Before starting with RSBAC jails, you should read the JAIL description.
All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.
To create a jail, start a program with the rsbac_jail command. Several parameters allow some restrictions to be removed. The available switches, which control access in detail:
-I addr = limit to IP address
-R dir = chroot to dir
-N = enclose process in its private namespace; the process won't be able to see any filesystem tree that was mounted after it was jailed (2.6 kernel only!)
-C cap-list = limit Linux capabilities for jailed processes, use bit-vector, numeric value or list names of desired caps, A = all, FS_MASK = all filesystem related
-L = list all Linux capabilities
-S = list all SCD targets
-v = verbose startup
-i = allow access to IPC outside this jail
-n = allow all network families, not only UNIX and INET (IPv4)
-r = allow INET (IPv4) raw sockets (e.g. for ping)
-a = auto-adjust INET any address 0.0.0.0 to jail address, if set
-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1
-d = allow read access on devices, -D allow write access
-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
-t = allow *_OPEN on tty devices
-G scd … = allow GET_STATUS_DATA on these scd targets
-M scd … = allow MODIFY_SYSTEM_DATA on these scd targets
Deprecated old options, please use -G and -M:
-l = allow to modify rlimits (-M rlimit)
-c = allow to modify system clock (-M SCD clock time_strucs)
-m = allow to lock memory (-M mlock)
-p = allow to modify priority (-M priority)
-k = allow to get kernel symbols (-G ksyms)
Example to start the Mozilla browser in a jail:
rsbac_jail -d -D -P -G priority -M priority mozilla
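As an added example (not part of the RSBAC admin tools or of the original handbook), the shell function below reviews an rsbac_jail command line against the switch list above and reports every switch that relaxes the jail. It assumes that switches come before the program name and that -G/-M are followed by SCD names; the hard-coded SCD_NAMES list contains only the names mentioned on this page.

```sh
# Added example: review an rsbac_jail command line against the switch list above.
# Assumptions: switches come before the program name, and -G/-M are followed by
# SCD names. SCD_NAMES holds only names mentioned on this page; on a real system
# fill it from the output of `rsbac_jail -S`.
SCD_NAMES="rlimit clock time_strucs mlock priority ksyms"

is_scd() {
    case " $SCD_NAMES " in *" $1 "*) return 0 ;; esac
    return 1
}

jail_review() {
    if [ "$1" = rsbac_jail ]; then shift; fi
    while [ $# -gt 0 ]; do
        case "$1" in
            -I|-R|-C) if [ $# -gt 1 ]; then shift; fi ;;  # restricting, one argument
            -N|-a|-v|-L|-S) ;;              # not described as granting extra access
            -i) echo "relaxed -i: IPC outside the jail" ;;
            -n) echo "relaxed -n: all network families" ;;
            -r) echo "relaxed -r: INET raw sockets" ;;
            -o) echo "relaxed -o: remote address 127.0.0.1" ;;
            -d) echo "relaxed -d: read access on devices" ;;
            -D) echo "relaxed -D: write access on devices" ;;
            -e) echo "relaxed -e: GET_STATUS_DATA on devices" ;;
            -E) echo "relaxed -E: MODIFY_SYSTEM_DATA on devices" ;;
            -t) echo "relaxed -t: *_OPEN on tty devices" ;;
            -G|-M)
                sw=$1
                # consume the SCD names that follow the switch
                while [ $# -gt 1 ] && is_scd "$2"; do
                    echo "relaxed $sw: SCD target $2"
                    shift
                done ;;
            -l|-c|-m|-p|-k) echo "deprecated $1: replace with -G/-M" ;;
            -*) echo "unknown $1: not in the switch list on this page" ;;
            *)  echo "program: $1"; return 0 ;;  # first non-switch word ends the review
        esac
        shift
    done
}

# The Mozilla example from this page
jail_review rsbac_jail -d -D -P -G priority -M priority mozilla
```

Run on the Mozilla example, the review reports the device read/write access and the two priority SCD grants, and flags -P as a switch that the list on this page does not describe.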