*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->FreeBSD man pages -> jail (2)              



NAME    [Toc]    [Back]

     jail, jail_attach -- imprison current process and future decendants

LIBRARY    [Toc]    [Back]

     Standard C Library (libc, -lc)

SYNOPSIS    [Toc]    [Back]

     #include <sys/param.h>
     #include <sys/jail.h>

     jail(struct jail *jail);

     jail_attach(int jid);

DESCRIPTION    [Toc]    [Back]

     The jail() system call sets up a jail and locks the current process in

     The argument is a pointer to a structure describing the prison:

	   struct jail {
		   u_int32_t	   version;
		   char 	   *path;
		   char 	   *hostname;
		   u_int32_t	   ip_number;

     ``version'' defines the version of the API in use.  It should be set to
     zero at this time.

     The ``path'' pointer should be set to the directory which is to be the
     root of the prison.

     The ``hostname'' pointer can be set to the hostname of the prison.  This
     can be changed from the inside of the prison.

     The ``ip_number'' can be set to the IP number assigned to the prison.

     The jail_attach() system call attaches the current process to an existing
     jail, identified by jid.

RETURN VALUES    [Toc]    [Back]

     If successful, jail() returns a non-negative integer, termed the jail
     identifier (JID).	It returns -1 on failure, and sets errno to indicate
     the error.

     The jail_attach() function returns the value 0 if successful; otherwise
     the value -1 is returned and the global variable errno is set to indicate
     the error.

     Once a process has been put in a prison, it and its decendants cannot
     escape the prison.

     Inside the prison, the concept of ``superuser'' is very diluted.  In general,
 it can be assumed that nothing can be mangled from inside a prison
     which does not exist entirely inside that prison.	For instance the
     directory tree below ``path'' can be manipulated all the ways a root can
     normally do it, including ``rm -rf /*'' but new device special nodes cannot
 be created because they reference shared resources (the device drivers
 in the kernel).  The effective ``securelevel'' for a process is the
     greater of the global ``securelevel'' or, if present, the per-jail

     All IP activity will be forced to happen to/from the IP number specified,
     which should be an alias on one of the network interfaces.

     It is possible to identify a process as jailed by examining
     ``/proc/<pid>/status'': it will show a field near the end of the line,
     either as a single hyphen for a process at large, or the hostname currently
 set for the prison for jailed processes.

ERRORS    [Toc]    [Back]

     The jail() system call will fail if:

     [EINVAL]		The version number of the argument is not correct.

     Further jail() calls chroot(2) internally, so it can fail for all the
     same reasons.  Please consult the chroot(2) manual page for details.

SEE ALSO    [Toc]    [Back]

     chdir(2), chroot(2)

HISTORY    [Toc]    [Back]

     The jail() system call appeared in FreeBSD 4.0.  The jail_attach() system
     call appeared in FreeBSD 5.1.

AUTHORS    [Toc]    [Back]

     The jail feature was written by Poul-Henning Kamp for R&D Associates
     ``http://www.rndassociates.com/'' who contributed it to FreeBSD.

FreeBSD 5.2.1			 April 8, 2003			 FreeBSD 5.2.1
[ Back ]
 Similar pages
Name OS Title
jail FreeBSD imprison process and its descendants
setaudproc HP-UX controls process level auditing for the current process and its decendents
_exit Linux terminate the current process
getaudid HP-UX get the audit ID (aid) for the current process
issetugid FreeBSD is current process tainted by uid or gid changes
issetugid NetBSD is current process tainted by uid or gid changes
setaudid HP-UX set the audit ID (aid) for the current process
portal HP-UX a "window to the future" for applications
vroom IRIX slot car racing in the future
tt_default_procid HP-UX identify the current default process
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service