2.11. JAIL

2.11.1. Basics

All Linux kernels provide the chroot system call to confine a process to a subdirectory. However, the process keeps all its usual privileges, especially when run as root, and there are several ways to break out of a chroot environment.

The JAIL module provides a new system call, rsbac_jail, which performs a chroot call (followed by chdir("/")) and adds further restrictions on the calling process and all its subprocesses. Some of these restrictions can be turned off by flags to the system call or to the rsbac_jail command line wrapper; these are marked with an * in the following list. The rsbac_jail system call also takes the IP address the jailed processes may bind to (0.0.0.0 for any) as a parameter.

Processes in a jail may not:

The JAIL module provides a superset of the FreeBSD jail functionality (except individual kernel level hostnames).

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.
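The following is an added example, not part of the RSBAC documentation or source: a minimal user-space wrapper that performs the chroot plus chdir("/") step described above and then drops root privileges, which is the part a plain chroot does not do on its own. The rsbac_jail system call enforces its additional restrictions in the kernel; none of that is reproduced here, and the function names, argument checks and return conventions are this example's own assumptions.

```c
/* Added example, not RSBAC code: chroot + chdir("/") followed by a privilege
 * drop, i.e. the user-space part of what a jail has to do. Function names and
 * argument handling are this example's own assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Validate arguments without touching the system: the jail root must be an
 * absolute path and the target identity must be unprivileged.
 * Returns 0 on success or a negative errno value. */
int jail_check_args(const char *root, uid_t uid, gid_t gid)
{
    if (root == NULL || root[0] != '/')
        return -EINVAL;   /* a relative jail root is ambiguous */
    if (uid == 0 || gid == 0)
        return -EPERM;    /* staying root defeats the confinement */
    return 0;
}

/* Enter the jail: chroot, reset the working directory into the new root,
 * then drop to uid/gid. Order matters: chroot needs root, so privileges are
 * dropped last, and the working directory is reset immediately so it does not
 * remain outside the new root. Returns 0 or a negative errno value. */
int jail_enter(const char *root, uid_t uid, gid_t gid)
{
    int rc = jail_check_args(root, uid, gid);
    if (rc != 0)
        return rc;
    if (chroot(root) != 0)
        return -errno;
    if (chdir("/") != 0)
        return -errno;
    if (setgroups(0, NULL) != 0)      /* drop supplementary groups first */
        return -errno;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    /* Confirm the drop actually took effect before handing over control. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -EPERM;
    return 0;
}

/* Usage (as root): ./jailwrap /srv/jail 1000 1000 /bin/sh */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <root> <uid> <gid> <command> [args...]\n", argv[0]);
        return 2;
    }
    int rc = jail_enter(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != 0) {
        fprintf(stderr, "jail_enter: %s\n", strerror(-rc));
        return 1;
    }
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

Even with the privilege drop, the confined process is only as isolated as the objects inside the root directory allow, which is why the documentation recommends protecting them separately (for example with the FF read_only flag); the kernel-side restrictions that rsbac_jail adds are what distinguish it from this user-space wrapper.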

2.11.2. When to use JAIL module

Use this module for simple service encapsulation, where chroot environments are applicable but insufficient. Do not forget that objects within the environment must be protected separately, e.g. with the FF flag read_only. As usual, the JAIL module only adds further restrictions, so all other modules can be used alongside it.