Before starting with RSBAC jails your should read the JAIL description.

All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.

To create a jail, start a program with the rsbac_jail command. Several parameters allow to remove some restrictions. Possible switches controlling access in details:

• -I addr = limit to IP address
• -R dir = chroot to dir
• -N = enclose process in its private namespace, process won't be able to see any filesystem tree that was mounted after it was jailed, 2.6 kernel only !
• -C cap-list = limit Linux capabilities for jailed processes, use bit-vector, numeric value or list names of desired caps, A = all, FS_MASK = all filesystem related
• -L = list all Linux capabilities
• -S = list all SCD targets
• -v = verbose startup
• -i = allow access to IPC outside this jail
• -n = allow all network families, not only UNIX and INET (IPv4)
• -r = allow INET (IPv4) raw sockets (e.g. for ping)
• -a = auto-adjust INET any address 0.0.0.0 to jail address, if set
• -o = additionally allow to/from remote INET (IPv4) address 127.0.0.1
• -d = allow read access on devices, -D allow write access
• -e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
• -t = allow *_OPEN on tty devices
• -G scd … = allow GET_STATUS_DATA on these scd targets
• -M scd … = allow MODIFY_SYSTEM_DATA on these scd targets

Deprecated old options, please use -G and -M:

• -l = allow to modify rlimits (-M rlimit)
• -c = allow to modify system clock (-M SCD clock time_strucs)
• -m = allow to lock memory (-M mlock)
• -p = allow to modify priority (-M priority)
• -k = allow to get kernel symbols (-G ksyms)

Example to start the Mozilla browser in a jail:

rsbac_jail -d -D -P -G priority -M priority mozilla

Table of Contents: RSBAC Handbook
Previous: RC
Next: CAP
Alternative: Setting up Modules