, etc. 341If you are not using a virtual server, you may wish to modify 342.Xr syslogd 8 343in the host environment to listen on the syslog socket in the jail 344environment; in this example, the syslog socket would be stored in 345.Pa /data/jail/192.0.2.100/var/run/log . 346.Pp 347Exit from the shell, and the jail will be shut down. 348.Ss "Starting the Jail" 349You are now ready to restart the jail and bring up the environment with 350all of its daemons and other programs. 351If you are running a single application in the jail, substitute the 352command used to start the application for 353.Pa /etc/rc 354in the examples below. 355To start a virtual server environment, 356.Pa /etc/rc 357is run to launch various daemons and services. 358To do this, first bring up the 359virtual host interface, and then start the jail's 360.Pa /etc/rc 361script from within the jail. 362.Pp 363NOTE: If you plan to allow untrusted users to have root access inside the 364jail, you may wish to consider setting the 365.Va security.jail.set_hostname_allowed 366sysctl variable to 0. 367Please see the management discussion later in this document as to why this 368may be a good idea. 369If you do decide to set this variable, 370it must be set before starting any jails, and once each boot. 371.Bd -literal -offset indent 372ifconfig ed0 inet alias 192.0.2.100/32 373mount -t procfs proc /data/jail/192.0.2.100/proc 374jail /data/jail/192.0.2.100 testhostname 192.0.2.100 \\ 375 /bin/sh /etc/rc 376.Ed 377.Pp 378A few warnings will be produced, because most 379.Xr sysctl 8 380configuration variables cannot be set from within the jail, as they are 381global across all jails and the host environment. 382However, it should all 383work properly. 384You should be able to see 385.Xr inetd 8 , 386.Xr syslogd 8 , 387and other processes running within the jail using 388.Xr ps 1 , 389with the 390.Ql J 391flag appearing beside jailed processes. 392To see an active list of jails, use the 393.Xr jls 8 394utility. 395You should also be able to 396.Xr telnet 1 397to the hostname or IP address of the jailed environment, and log 398in using the accounts you created previously. 399.Pp 400It is possible to have jails started at boot time. 401Please refer to the 402.Dq jail_* 403variables in 404.Xr rc.conf 5 405for more information. 406The 407.Xr rc 8 408jail script provides a flexible system to start/stop jails: 409.Bd -literal 410/etc/rc.d/jail start 411/etc/rc.d/jail stop 412/etc/rc.d/jail start myjail 413/etc/rc.d/jail stop myjail 414.Ed 415.Ss "Managing the Jail" 416Normal machine shutdown commands, such as 417.Xr halt 8 , 418.Xr reboot 8 , 419and 420.Xr shutdown 8 , 421cannot be used successfully within the jail. 422To kill all processes in a 423jail, you may log into the jail and, as root, use one of the following 424commands, depending on what you want to accomplish: 425.Pp 426.Bd -literal -offset indent 427kill -TERM -1 428kill -KILL -1 429.Ed 430.Pp 431This will send the 432.Dv SIGTERM 433or 434.Dv SIGKILL 435signals to all processes in the jail from within the jail. 436Depending on 437the intended use of the jail, you may also want to run 438.Pa /etc/rc.shutdown 439from within the jail. 440To kill processes from outside the jail, use the 441.Xr jexec 8 442utility in conjunction with the one of the 443.Xr kill 1 444commands above. 445.Pp 446The 447.Pa /proc/ Ns Ar pid Ns Pa /status 448file contains, as its last field, the hostname of the jail in which the 449process runs, or 450.Dq Li - 451to indicate that the process is not running within a jail. 452The 453.Xr ps 1 454command also shows a 455.Ql J 456flag for processes in a jail. 457However, the hostname for a jail may be, by 458default, modified from within the jail, so the 459.Pa /proc 460status entry is unreliable by default. 461To disable the setting of the hostname 462from within a jail, set the 463.Va security.jail.set_hostname_allowed 464sysctl variable in the host environment to 0, which will affect all jails. 465You can have this sysctl set on each boot using 466.Xr sysctl.conf 5 . 467Just add the following line to 468.Pa /etc/sysctl.conf : 469.Pp 470.Dl security.jail.set_hostname_allowed=0 471.Pp 472You can also list/kill processes based on their jail ID. 473To show processes and their jail ID, use the following command: 474.Pp 475.Dl "ps ax -o pid,jid,args" 476.Pp 477To show and then kill processes in jail number 3 use the following commands: 478.Bd -literal -offset indent 479pgrep -lfj 3 480pkill -j 3 481.Ed 482or: 483.Pp 484.Dl "killall -j 3" 485.Ss "Jails and File Systems" 486It is not possible to 487.Xr mount 8 488or 489.Xr umount 8 490any file system inside a jail unless the file system is marked 491jail-friendly. 492See 493.Va security.jail.mount_allowed 494in the 495.Va "Sysctl MIB Entries" 496section. 497.Pp 498Multiple jails sharing the same file system can influence each other. 499For example a user in one jail can fill the file system also 500leaving no space for processes in the other jail. 501Trying to use 502.Xr quota 1 503to prevent this will not work either as the file system quotas 504are not aware of jails but only look at the user and group IDs. 505This means the same user ID in two jails share the same file 506system quota. 507One would need to use one file system per jail to make this working. 508.Ss "Sysctl MIB Entries" 509Certain aspects of the jail containments environment may be modified from 510the host environment using 511.Xr sysctl 8 512MIB variables. 513Currently, these variables affect all jails on the system, although in 514the future this functionality may be finer grained. 515.Bl -tag -width XXX 516.It Va security.jail.allow_raw_sockets 517This MIB entry determines whether or not prison root is allowed to 518create raw sockets. 519Setting this MIB to 1 allows utilities like 520.Xr ping 8 521and 522.Xr traceroute 8 523to operate inside the prison. 524If this MIB 525is set, the source IP addresses are enforced to comply 526with the IP address bound to the jail, regardless of whether or not 527the 528.Dv IP_HDRINCL 529flag has been set on the socket. 530Since raw sockets can be used to configure 531and interact with various network subsystems, extra caution should be used 532where privileged access to jails is given out to untrusted parties. 533As such, 534by default this option is disabled. 535.It Va security.jail.enforce_statfs 536This MIB entry determines which information processes in a jail are 537able to get about mount-points. 538It affects the behaviour of the following syscalls: 539.Xr statfs 2 , 540.Xr fstatfs 2 , 541.Xr getfsstat 2 542and 543.Xr fhstatfs 2 544(as well as similar compatibility syscalls). 545When set to 0, all mount-points are available without any restrictions. 546When set to 1, only mount-points below the jail's chroot directory are 547visible. 548In addition to that, the path to the jail's chroot directory is removed 549from the front of their pathnames. 550When set to 2 (default), above syscalls can operate only on a mount-point 551where the jail's chroot directory is located. 552.It Va security.jail.set_hostname_allowed 553This MIB entry determines whether or not processes within a jail are 554allowed to change their hostname via 555.Xr hostname 1 556or 557.Xr sethostname 3 . 558In the current jail implementation, the ability to set the hostname from 559within the jail can impact management tools relying on the accuracy of jail 560information in 561.Pa /proc . 562As such, this should be disabled in environments where privileged access to 563jails is given out to untrusted parties. 564.It Va security.jail.socket_unixiproute_only 565The jail functionality binds an IPv4 address to each jail, and limits 566access to other network addresses in the IPv4 space that may be available 567in the host environment. 568However, jail is not currently able to limit access to other network 569protocol stacks that have not had jail functionality added to them. 570As such, by default, processes within jails may only access protocols 571in the following domains: 572.Dv PF_LOCAL , PF_INET , 573and 574.Dv PF_ROUTE , 575permitting them access to 576.Ux 577domain sockets, 578IPv4 addresses, and routing sockets. 579To enable access to other domains, this MIB variable may be set to 5800. 581.It Va security.jail.sysvipc_allowed 582This MIB entry determines whether or not processes within a jail have access 583to System V IPC primitives. 584In the current jail implementation, System V primitives share a single 585namespace across the host and jail environments, meaning that processes 586within a jail would be able to communicate with (and potentially interfere 587with) processes outside of the jail, and in other jails. 588As such, this functionality is disabled by default, but can be enabled 589by setting this MIB entry to 1. 590.It Va security.jail.chflags_allowed 591This MIB entry determines how a privileged user inside a jail will be 592treated by 593.Xr chflags 2 . 594If zero, such users are treated as unprivileged, and are unable to set 595or clear system file flags; if non-zero, such users are treated as 596privileged, and may manipulate system file flags subject to the usual 597constraints on 598.Va kern.securelevel . 599.It Va security.jail.mount_allowed 600This MIB entry determines if a privileged user inside a jail will be 601able to mount and unmount file system types marked as jail-friendly. 602The 603.Xr lsvfs 1 604command can be used to find file system types available for mount from within 605a jail. 606This functionality is disabled by default, but can be enabled by setting this 607MIB entry to 1. 608.It Va security.jail.jail_max_af_ips 609This MIB entry determines how may address per address family a prison 610may have. The default is 255. 611.El 612.Pp 613The read-only sysctl variable 614.Va security.jail.jailed 615can be used to determine if a process is running inside a jail (value 616is one) or not (value is zero). 617.Pp 618The 619.Va security.jail.list 620MIB entry is read-only and it returns an array of 621.Vt "struct xprison" 622defined in 623.In sys/jail.h . 624It is recommended to use the 625.Xr jls 8 626utility to see current active list of jails. 627.Pp 628There are currently two MIB related variables that have per-jail settings. 629Changes to these variables by a jailed process do not effect the host 630environment, only the jail environment. 631The variables are 632.Va kern.securelevel 633and 634.Va kern.hostname . 635.Sh SEE ALSO 636.Xr killall 1 , 637.Xr lsvfs 1 , 638.Xr newaliases 1 , 639.Xr pgrep 1 , 640.Xr pkill 1 , 641.Xr ps 1 , 642.Xr quota 1 , 643.Xr chroot 2 , 644.Xr jail 2 , 645.Xr jail_attach 2 , 646.Xr procfs 5 , 647.Xr rc.conf 5 , 648.Xr sysctl.conf 5 , 649.Xr devfs 8 , 650.Xr halt 8 , 651.Xr inetd 8 , 652.Xr jexec 8 , 653.Xr jls 8 , 654.Xr mount 8 , 655.Xr named 8 , 656.Xr reboot 8 , 657.Xr rpcbind 8 , 658.Xr sendmail 8 , 659.Xr shutdown 8 , 660.Xr sysctl 8 , 661.Xr syslogd 8 , 662.Xr umount 8 663.Sh HISTORY 664The 665.Nm 666utility appeared in 667.Fx 4.0 . 668.Sh AUTHORS 669.An -nosplit 670The jail feature was written by 671.An Poul-Henning Kamp 672for R&D Associates 673.Pa http://www.rndassociates.com/ 674who contributed it to 675.Fx . 676.Pp 677.An Robert Watson 678wrote the extended documentation, found a few bugs, added 679a few new features, and cleaned up the userland jail environment. 680.Pp 681.An Bjoern A. Zeeb 682added multi-IP jail support for IPv4 and IPv6 based on a patch 683originally done by 684.An Pawel Jakub Dawidek 685for IPv4. 686.Sh BUGS 687Jail currently lacks the ability to allow access to 688specific jail information via 689.Xr ps 1 690as opposed to 691.Xr procfs 5 . 692Similarly, it might be a good idea to add an 693address alias flag such that daemons listening on all IPs 694.Pq Dv INADDR_ANY 695will not bind on that address, which would facilitate building a safe 696host environment such that host daemons do not impose on services offered 697from within jails. 698Currently, the simplest answer is to minimize services 699offered on the host, possibly limiting it to services offered from 700.Xr inetd 8 701which is easily configurable. 702