===== The JAIL module =====

The JAIL module provides a new call, rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper; these are marked with an * in the following list.

The rsbac_jail system call also takes the allowed IP address for binding (may be 0.0.0.0 for any) as a parameter. Both chroot and IP address limits are optional.

Processes in a jail may not:

  * Add or remove kernel modules.
  * Shut down or reboot the system.
  * Mount or umount filesystems.
  * Create sockets of types other than UNIX and INET (IPv4).
  * Use INET (IPv4) addresses other than the one given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
  * Create INET raw sockets.
  * Access IPC objects outside this jail.
  * Create device special files (to prevent unwanted device accesses).
  * Signal, trace or get status from processes outside this jail.
  * Change Linux file modes to include suid or sgid flags.
  * Set rlimits.
  * Modify settings of any non-rlimit SCD or NETDEV target.
  * Access RSBAC attributes.
  * Access RSBAC Network Templates.
  * Switch off Linux DAC.
  * Switch RSBAC modules, softmode or log settings.
  * Access any namespace other than their own (if enabled).

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

More details are given on the [[documentation:rsbac_handbook:configuration_basics:setting_up_modules:jail|configuration page]].
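The socket and bind restrictions listed above can be read as a small decision procedure. The following C model is an added example, not RSBAC code: the struct, enum and function names are hypothetical, the addresses are constructed documentation-range values, and it follows only the rules as stated on this page (flags that lift individual restrictions are not modelled).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* Illustrative model only: names are hypothetical, not RSBAC kernel identifiers. */
struct jail_model {
    uint32_t allowed_ip;  /* network byte order; 0.0.0.0 means any address */
    int rewrite_any;      /* optional: change a bind to 0.0.0.0 into allowed_ip */
};

enum verdict { DENY, ALLOW, ALLOW_REWRITTEN };

/* Parse a dotted-quad string into a network-byte-order address. */
uint32_t ip4(const char *s)
{
    struct in_addr a = { 0 };
    inet_pton(AF_INET, s, &a);
    return a.s_addr;
}

/* Socket creation rule: only UNIX and INET (IPv4), and no INET raw sockets. */
enum verdict jail_check_socket(int family, int type)
{
    if (family != AF_UNIX && family != AF_INET)
        return DENY;
    return (family == AF_INET && type == SOCK_RAW) ? DENY : ALLOW;
}

/* Bind rule: *addr is rewritten only when ANY is requested and rewriting is on. */
enum verdict jail_check_bind(const struct jail_model *j, uint32_t *addr)
{
    if (j->allowed_ip == htonl(INADDR_ANY) || *addr == j->allowed_ip)
        return ALLOW;
    if (*addr == htonl(INADDR_ANY) && j->rewrite_any) {
        *addr = j->allowed_ip;
        return ALLOW_REWRITTEN;
    }
    return DENY;
}

int main(void)
{
    struct jail_model j = { ip4("192.0.2.10"), 1 };  /* constructed sample jail */
    uint32_t want = ip4("0.0.0.0");
    enum verdict v = jail_check_bind(&j, &want);
    printf("bind 0.0.0.0 -> verdict %d, rewritten=%d\n", v, want == j.allowed_ip);
    return 0;
}
```

In this model a jail created with a specific address and without the rewrite option denies a bind to 0.0.0.0, because ANY is then simply an address other than the one given.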