[[wiki:experiences/igraltist/run-jail|Back to igraltist's experiences/run-jail]]

===== Examples =====

<code>
;
; RSBAC JAIL definition for apache
; 20060419
;
; Tested by:
; Fuleki Miklos (RAk)
; Peter Busser (peter)
;
""
"0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl)
(rlimit)
</code>

The above example does not run the application in a chroot, and it is not restricted to any particular network interface. It allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid() and setgid(), to open low network ports (net-bind-service capability) and to send signals to processes which are owned by other users (kill capability). Furthermore, it is allowed to read sysctl data and to modify (i.e. set) process resource limits.

===== Development and debugging =====

Probably the best way to develop a new jail definition file is to start with an empty file like:

===== Structure of a jail definition file =====

A jail definition file consists of the following six elements, in this order:

  - **1. A path string** - This string specifies the optional chroot path. Since it is a string, it must be enclosed in double quotes (i.e. "). The empty string (i.e. "") should be used when no chroot should be performed.
  - **2. An IP number string** - The JAIL can be restricted to the IP number of one of the network interfaces available. The number must be specified as a string containing a dotted IP number, e.g. "127.0.0.1" or "193.78.157.1".
  - **3. A list of JAIL flags** - Each JAIL has a number of rights which can be configured when the JAIL is created. The supported flags are listed in the "Jail flags" section below.
  - **4. A list of JAIL capabilities** - The Linux capabilities granted to the jailed program. The accepted names are listed in the "Capabilities" section below.
  - **5. A list of SCD read targets** - Adding an SCD target to this list grants read permission on it. E.g. if you add clock to the list, the program is allowed to read the system clock. A complete list of SCD targets can be found below, in the "SCD targets" section.
  - **6. A list of SCD modify targets** - The same as the one above, except that modify rights are granted instead of read rights.
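Reading the six elements described above, as an added example that is not part of this page or of run-jail: a small Python reader that splits a definition file into its path, IP and four lists, checks every name against the flag, SCD-target and capability lists given on this page, and reports the two loosenings the apache example is noted for (no chroot, IP 0.0.0.0). The name vocabulary is copied from this page; the field names, the IPv4 check and the wording of the reported problems are this example's own assumptions.

```python
import ipaddress
import re

# Vocabulary copied from this page's jail-flag, SCD-target and capability sections.
JAIL_FLAGS = set("""allow-external-ipc allow-all-net-family allow-inet-raw
    auto-adjust-inet-any allow-inet-localhost allow-dev-get-status
    allow-dev-mod-system allow-dev-read allow-dev-write allow-tty-open""".split())
SCD_TARGETS = set("""time_strucs clock host_id net_id ioports rlimit swap syslog
    rsbac rsbaclog kmem other firewall priority sysfs rsbac_remote_log quota
    sysctl nfsd ksyms mlock capability""".split())
CAPABILITIES = set("""chown dac-override dac-read-search fowner fsetid kill setgid setuid
    setpcap linux-immutable net-bind-service net-broadcast net-admin net-raw ipc-lock
    ipc-owner sys-module sys-rawio sys-chroot sys-ptrace sys-pacct sys-admin sys-boot
    sys-nice sys-resource sys-time sys-tty-config mknod lease audit-write audit-control""".split())

TOKEN = re.compile(r'"[^"]*"|\([^)]*\)')  # a double-quoted string or a ( ) list
LISTS = ("flags", "capabilities", "scd_read", "scd_modify")  # elements 3 to 6
VOCAB = (JAIL_FLAGS, CAPABILITIES, SCD_TARGETS, SCD_TARGETS)  # accepted names, per list

def parse_jail(text):
    """Split a run-jail definition into its six elements; ValueError if malformed."""
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith(";"))
    toks = TOKEN.findall(body)  # ';' lines are comments and were dropped above
    if [t[0] for t in toks] != ['"', '"', "(", "(", "(", "("]:
        raise ValueError("expected chroot path, IP string, then four ( ) lists")
    jail = {"chroot": toks[0][1:-1], "ip": toks[1][1:-1]}
    ipaddress.IPv4Address(jail["ip"])  # element 2 must be a dotted IPv4 number (assumption)
    for name, tok in zip(LISTS, toks[2:]):
        jail[name] = tok[1:-1].split()
    return jail

def check_jail(jail):
    """Report names this page does not list, plus the loosenings its prose points out."""
    problems = [f"unknown {name} entry: {item}"
                for name, vocab in zip(LISTS, VOCAB) for item in jail[name] if item not in vocab]
    if jail["chroot"] == "":
        problems.append("no chroot: file system is not confined")
    if jail["ip"] == "0.0.0.0":
        problems.append("ip 0.0.0.0: not tied to one network interface")
    return problems

# Sample input: the apache definition from this page, with its comment header shortened.
APACHE_JAIL = """; RSBAC JAIL definition for apache
"" "0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl)
(rlimit)
"""
```

Calling check_jail(parse_jail(APACHE_JAIL)) reports the missing chroot and the 0.0.0.0 address; the same two functions accept any definition file read from disk.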
===== Point 3, Jail flags =====

The following jail flags are supported:

  * **allow-external-ipc** - Allow access to IPC and UNIX domain sockets outside this jail.
  * **allow-all-net-family** - Allow all network families, not only IPv4.
  * **allow-inet-raw** - Allow IPv4 raw sockets (e.g. for ping and traceroute).
  * **auto-adjust-inet-any** - Automatically adjust the INET any address 0.0.0.0 to the jail address, if set.
  * **allow-inet-localhost** - Additionally allow traffic to/from the remote IPv4 localhost, that is, address 127.0.0.1.
  * **allow-dev-get-status** - Allow GET_STATUS_DATA requests on devices.
  * **allow-dev-mod-system** - Allow MODIFY_SYSTEM_DATA requests.
  * **allow-dev-read** - Allow read access on devices.
  * **allow-dev-write** - Allow write access on devices.
  * **allow-tty-open** - Allow opening tty devices.

===== SCD targets =====

SCD is short for System Control Data. Each SCD target refers to a global system object, such as the system clock, the packet filter rules or the hostname. RSBAC can protect these objects too, by setting access rights on their corresponding SCD targets.

  * **time_strucs** - System timer
  * **clock** - System time and date
  * **host_id** - Host name
  * **net_id** - Domain name
  * **ioports** - Access control for direct hardware access
  * **rlimit** - Setting process resource limits
  * **swap** - Control of swapping
  * **syslog** - System log
  * **rsbac** - RSBAC data in /proc
  * **rsbaclog** - RSBAC's own log
  * **kmem** - Direct access to kernel memory via proc or device
  * **other** - Any other SCD not specified separately
  * **firewall** - Firewall settings, packet filter etc.
  * **priority** - Set scheduler priority (nice value)
  * **sysfs** - Administrate through sysfs
  * **rsbac_remote_log** - Settings for RSBAC remote logging
  * **quota** - Quota administration
  * **sysctl** - Administrate through sysctl
  * **nfsd** - Kernel NFS server administration
  * **ksyms** - Kernel symbols
  * **mlock** - Memory locking
  * **capability** - Change Linux capabilities

===== Capabilities =====

The following capabilities are allowed in the jail files:

  * **chown** - To be written.
  * **dac-override** - To be written.
  * **dac-read-search** - To be written.
  * **fowner** - To be written.
  * **fsetid** - To be written.
  * **kill** - To be written.
  * **setgid** - To be written.
  * **setuid** - To be written.
  * **setpcap** - To be written.
  * **linux-immutable** - To be written.
  * **net-bind-service** - To be written.
  * **net-broadcast** - To be written.
  * **net-admin** - To be written.
  * **net-raw** - To be written.
  * **ipc-lock** - To be written.
  * **ipc-owner** - To be written.
  * **sys-module** - To be written.
  * **sys-rawio** - To be written.
  * **sys-chroot** - To be written.
  * **sys-ptrace** - To be written.
  * **sys-pacct** - To be written.
  * **sys-admin** - To be written.
  * **sys-boot** - To be written.
  * **sys-nice** - To be written.
  * **sys-resource** - To be written.
  * **sys-time** - To be written.
  * **sys-tty-config** - To be written.
  * **mknod** - To be written.
  * **lease** - To be written.
  * **audit-write** - To be written.
  * **audit-control** - To be written.