1.\" 2.\" Copyright (c) 2000, 2003 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" 27.\" ---------------------------------------------------------------------------- 28.\" "THE BEER-WARE LICENSE" (Revision 42): 29.\" <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you 30.\" can do whatever you want with this stuff. If we meet some day, and you think 31.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 32.\" ---------------------------------------------------------------------------- 33.\" 34.\" $FreeBSD$ 35.\" 36.Dd January 11, 2009 37.Dt JAIL 8 38.Os 39.Sh NAME 40.Nm jail 41.Nd "imprison process and its descendants" 42.Sh SYNOPSIS 43.Nm 44.Op Fl hi 45.Op Fl n Ar jailname 46.Op Fl J Ar jid_file 47.Op Fl s Ar securelevel 48.Op Fl l u Ar username | Fl U Ar username 49.Ar path hostname [ip[,..]] command ... 50.Sh DESCRIPTION 51The 52.Nm 53utility imprisons a process and all future descendants. 54.Pp 55The options are as follows: 56.Bl -tag -width ".Fl u Ar username" 57.It Fl h 58Resolve 59.Va hostname 60and add all IP addresses returned by the resolver 61to the list of 62.Va ip-addresses 63for this prison. 64This may affect default address selection for outgoing IPv4 connections 65of prisons. 66The address first returned by the resolver for the IPv4 address family 67will be used as default. 68For IPv6 source address selection is done by a well defined algorithm. 69.It Fl i 70Output the jail identifier of the newly created jail. 71.It Fl n Ar jailname 72Assign and administrative name to the jail that can be used for management 73or auditing purposes. 74The system will 75.Sy not enforce 76the name to be unique. 77.It Fl J Ar jid_file 78Write a 79.Ar jid_file 80file, containing jail identifier, path, hostname, IP and 81command used to start the jail. 82.It Fl l 83Run program in the clean environment. 84The environment is discarded except for 85.Ev HOME , SHELL , TERM 86and 87.Ev USER . 88.Ev HOME 89and 90.Ev SHELL 91are set to the target login's default values. 92.Ev USER 93is set to the target login. 94.Ev TERM 95is imported from the current environment. 96The environment variables from the login class capability database for the 97target login are also set. 98.It Fl s Ar securelevel 99Sets the 100.Va kern.securelevel 101sysctl variable to the specified value inside the newly created jail. 102.It Fl u Ar username 103The user name from host environment as whom the 104.Ar command 105should run. 106.It Fl U Ar username 107The user name from jailed environment as whom the 108.Ar command 109should run. 110.It Ar path 111Directory which is to be the root of the prison. 112.It Ar hostname 113Hostname of the prison. 114.It Ar ip-addresses 115None, one or more IPv4 and IPv6 addresses assigned to the prison. 116The first address of each address family that was assigned to the jail will 117be used as the source address in case source address selection on unbound 118sockets cannot find a better match. 119It is only possible to start multiple jails with the same IP address, 120if none of the jails has more than this single overlapping IP address 121assigned to itself for the address family in question. 122.It Ar command 123Pathname of the program which is to be executed. 124.El 125.Pp 126Jails are typically set up using one of two philosophies: either to 127constrain a specific application (possibly running with privilege), or 128to create a 129.Dq "virtual system image" 130running a variety of daemons and services. 131In both cases, a fairly complete file system install of 132.Fx 133is 134required, so as to provide the necessary command line tools, daemons, 135libraries, application configuration files, etc. 136However, for a virtual server configuration, a fair amount of 137additional work is required so as to configure the 138.Dq boot 139process. 140This manual page documents the configuration steps necessary to support 141either of these steps, although the configuration steps may be 142refined based on local requirements. 143.Pp 144Please see the 145.Xr jail 2 146man page for further details. 147.Sh EXAMPLES 148.Ss "Setting up a Jail Directory Tree" 149To set up a jail directory tree containing an entire 150.Fx 151distribution, the following 152.Xr sh 1 153command script can be used: 154.Bd -literal 155D=/here/is/the/jail 156cd /usr/src 157mkdir -p $D 158make world DESTDIR=$D 159make distribution DESTDIR=$D 160mount -t devfs devfs $D/dev 161.Ed 162.Pp 163NOTE: It is important that only appropriate device nodes in devfs be 164exposed to a jail; access to disk devices in the jail may permit processes 165in the jail to bypass the jail sandboxing by modifying files outside of 166the jail. 167See 168.Xr devfs 8 169for information on how to use devfs rules to limit access to entries 170in the per-jail devfs. 171A simple devfs ruleset for jails is available as ruleset #4 in 172.Pa /etc/defaults/devfs.rules . 173.Pp 174In many cases this example would put far more in the jail than needed. 175In the other extreme case a jail might contain only one file: 176the executable to be run in the jail. 177.Pp 178We recommend experimentation and caution that it is a lot easier to 179start with a 180.Dq fat 181jail and remove things until it stops working, 182than it is to start with a 183.Dq thin 184jail and add things until it works. 185.Ss "Setting Up a Jail" 186Do what was described in 187.Sx "Setting Up a Jail Directory Tree" 188to build the jail directory tree. 189For the sake of this example, we will 190assume you built it in 191.Pa /data/jail/192.0.2.100 , 192named for the jailed IP address. 193Substitute below as needed with your 194own directory, IP address, and hostname. 195.Ss "Setting up the Host Environment" 196First, you will want to set up your real system's environment to be 197.Dq jail-friendly . 198For consistency, we will refer to the parent box as the 199.Dq "host environment" , 200and to the jailed virtual machine as the 201.Dq "jail environment" . 202Since jail is implemented using IP aliases, one of the first things to do 203is to disable IP services on the host system that listen on all local 204IP addresses for a service. 205If a network service is present in the host environment that binds all 206available IP addresses rather than specific IP addresses, it may service 207requests sent to jail IP addresses if the jail did not bind the port. 208This means changing 209.Xr inetd 8 210to only listen on the 211appropriate IP address, and so forth. 212Add the following to 213.Pa /etc/rc.conf 214in the host environment: 215.Bd -literal -offset indent 216sendmail_enable="NO" 217inetd_flags="-wW -a 192.0.2.23" 218rpcbind_enable="NO" 219.Ed 220.Pp 221.Li 192.0.2.23 222is the native IP address for the host system, in this example. 223Daemons that run out of 224.Xr inetd 8 225can be easily set to use only the specified host IP address. 226Other daemons 227will need to be manually configured\(emfor some this is possible through 228the 229.Xr rc.conf 5 230flags entries; for others it is necessary to modify per-application 231configuration files, or to recompile the applications. 232The following frequently deployed services must have their individual 233configuration files modified to limit the application to listening 234to a specific IP address: 235.Pp 236To configure 237.Xr sshd 8 , 238it is necessary to modify 239.Pa /etc/ssh/sshd_config . 240.Pp 241To configure 242.Xr sendmail 8 , 243it is necessary to modify 244.Pa /etc/mail/sendmail.cf . 245.Pp 246For 247.Xr named 8 , 248it is necessary to modify 249.Pa /etc/namedb/named.conf . 250.Pp 251In addition, a number of services must be recompiled in order to run 252them in the host environment. 253This includes most applications providing services using 254.Xr rpc 3 , 255such as 256.Xr rpcbind 8 , 257.Xr nfsd 8 , 258and 259.Xr mountd 8 . 260In general, applications for which it is not possible to specify which 261IP address to bind should not be run in the host environment unless they 262should also service requests sent to jail IP addresses. 263Attempting to serve 264NFS from the host environment may also cause confusion, and cannot be 265easily reconfigured to use only specific IPs, as some NFS services are 266hosted directly from the kernel. 267Any third-party network software running 268in the host environment should also be checked and configured so that it 269does not bind all IP addresses, which would result in those services' also 270appearing to be offered by the jail environments. 271.Pp 272Once 273these daemons have been disabled or fixed in the host environment, it is 274best to reboot so that all daemons are in a known state, to reduce the 275potential for confusion later (such as finding that when you send mail 276to a jail, and its sendmail is down, the mail is delivered to the host, 277etc.). 278.Ss "Configuring the Jail" 279Start any jail for the first time without configuring the network 280interface so that you can clean it up a little and set up accounts. 281As 282with any machine (virtual or not) you will need to set a root password, time 283zone, etc. 284Some of these steps apply only if you intend to run a full virtual server 285inside the jail; others apply both for constraining a particular application 286or for running a virtual server. 287.Pp 288Start a shell in the jail: 289.Pp 290.Dl "jail /data/jail/192.0.2.100 testhostname 192.0.2.100 /bin/sh" 291.Pp 292Assuming no errors, you will end up with a shell prompt within the jail. 293You can now run 294.Pa /usr/sbin/sysinstall 295and do the post-install configuration to set various configuration options, 296or perform these actions manually by editing 297.Pa /etc/rc.conf , 298etc. 299.Pp 300.Bl -bullet -offset indent -compact 301.It 302Create an empty 303.Pa /etc/fstab 304to quell startup warnings about missing fstab (virtual server only) 305.It 306Disable the port mapper 307.Pa ( /etc/rc.conf : 308.Li rpcbind_enable="NO" ) 309(virtual server only) 310.It 311Configure 312.Pa /etc/resolv.conf 313so that name resolution within the jail will work correctly 314.It 315Run 316.Xr newaliases 1 317to quell 318.Xr sendmail 8 319warnings. 320.It 321Disable interface configuration to quell startup warnings about 322.Xr ifconfig 8 323.Pq Li network_interfaces="" 324(virtual server only) 325.It 326Set a root password, probably different from the real host system 327.It 328Set the timezone 329.It 330Add accounts for users in the jail environment 331.It 332Install any packages the environment requires 333.El 334.Pp 335You may also want to perform any package-specific configuration (web servers, 336SSH servers, etc), patch up 337.Pa /etc/syslog.conf 338so it logs as you would like, etc. 339If you are not using a virtual server, you may wish to modify 340.Xr syslogd 8 341in the host environment to listen on the syslog socket in the jail 342environment; in this example, the syslog socket would be stored in 343.Pa /data/jail/192.0.2.100/var/run/log . 344.Pp 345Exit from the shell, and the jail will be shut down. 346.Ss "Starting the Jail" 347You are now ready to restart the jail and bring up the environment with 348all of its daemons and other programs. 349If you are running a single application in the jail, substitute the 350command used to start the application for 351.Pa /etc/rc 352in the examples below. 353To start a virtual server environment, 354.Pa /etc/rc 355is run to launch various daemons and services. 356To do this, first bring up the 357virtual host interface, and then start the jail's 358.Pa /etc/rc 359script from within the jail. 360.Pp 361NOTE: If you plan to allow untrusted users to have root access inside the 362jail, you may wish to consider setting the 363.Va security.jail.set_hostname_allowed 364sysctl variable to 0. 365Please see the management discussion later in this document as to why this 366may be a good idea. 367If you do decide to set this variable, 368it must be set before starting any jails, and once each boot. 369.Bd -literal -offset indent 370ifconfig ed0 inet alias 192.0.2.100/32 371mount -t procfs proc /data/jail/192.0.2.100/proc 372jail /data/jail/192.0.2.100 testhostname 192.0.2.100 \\ 373 /bin/sh /etc/rc 374.Ed 375.Pp 376A few warnings will be produced, because most 377.Xr sysctl 8 378configuration variables cannot be set from within the jail, as they are 379global across all jails and the host environment. 380However, it should all 381work properly. 382You should be able to see 383.Xr inetd 8 , 384.Xr syslogd 8 , 385and other processes running within the jail using 386.Xr ps 1 , 387with the 388.Ql J 389flag appearing beside jailed processes. 390To see an active list of jails, use the 391.Xr jls 8 392utility. 393You should also be able to 394.Xr telnet 1 395to the hostname or IP address of the jailed environment, and log 396in using the accounts you created previously. 397.Pp 398It is possible to have jails started at boot time. 399Please refer to the 400.Dq jail_* 401variables in 402.Xr rc.conf 5 403for more information. 404The 405.Xr rc 8 406jail script provides a flexible system to start/stop jails: 407.Bd -literal 408/etc/rc.d/jail start 409/etc/rc.d/jail stop 410/etc/rc.d/jail start myjail 411/etc/rc.d/jail stop myjail 412.Ed 413.Ss "Managing the Jail" 414Normal machine shutdown commands, such as 415.Xr halt 8 , 416.Xr reboot 8 , 417and 418.Xr shutdown 8 , 419cannot be used successfully within the jail. 420To kill all processes in a 421jail, you may log into the jail and, as root, use one of the following 422commands, depending on what you want to accomplish: 423.Pp 424.Bd -literal -offset indent 425kill -TERM -1 426kill -KILL -1 427.Ed 428.Pp 429This will send the 430.Dv SIGTERM 431or 432.Dv SIGKILL 433signals to all processes in the jail from within the jail. 434Depending on 435the intended use of the jail, you may also want to run 436.Pa /etc/rc.shutdown 437from within the jail. 438To kill processes from outside the jail, use the 439.Xr jexec 8 440utility in conjunction with the one of the 441.Xr kill 1 442commands above. 443.Pp 444The 445.Pa /proc/ Ns Ar pid Ns Pa /status 446file contains, as its last field, the hostname of the jail in which the 447process runs, or 448.Dq Li - 449to indicate that the process is not running within a jail. 450The 451.Xr ps 1 452command also shows a 453.Ql J 454flag for processes in a jail. 455However, the hostname for a jail may be, by 456default, modified from within the jail, so the 457.Pa /proc 458status entry is unreliable by default. 459To disable the setting of the hostname 460from within a jail, set the 461.Va security.jail.set_hostname_allowed 462sysctl variable in the host environment to 0, which will affect all jails. 463You can have this sysctl set on each boot using 464.Xr sysctl.conf 5 . 465Just add the following line to 466.Pa /etc/sysctl.conf : 467.Pp 468.Dl security.jail.set_hostname_allowed=0 469.Pp 470You can also list/kill processes based on their jail ID. 471To show processes and their jail ID, use the following command: 472.Pp 473.Dl "ps ax -o pid,jid,args" 474.Pp 475To show and then kill processes in jail number 3 use the following commands: 476.Bd -literal -offset indent 477pgrep -lfj 3 478pkill -j 3 479.Ed 480or: 481.Pp 482.Dl "killall -j 3" 483.Ss "Jails and File Systems" 484It is not possible to 485.Xr mount 8 486or 487.Xr unmount 8 488any file system inside a jail unless the file system is marked 489jail-friendly. 490See 491.Va security.jail.mount_allowed 492in the 493.Va "Sysctl MIB Entries" 494section. 495.Pp 496Multiple jails sharing the same file system can influence each other. 497For example a user in one jail can fill the file system also 498leaving no space for processes in the other jail. 499Trying to use 500.Xr quota 1 501to prevent this will not work either as the file system quotas 502are not aware of jails but only look at the user and group IDs. 503This means the same user ID in two jails share the same file 504system quota. 505One would need to use one file system per jail to make this working. 506.Ss "Sysctl MIB Entries" 507Certain aspects of the jail containments environment may be modified from 508the host environment using 509.Xr sysctl 8 510MIB variables. 511Currently, these variables affect all jails on the system, although in 512the future this functionality may be finer grained. 513.Bl -tag -width XXX 514.It Va security.jail.allow_raw_sockets 515This MIB entry determines whether or not prison root is allowed to 516create raw sockets. 517Setting this MIB to 1 allows utilities like 518.Xr ping 8 519and 520.Xr traceroute 8 521to operate inside the prison. 522If this MIB 523is set, the source IP addresses are enforced to comply 524with the IP address bound to the jail, regardless of whether or not 525the 526.Dv IP_HDRINCL 527flag has been set on the socket. 528Since raw sockets can be used to configure 529and interact with various network subsystems, extra caution should be used 530where privileged access to jails is given out to untrusted parties. 531As such, 532by default this option is disabled. 533.It Va security.jail.enforce_statfs 534This MIB entry determines which information processes in a jail are 535able to get about mount-points. 536It affects the behaviour of the following syscalls: 537.Xr statfs 2 , 538.Xr fstatfs 2 , 539.Xr getfsstat 2 540and 541.Xr fhstatfs 2 542(as well as similar compatibility syscalls). 543When set to 0, all mount-points are available without any restrictions. 544When set to 1, only mount-points below the jail's chroot directory are 545visible. 546In addition to that, the path to the jail's chroot directory is removed 547from the front of their pathnames. 548When set to 2 (default), above syscalls can operate only on a mount-point 549where the jail's chroot directory is located. 550.It Va security.jail.set_hostname_allowed 551This MIB entry determines whether or not processes within a jail are 552allowed to change their hostname via 553.Xr hostname 1 554or 555.Xr sethostname 3 . 556In the current jail implementation, the ability to set the hostname from 557within the jail can impact management tools relying on the accuracy of jail 558information in 559.Pa /proc . 560As such, this should be disabled in environments where privileged access to 561jails is given out to untrusted parties. 562.It Va security.jail.socket_unixiproute_only 563The jail functionality binds an IPv4 address to each jail, and limits 564access to other network addresses in the IPv4 space that may be available 565in the host environment. 566However, jail is not currently able to limit access to other network 567protocol stacks that have not had jail functionality added to them. 568As such, by default, processes within jails may only access protocols 569in the following domains: 570.Dv PF_LOCAL , PF_INET , 571and 572.Dv PF_ROUTE , 573permitting them access to 574.Ux 575domain sockets, 576IPv4 addresses, and routing sockets. 577To enable access to other domains, this MIB variable may be set to 5780. 579.It Va security.jail.sysvipc_allowed 580This MIB entry determines whether or not processes within a jail have access 581to System V IPC primitives. 582In the current jail implementation, System V primitives share a single 583namespace across the host and jail environments, meaning that processes 584within a jail would be able to communicate with (and potentially interfere 585with) processes outside of the jail, and in other jails. 586As such, this functionality is disabled by default, but can be enabled 587by setting this MIB entry to 1. 588.It Va security.jail.chflags_allowed 589This MIB entry determines how a privileged user inside a jail will be 590treated by 591.Xr chflags 2 . 592If zero, such users are treated as unprivileged, and are unable to set 593or clear system file flags; if non-zero, such users are treated as 594privileged, and may manipulate system file flags subject to the usual 595constraints on 596.Va kern.securelevel . 597.It Va security.jail.mount_allowed 598This MIB entry determines if a privileged user inside a jail will be 599able to mount and unmount file system types marked as jail-friendly. 600The 601.Xr lsvfs 1 602command can be used to find file system types available for mount from within 603a jail. 604This functionality is disabled by default, but can be enabled by setting this 605MIB entry to 1. 606.It Va security.jail.jail_max_af_ips 607This MIB entry determines how may address per address family a prison 608may have. The default is 255. 609.El 610.Pp 611The read-only sysctl variable 612.Va security.jail.jailed 613can be used to determine if a process is running inside a jail (value 614is one) or not (value is zero). 615.Pp 616The 617.Va security.jail.list 618MIB entry is read-only and it returns an array of 619.Vt "struct xprison" 620defined in 621.In sys/jail.h . 622It is recommended to use the 623.Xr jls 8 624utility to see current active list of jails. 625.Pp 626There are currently two MIB related variables that have per-jail settings. 627Changes to these variables by a jailed process do not effect the host 628environment, only the jail environment. 629The variables are 630.Va kern.securelevel 631and 632.Va kern.hostname . 633.Sh SEE ALSO 634.Xr killall 1 , 635.Xr lsvfs 1 , 636.Xr newaliases 1 , 637.Xr pgrep 1 , 638.Xr pkill 1 , 639.Xr ps 1 , 640.Xr quota 1 , 641.Xr chroot 2 , 642.Xr jail 2 , 643.Xr jail_attach 2 , 644.Xr procfs 5 , 645.Xr rc.conf 5 , 646.Xr sysctl.conf 5 , 647.Xr devfs 8 , 648.Xr halt 8 , 649.Xr inetd 8 , 650.Xr jexec 8 , 651.Xr jls 8 , 652.Xr mount 8 , 653.Xr named 8 , 654.Xr reboot 8 , 655.Xr rpcbind 8 , 656.Xr sendmail 8 , 657.Xr shutdown 8 , 658.Xr sysctl 8 , 659.Xr syslogd 8 , 660.Xr unmount 8 661.Sh HISTORY 662The 663.Nm 664utility appeared in 665.Fx 4.0 . 666.Sh AUTHORS 667.An -nosplit 668The jail feature was written by 669.An Poul-Henning Kamp 670for R&D Associates 671.Pa http://www.rndassociates.com/ 672who contributed it to 673.Fx . 674.Pp 675.An Robert Watson 676wrote the extended documentation, found a few bugs, added 677a few new features, and cleaned up the userland jail environment. 678.Pp 679.An Bjoern A. Zeeb 680added multi-IP jail support for IPv4 and IPv6 based on a patch 681originally done by 682.An Pawel Jakub Dawidek 683for IPv4. 684.Sh BUGS 685Jail currently lacks the ability to allow access to 686specific jail information via 687.Xr ps 1 688as opposed to 689.Xr procfs 5 . 690Similarly, it might be a good idea to add an 691address alias flag such that daemons listening on all IPs 692.Pq Dv INADDR_ANY 693will not bind on that address, which would facilitate building a safe 694host environment such that host daemons do not impose on services offered 695from within jails. 696Currently, the simplest answer is to minimize services 697offered on the host, possibly limiting it to services offered from 698.Xr inetd 8 699which is easily configurable. 700