1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" Copyright (c) 2008 James Gritton 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" 28.\" ---------------------------------------------------------------------------- 29.\" "THE BEER-WARE LICENSE" (Revision 42): 30.\" <phk@FreeBSD.org> wrote this file. As long as you retain this notice you 31.\" can do whatever you want with this stuff. If we meet some day, and you think 32.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 33.\" ---------------------------------------------------------------------------- 34.\" 35.\" $FreeBSD$ 36.\" 37.Dd July 23, 2011 38.Dt JAIL 8 39.Os 40.Sh NAME 41.Nm jail 42.Nd "create or modify a system jail" 43.Sh SYNOPSIS 44.Nm 45.Op Fl dhi 46.Op Fl J Ar jid_file 47.Op Fl l u Ar username | Fl U Ar username 48.Op Fl c | m 49.Op Ar parameter=value ... 50.Nm 51.Op Fl hi 52.Op Fl n Ar jailname 53.Op Fl J Ar jid_file 54.Op Fl s Ar securelevel 55.Op Fl l u Ar username | Fl U Ar username 56.Op Ar path hostname [ip[,..]] command ... 57.Nm 58.Op Fl r Ar jail 59.Sh DESCRIPTION 60The 61.Nm 62utility creates a new jail or modifies an existing jail, optionally 63imprisoning the current process (and future descendants) inside it. 64.Pp 65The options are as follows: 66.Bl -tag -width indent 67.It Fl d 68Allow making changes to a dying jail. 69.It Fl h 70Resolve the 71.Va host.hostname 72parameter (or 73.Va hostname ) 74and add all IP addresses returned by the resolver 75to the list of 76.Va ip 77addresses for this prison. 78This may affect default address selection for outgoing IPv4 connections 79of prisons. 80The address first returned by the resolver for each address family 81will be used as primary address. 82See the 83.Va ip4.addr 84and 85.Va ip6.addr 86parameters further down for details. 87.It Fl i 88Output the jail identifier of the newly created jail. 89.It Fl n Ar jailname 90Set the jail's name. 91This is deprecated and is equivalent to setting the 92.Va name 93parameter. 94.It Fl J Ar jid_file 95Write a 96.Ar jid_file 97file, containing jail identifier, path, hostname, IP and 98command used to start the jail. 99.It Fl l 100Run program in the clean environment. 101The environment is discarded except for 102.Ev HOME , SHELL , TERM 103and 104.Ev USER . 105.Ev HOME 106and 107.Ev SHELL 108are set to the target login's default values. 109.Ev USER 110is set to the target login. 111.Ev TERM 112is imported from the current environment. 113The environment variables from the login class capability database for the 114target login are also set. 115.It Fl s Ar securelevel 116Set the 117.Va kern.securelevel 118MIB entry to the specified value inside the newly created jail. 119This is deprecated and is equivalent to setting the 120.Va securelevel 121parameter. 122.It Fl u Ar username 123The user name from host environment as whom the 124.Ar command 125should run. 126.It Fl U Ar username 127The user name from jailed environment as whom the 128.Ar command 129should run. 130.It Fl c 131Create a new jail. 132The 133.Va jid 134and 135.Va name 136parameters (if specified) must not refer to an existing jail. 137.It Fl m 138Modify an existing jail. 139One of the 140.Va jid 141or 142.Va name 143parameters must exist and refer to an existing jail. 144.It Fl cm 145Create a jail if it does not exist, or modify a jail if it does exist. 146.It Fl r 147Remove the 148.Ar jail 149specified by jid or name. 150All jailed processes are killed, and all children of this jail are also 151removed. 152.El 153.Pp 154At least one of the 155.Fl c , 156.Fl m 157or 158.Fl r 159options must be specified. 160.Pp 161.Ar Parameters 162are listed in 163.Dq name=value 164form, following the options. 165Some parameters are boolean, and do not have a value but are set by the 166name alone with or without a 167.Dq no 168prefix, e.g. 169.Va persist 170or 171.Va nopersist . 172Any parameters not set will be given default values, often based on the 173current environment. 174.Pp 175The pseudo-parameter 176.Va command 177specifies that the current process should enter the new (or modified) jail, 178and run the specified command. 179It must be the last parameter specified, because it includes not only 180the value following the 181.Sq = 182sign, but also passes the rest of the arguments to the command. 183.Pp 184Instead of supplying named 185.Ar parameters , 186four fixed parameters may be supplied in order on the command line: 187.Ar path , 188.Ar hostname , 189.Ar ip , 190and 191.Ar command . 192As the 193.Va jid 194and 195.Va name 196parameters aren't in this list, this mode will always create a new jail, and 197the 198.Fl c 199and 200.Fl m 201options don't apply (and must not exist). 202.Pp 203Jails have a set a core parameters, and modules can add their own jail 204parameters. 205The current set of available parameters can be retrieved via 206.Dq Nm sysctl Fl d Va security.jail.param . 207The core parameters are: 208.Bl -tag -width indent 209.It Va jid 210The jail identifier. 211This will be assigned automatically to a new jail (or can be explicitly 212set), and can be used to identify the jail for later modification, or 213for such commands as 214.Xr jls 8 215or 216.Xr jexec 8 . 217.It Va name 218The jail name. 219This is an arbitrary string that identifies a jail (except it may not 220contain a 221.Sq \&. ) . 222Like the 223.Va jid , 224it can be passed to later 225.Nm 226commands, or to 227.Xr jls 8 228or 229.Xr jexec 8 . 230If no 231.Va name 232is supplied, a default is assumed that is the same as the 233.Va jid . 234.It Va path 235Directory which is to be the root of the prison. 236The 237.Va command 238(if any) is run from this directory, as are commands from 239.Xr jexec 8 . 240.It Va ip4.addr 241A comma-separated list of IPv4 addresses assigned to the prison. 242If this is set, the jail is restricted to using only these addresses. 243Any attempts to use other addresses fail, and attempts to use wildcard 244addresses silently use the jailed address instead. 245For IPv4 the first address given will be kept used as the source address 246in case source address selection on unbound sockets cannot find a better 247match. 248It is only possible to start multiple jails with the same IP address, 249if none of the jails has more than this single overlapping IP address 250assigned to itself. 251.It Va ip4.saddrsel 252A boolean option to change the formerly mentioned behaviour and disable 253IPv4 source address selection for the prison in favour of the primary 254IPv4 address of the jail. 255Source address selection is enabled by default for all jails and a 256.Va ip4.nosaddrsel 257setting of a parent jail is not inherited for any child jails. 258.It Va ip4 259Control the availability of IPv4 addresses. 260Possible values are 261.Dq inherit 262to allow unrestricted access to all system addresses, 263.Dq new 264to restrict addresses via 265.Va ip4.addr 266above, and 267.Dq disable 268to stop the jail from using IPv4 entirely. 269Setting the 270.Va ip4.addr 271parameter implies a value of 272.Dq new . 273.It Va ip6.addr , Va ip6.saddrsel , Va ip6 274A set of IPv6 options for the prison, the counterparts to 275.Va ip4.addr , 276.Va ip4.saddrsel 277and 278.Va ip4 279above. 280.It Va host.hostname 281Hostname of the prison. 282Other similar parameters are 283.Va host.domainname , 284.Va host.hostuuid 285and 286.Va host.hostid . 287.It Va host 288Set the origin of hostname and related information. 289Possible values are 290.Dq inherit 291to use the system information and 292.Dq new 293for the jail to use the information from the above fields. 294Setting any of the above fields implies a value of 295.Dq new . 296.It Va securelevel 297The value of the jail's 298.Va kern.securelevel 299sysctl. 300A jail never has a lower securelevel than the default system, but by 301setting this parameter it may have a higher one. 302If the system securelevel is changed, any jail securelevels will be at 303least as secure. 304.It Va children.max 305The number of child jails allowed to be created by this jail (or by 306other jails under this jail). 307This limit is zero by default, indicating the jail is not allowed to 308create child jails. 309See the 310.Va "Hierarchical Jails" 311section for more information. 312.It Va children.cur 313The number of descendents of this jail, including its own child jails 314and any jails created under them. 315.It Va enforce_statfs 316This determines which information processes in a jail are able to get 317about mount points. 318It affects the behaviour of the following syscalls: 319.Xr statfs 2 , 320.Xr fstatfs 2 , 321.Xr getfsstat 2 322and 323.Xr fhstatfs 2 324(as well as similar compatibility syscalls). 325When set to 0, all mount points are available without any restrictions. 326When set to 1, only mount points below the jail's chroot directory are 327visible. 328In addition to that, the path to the jail's chroot directory is removed 329from the front of their pathnames. 330When set to 2 (default), above syscalls can operate only on a mount-point 331where the jail's chroot directory is located. 332.It Va persist 333Setting this boolean parameter allows a jail to exist without any 334processes. 335Normally, a jail is destroyed as its last process exits. 336A new jail must have either the 337.Va persist 338parameter or 339.Va command 340pseudo-parameter set. 341.It Va cpuset.id 342The ID of the cpuset associated with this jail (read-only). 343.It Va dying 344This is true if the jail is in the process of shutting down (read-only). 345.It Va parent 346The 347.Va jid 348of the parent of this jail, or zero if this is a top-level jail 349(read-only). 350.It Va allow.* 351Some restrictions of the jail environment may be set on a per-jail 352basis. 353With the exception of 354.Va allow.set_hostname , 355these boolean parameters are off by default. 356.Bl -tag -width indent 357.It Va allow.set_hostname 358The jail's hostname may be changed via 359.Xr hostname 1 360or 361.Xr sethostname 3 . 362.It Va allow.sysvipc 363A process within the jail has access to System V IPC primitives. 364In the current jail implementation, System V primitives share a single 365namespace across the host and jail environments, meaning that processes 366within a jail would be able to communicate with (and potentially interfere 367with) processes outside of the jail, and in other jails. 368.It Va allow.raw_sockets 369The prison root is allowed to create raw sockets. 370Setting this parameter allows utilities like 371.Xr ping 8 372and 373.Xr traceroute 8 374to operate inside the prison. 375If this is set, the source IP addresses are enforced to comply 376with the IP address bound to the jail, regardless of whether or not 377the 378.Dv IP_HDRINCL 379flag has been set on the socket. 380Since raw sockets can be used to configure and interact with various 381network subsystems, extra caution should be used where privileged access 382to jails is given out to untrusted parties. 383.It Va allow.chflags 384Normally, privileged users inside a jail are treated as unprivileged by 385.Xr chflags 2 . 386When this parameter is set, such users are treated as privileged, and 387may manipulate system file flags subject to the usual constraints on 388.Va kern.securelevel . 389.It Va allow.mount 390privileged users inside the jail will be able to mount and unmount file 391system types marked as jail-friendly. 392The 393.Xr lsvfs 1 394command can be used to find file system types available for mount from 395within a jail. 396This permission is effective only if 397.Va enforce_statfs 398is set to a value lower than 2. 399.It Va allow.quotas 400The prison root may administer quotas on the jail's filesystem(s). 401This includes filesystems that the jail may share with other jails or 402with non-jailed parts of the system. 403.It Va allow.socket_af 404Sockets within a jail are normally restricted to IPv4, IPv6, local 405(UNIX), and route. This allows access to other protocol stacks that 406have not had jail functionality added to them. 407.El 408.El 409.Pp 410Jails are typically set up using one of two philosophies: either to 411constrain a specific application (possibly running with privilege), or 412to create a 413.Dq "virtual system image" 414running a variety of daemons and services. 415In both cases, a fairly complete file system install of 416.Fx 417is 418required, so as to provide the necessary command line tools, daemons, 419libraries, application configuration files, etc. 420However, for a virtual server configuration, a fair amount of 421additional work is required so as to configure the 422.Dq boot 423process. 424This manual page documents the configuration steps necessary to support 425either of these steps, although the configuration steps may be 426refined based on local requirements. 427.Sh EXAMPLES 428.Ss "Setting up a Jail Directory Tree" 429To set up a jail directory tree containing an entire 430.Fx 431distribution, the following 432.Xr sh 1 433command script can be used: 434.Bd -literal 435D=/here/is/the/jail 436cd /usr/src 437mkdir -p $D 438make world DESTDIR=$D 439make distribution DESTDIR=$D 440mount -t devfs devfs $D/dev 441.Ed 442.Pp 443NOTE: It is important that only appropriate device nodes in devfs be 444exposed to a jail; access to disk devices in the jail may permit processes 445in the jail to bypass the jail sandboxing by modifying files outside of 446the jail. 447See 448.Xr devfs 8 449for information on how to use devfs rules to limit access to entries 450in the per-jail devfs. 451A simple devfs ruleset for jails is available as ruleset #4 in 452.Pa /etc/defaults/devfs.rules . 453.Pp 454In many cases this example would put far more in the jail than needed. 455In the other extreme case a jail might contain only one file: 456the executable to be run in the jail. 457.Pp 458We recommend experimentation and caution that it is a lot easier to 459start with a 460.Dq fat 461jail and remove things until it stops working, 462than it is to start with a 463.Dq thin 464jail and add things until it works. 465.Ss "Setting Up a Jail" 466Do what was described in 467.Sx "Setting Up a Jail Directory Tree" 468to build the jail directory tree. 469For the sake of this example, we will 470assume you built it in 471.Pa /data/jail/192.0.2.100 , 472named for the jailed IP address. 473Substitute below as needed with your 474own directory, IP address, and hostname. 475.Ss "Setting up the Host Environment" 476First, you will want to set up your real system's environment to be 477.Dq jail-friendly . 478For consistency, we will refer to the parent box as the 479.Dq "host environment" , 480and to the jailed virtual machine as the 481.Dq "jail environment" . 482Since jail is implemented using IP aliases, one of the first things to do 483is to disable IP services on the host system that listen on all local 484IP addresses for a service. 485If a network service is present in the host environment that binds all 486available IP addresses rather than specific IP addresses, it may service 487requests sent to jail IP addresses if the jail did not bind the port. 488This means changing 489.Xr inetd 8 490to only listen on the 491appropriate IP address, and so forth. 492Add the following to 493.Pa /etc/rc.conf 494in the host environment: 495.Bd -literal -offset indent 496sendmail_enable="NO" 497inetd_flags="-wW -a 192.0.2.23" 498rpcbind_enable="NO" 499.Ed 500.Pp 501.Li 192.0.2.23 502is the native IP address for the host system, in this example. 503Daemons that run out of 504.Xr inetd 8 505can be easily set to use only the specified host IP address. 506Other daemons 507will need to be manually configured\(emfor some this is possible through 508the 509.Xr rc.conf 5 510flags entries; for others it is necessary to modify per-application 511configuration files, or to recompile the applications. 512The following frequently deployed services must have their individual 513configuration files modified to limit the application to listening 514to a specific IP address: 515.Pp 516To configure 517.Xr sshd 8 , 518it is necessary to modify 519.Pa /etc/ssh/sshd_config . 520.Pp 521To configure 522.Xr sendmail 8 , 523it is necessary to modify 524.Pa /etc/mail/sendmail.cf . 525.Pp 526For 527.Xr named 8 , 528it is necessary to modify 529.Pa /etc/namedb/named.conf . 530.Pp 531In addition, a number of services must be recompiled in order to run 532them in the host environment. 533This includes most applications providing services using 534.Xr rpc 3 , 535such as 536.Xr rpcbind 8 , 537.Xr nfsd 8 , 538and 539.Xr mountd 8 . 540In general, applications for which it is not possible to specify which 541IP address to bind should not be run in the host environment unless they 542should also service requests sent to jail IP addresses. 543Attempting to serve 544NFS from the host environment may also cause confusion, and cannot be 545easily reconfigured to use only specific IPs, as some NFS services are 546hosted directly from the kernel. 547Any third-party network software running 548in the host environment should also be checked and configured so that it 549does not bind all IP addresses, which would result in those services' also 550appearing to be offered by the jail environments. 551.Pp 552Once 553these daemons have been disabled or fixed in the host environment, it is 554best to reboot so that all daemons are in a known state, to reduce the 555potential for confusion later (such as finding that when you send mail 556to a jail, and its sendmail is down, the mail is delivered to the host, 557etc.). 558.Ss "Configuring the Jail" 559Start any jail for the first time without configuring the network 560interface so that you can clean it up a little and set up accounts. 561As 562with any machine (virtual or not) you will need to set a root password, time 563zone, etc. 564Some of these steps apply only if you intend to run a full virtual server 565inside the jail; others apply both for constraining a particular application 566or for running a virtual server. 567.Pp 568Start a shell in the jail: 569.Bd -literal -offset indent 570jail -c path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 571 ip4.addr=192.0.2.100 command=/bin/sh 572.Ed 573.Pp 574Assuming no errors, you will end up with a shell prompt within the jail. 575You can now run 576.Pa /usr/sbin/sysinstall 577and do the post-install configuration to set various configuration options, 578or perform these actions manually by editing 579.Pa /etc/rc.conf , 580etc. 581.Pp 582.Bl -bullet -offset indent -compact 583.It 584Create an empty 585.Pa /etc/fstab 586to quell startup warnings about missing fstab (virtual server only) 587.It 588Disable the port mapper 589.Pa ( /etc/rc.conf : 590.Li rpcbind_enable="NO" ) 591(virtual server only) 592.It 593Configure 594.Pa /etc/resolv.conf 595so that name resolution within the jail will work correctly 596.It 597Run 598.Xr newaliases 1 599to quell 600.Xr sendmail 8 601warnings. 602.It 603Disable interface configuration to quell startup warnings about 604.Xr ifconfig 8 605.Pq Li network_interfaces="" 606(virtual server only) 607.It 608Set a root password, probably different from the real host system 609.It 610Set the timezone 611.It 612Add accounts for users in the jail environment 613.It 614Install any packages the environment requires 615.El 616.Pp 617You may also want to perform any package-specific configuration (web servers, 618SSH servers, etc), patch up 619.Pa /etc/syslog.conf 620so it logs as you would like, etc. 621If you are not using a virtual server, you may wish to modify 622.Xr syslogd 8 623in the host environment to listen on the syslog socket in the jail 624environment; in this example, the syslog socket would be stored in 625.Pa /data/jail/192.0.2.100/var/run/log . 626.Pp 627Exit from the shell, and the jail will be shut down. 628.Ss "Starting the Jail" 629You are now ready to restart the jail and bring up the environment with 630all of its daemons and other programs. 631If you are running a single application in the jail, substitute the 632command used to start the application for 633.Pa /etc/rc 634in the examples below. 635To start a virtual server environment, 636.Pa /etc/rc 637is run to launch various daemons and services. 638To do this, first bring up the 639virtual host interface, and then start the jail's 640.Pa /etc/rc 641script from within the jail. 642.Bd -literal -offset indent 643ifconfig ed0 inet alias 192.0.2.100/32 644mount -t procfs proc /data/jail/192.0.2.100/proc 645jail -c path=/data/jail/192.0.2.100 host.hostname=testhostname \\ 646 ip4.addr=192.0.2.100 command=/bin/sh /etc/rc 647.Ed 648.Pp 649A few warnings will be produced, because most 650.Xr sysctl 8 651configuration variables cannot be set from within the jail, as they are 652global across all jails and the host environment. 653However, it should all 654work properly. 655You should be able to see 656.Xr inetd 8 , 657.Xr syslogd 8 , 658and other processes running within the jail using 659.Xr ps 1 , 660with the 661.Ql J 662flag appearing beside jailed processes. 663To see an active list of jails, use the 664.Xr jls 8 665utility. 666You should also be able to 667.Xr telnet 1 668to the hostname or IP address of the jailed environment, and log 669in using the accounts you created previously. 670.Pp 671It is possible to have jails started at boot time. 672Please refer to the 673.Dq jail_* 674variables in 675.Xr rc.conf 5 676for more information. 677The 678.Xr rc 8 679jail script provides a flexible system to start/stop jails: 680.Bd -literal 681/etc/rc.d/jail start 682/etc/rc.d/jail stop 683/etc/rc.d/jail start myjail 684/etc/rc.d/jail stop myjail 685.Ed 686.Ss "Managing the Jail" 687Normal machine shutdown commands, such as 688.Xr halt 8 , 689.Xr reboot 8 , 690and 691.Xr shutdown 8 , 692cannot be used successfully within the jail. 693To kill all processes in a 694jail, you may log into the jail and, as root, use one of the following 695commands, depending on what you want to accomplish: 696.Bd -literal -offset indent 697kill -TERM -1 698kill -KILL -1 699.Ed 700.Pp 701This will send the 702.Dv SIGTERM 703or 704.Dv SIGKILL 705signals to all processes in the jail from within the jail. 706Depending on 707the intended use of the jail, you may also want to run 708.Pa /etc/rc.shutdown 709from within the jail. 710To kill processes from outside the jail, use the 711.Xr jexec 8 712utility in conjunction with the one of the 713.Xr kill 1 714commands above. 715You may also remove the jail with 716.Nm 717.Ar -r , 718which will killall the jail's processes with 719.Dv SIGKILL . 720.Pp 721The 722.Pa /proc/ Ns Ar pid Ns Pa /status 723file contains, as its last field, the name of the jail in which the 724process runs, or 725.Dq Li - 726to indicate that the process is not running within a jail. 727The 728.Xr ps 1 729command also shows a 730.Ql J 731flag for processes in a jail. 732.Pp 733You can also list/kill processes based on their jail ID. 734To show processes and their jail ID, use the following command: 735.Pp 736.Dl "ps ax -o pid,jid,args" 737.Pp 738To show and then kill processes in jail number 3 use the following commands: 739.Bd -literal -offset indent 740pgrep -lfj 3 741pkill -j 3 742.Ed 743or: 744.Pp 745.Dl "killall -j 3" 746.Ss "Jails and File Systems" 747It is not possible to 748.Xr mount 8 749or 750.Xr umount 8 751any file system inside a jail unless the file system is marked 752jail-friendly, the jail's 753.Va allow.mount 754parameter is set and the jail's 755.Va enforce_statfs 756parameter is lower than 2. 757.Pp 758Multiple jails sharing the same file system can influence each other. 759For example a user in one jail can fill the file system also 760leaving no space for processes in the other jail. 761Trying to use 762.Xr quota 1 763to prevent this will not work either as the file system quotas 764are not aware of jails but only look at the user and group IDs. 765This means the same user ID in two jails share the same file 766system quota. 767One would need to use one file system per jail to make this work. 768.Ss "Sysctl MIB Entries" 769The read-only entry 770.Va security.jail.jailed 771can be used to determine if a process is running inside a jail (value 772is one) or not (value is zero). 773.Pp 774The variable 775.Va security.jail.max_af_ips 776determines how may address per address family a prison may have. 777The default is 255. 778.Pp 779Some MIB variables have per-jail settings. 780Changes to these variables by a jailed process do not effect the host 781environment, only the jail environment. 782These variables are 783.Va kern.securelevel , 784.Va kern.hostname , 785.Va kern.domainname , 786.Va kern.hostid , 787and 788.Va kern.hostuuid . 789.Ss "Hierarchical Jails" 790By setting a jail's 791.Va children.max 792parameter, processes within a jail may be able to create jails of their own. 793These child jails are kept in a hierarchy, with jails only able to see and/or 794modify the jails they created (or those jails' children). 795Each jail has a read-only 796.Va parent 797parameter, containing the 798.Va jid 799of the jail that created it; a 800.Va jid 801of 0 indicates the jail is a child of the current jail (or is a top-level 802jail if the current process isn't jailed). 803.Pp 804Jailed processes are not allowed to confer greater permissions than they 805themselves are given, e.g. if a jail is created with 806.Va allow.nomount , 807it is not able to create a jail with 808.Va allow.mount 809set. 810Similarly, such restrictions as 811.Va ip4.addr 812and 813.Va securelevel 814may not be bypassed in child jails. 815.Pp 816A child jail may in turn create its own child jails if its own 817.Va children.max 818parameter is set (remember it is zero by default). 819These jails are visible to and can be modified by their parent and all 820ancestors. 821.Pp 822Jail names reflect this hierarchy, with a full name being an MIB-type string 823separated by dots. 824For example, if a base system process creates a jail 825.Dq foo , 826and a process under that jail creates another jail 827.Dq bar , 828then the second jail will be seen as 829.Dq foo.bar 830in the base system (though it is only seen as 831.Dq bar 832to any processes inside jail 833.Dq foo ) . 834Jids on the other hand exist in a single space, and each jail must have a 835unique jid. 836.Pp 837Like the names, a child jail's 838.Va path 839is relative to its creator's own 840.Va path . 841This is by virtue of the child jail being created in the chrooted 842environment of the first jail. 843.Sh SEE ALSO 844.Xr killall 1 , 845.Xr lsvfs 1 , 846.Xr newaliases 1 , 847.Xr pgrep 1 , 848.Xr pkill 1 , 849.Xr ps 1 , 850.Xr quota 1 , 851.Xr chroot 2 , 852.Xr jail_set 2 , 853.Xr jail_attach 2 , 854.Xr procfs 5 , 855.Xr rc.conf 5 , 856.Xr sysctl.conf 5 , 857.Xr devfs 8 , 858.Xr halt 8 , 859.Xr inetd 8 , 860.Xr jexec 8 , 861.Xr jls 8 , 862.Xr mount 8 , 863.Xr named 8 , 864.Xr reboot 8 , 865.Xr rpcbind 8 , 866.Xr sendmail 8 , 867.Xr shutdown 8 , 868.Xr sysctl 8 , 869.Xr syslogd 8 , 870.Xr umount 8 871.Sh HISTORY 872The 873.Nm 874utility appeared in 875.Fx 4.0 . 876Hierarchical/extensible jails were introduced in 877.Fx 8.0 . 878.Sh AUTHORS 879.An -nosplit 880The jail feature was written by 881.An Poul-Henning Kamp 882for R&D Associates 883.Pa http://www.rndassociates.com/ 884who contributed it to 885.Fx . 886.Pp 887.An Robert Watson 888wrote the extended documentation, found a few bugs, added 889a few new features, and cleaned up the userland jail environment. 890.Pp 891.An Bjoern A. Zeeb 892added multi-IP jail support for IPv4 and IPv6 based on a patch 893originally done by 894.An Pawel Jakub Dawidek 895for IPv4. 896.Pp 897.An James Gritton 898added the extensible jail parameters and hierarchical jails. 899.Sh BUGS 900Jail currently lacks the ability to allow access to 901specific jail information via 902.Xr ps 1 903as opposed to 904.Xr procfs 5 . 905Similarly, it might be a good idea to add an 906address alias flag such that daemons listening on all IPs 907.Pq Dv INADDR_ANY 908will not bind on that address, which would facilitate building a safe 909host environment such that host daemons do not impose on services offered 910from within jails. 911Currently, the simplest answer is to minimize services 912offered on the host, possibly limiting it to services offered from 913.Xr inetd 8 914which is easily configurable. 915.Sh NOTES 916Great care should be taken when managing directories visible within the jail. 917For example, if a jailed process has its current working directory set to a 918directory that is moved out of the jail's chroot, then the process may gain 919access to the file space outside of the jail. 920It is recommended that directories always be copied, rather than moved, out 921of a jail. 922