Examples
;
; RSBAC JAIL definition for apache
; 20060419
;
; Tested by:
; Fuleki Miklos (RAk)
; Peter Busser (peter)
;
""
"0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl)
(rlimit)
The above example does not run the application in a chroot, and it is not restricted to any particular network interface. It allows reads and writes to devices, as well as network protocols other than IPv4. The program is allowed to perform setuid() and setgid(), to open low network ports (net-bind-service capability) and to send signals to processes which are owned by other users (kill capability). Furthermore, it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
Development and debugging
Probably the best way to develop a new jail definition file is to start with an empty file like:
The following jail flags are supported:
allow-external-ipc
Allow access to IPC and UNIX domain sockets outside this jail.
allow-all-net-family
Allow all network families, not only IPv4.
allow-inet-raw
Allow IPv4 raw sockets (e.g. for ping and traceroute).
auto-adjust-inet-any
Automatically adjust the INET any address 0.0.0.0 to the jail address, if set.
allow-inet-localhost
Additionally allow traffic to and from the remote IPv4 localhost address, that is, 127.0.0.1.
allow-dev-get-status
Allow GET_STATUS_DATA requests on devices.
allow-dev-mod-system
Allow MODIFY_SYSTEM_DATA requests.
allow-dev-read
Allow read access on devices.
allow-dev-write
Allow write access on devices.
allow-tty-open
Allow opening tty devices.
SCD targets
SCD is short for System Control Data. Each SCD target refers to a global system object, such as the system clock, the packet filter rules, the hostname, etc. RSBAC can protect these objects as well, by setting access rights on their corresponding SCD targets.
time_strucs
System timer
clock
System time and date
host_id
Host name
net_id
Domain name
ioports
Access Control for direct hardware access
rlimit
Setting process resource limits
swap
Control of swapping
syslog
System log
rsbac
RSBAC data in /proc
rsbaclog
RSBAC own log
kmem
Direct access to kernel memory via proc or device
other
Any other SCD not specified separately
firewall
Firewall settings, packet filter etc.
priority
Set scheduler priority (nice value)
sysfs
Administrate through sysfs
rsbac_remote_log
Settings for RSBAC remote logging
quota
Quota administration
sysctl
Administrate through sysctl
nfsd
Kernel NFS server administration
ksyms
Kernel symbols
mlock
Memory locking
capability
Change Linux capabilities
Capabilities
The following capabilities are allowed in the jail files:
chown
To be written.
dac-override
To be written.
dac-read-search
To be written.
fowner
To be written.
fsetid
To be written.
kill
To be written.
setgid
To be written.
setuid
To be written.
setpcap
To be written.
linux-immutable
To be written.
net-bind-service
To be written.
net-broadcast
To be written.
net-admin
To be written.
net-raw
To be written.
ipc-lock
To be written.
ipc-owner
To be written.
sys-module
To be written.
sys-rawio
To be written.
sys-chroot
To be written.
sys-ptrace
To be written.
sys-pacct
To be written.
sys-admin
To be written.
sys-boot
To be written.
sys-nice
To be written.
sys-resource
To be written.
sys-time
To be written.
sys-tty-config
To be written.
mknod
To be written.
lease
To be written.
audit-write
To be written.
audit-control
To be written.
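A jail definition can be checked against the flag, SCD target and capability lists above before it is used. The following Python linter is an added example, not part of the original page or of the run-jail tool. It assumes the six fields appear in the order the apache description implies (chroot path, IP address, jail flags, capabilities, SCD targets to read, SCD targets to modify); the field labels and function names are this example's own.

```python
import re
# Names copied from the flag, SCD target and capability lists on this page.
FLAGS = set("""allow-external-ipc allow-all-net-family allow-inet-raw
    auto-adjust-inet-any allow-inet-localhost allow-dev-get-status
    allow-dev-mod-system allow-dev-read allow-dev-write allow-tty-open""".split())
SCD = set("""time_strucs clock host_id net_id ioports rlimit swap syslog rsbac
    rsbaclog kmem other firewall priority sysfs rsbac_remote_log quota sysctl
    nfsd ksyms mlock capability""".split())
CAPS = set("""chown dac-override dac-read-search fowner fsetid kill setgid setuid
    setpcap linux-immutable net-bind-service net-broadcast net-admin net-raw
    ipc-lock ipc-owner sys-module sys-rawio sys-chroot sys-ptrace sys-pacct
    sys-admin sys-boot sys-nice sys-resource sys-time sys-tty-config mknod
    lease audit-write audit-control""".split())
# Field labels are this example's own, inferred from the apache description.
FIELDS = ("chroot", "ip", "flags", "caps", "scd_read", "scd_modify")
ALLOWED = {"flags": FLAGS, "caps": CAPS, "scd_read": SCD, "scd_modify": SCD}

def parse_jail(text):
    """Parse the six fields; ';' starts a comment (assumed never inside quotes)."""
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    items = list(re.finditer(r'"([^"]*)"|\(([^()]*)\)', body))
    if len(items) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, found {len(items)}")
    jail = {}
    for name, m in zip(FIELDS, items):
        is_list = m.group(2) is not None
        if is_list != (name in ALLOWED):
            raise ValueError(f"field {name!r} has the wrong type")
        jail[name] = m.group(2).split() if is_list else m.group(1)
    return jail

def lint_jail(jail):
    """Report names not listed on this page and settings that loosen the jail."""
    out = [f"{field}: unknown name {n!r}" for field, ok in ALLOWED.items()
           for n in jail[field] if n not in ok]
    if jail["chroot"] == "":
        out.append("chroot: empty, process is not chrooted")
    if jail["ip"] == "0.0.0.0":
        out.append("ip: 0.0.0.0, not bound to one interface")
    out += [f"flags: {f} loosens the jail" for f in jail["flags"]
            if f in ("allow-dev-write", "allow-external-ipc")]
    return out

APACHE = '''; RSBAC JAIL definition for apache (page example, layout condensed)
"" "0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl) (rlimit)'''
print("\n".join(lint_jail(parse_jail(APACHE))))
```

Which flags count as loosening the jail is a review choice made for this example; adjust the tuple in lint_jail to match local policy.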