Add new knobs for controlling jails in rc.d and document them.

Approved by:	makrm (mentor)

2 files changed, 45 insertions, 1 deletions

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 651b0de..36ace89 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -426,6 +426,11 @@ harvest_interrupt="YES"	# Entropy device harvests interrupt randomness
 harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
+jail_enable="NO"	# Set to NO to disable starting of any jails
+jail_list=""		# Space separated list of names of jails
+jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index bb1deed..609ac55 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -2378,6 +2378,45 @@ is set to
 these are the flags passed to
 .Xr usbd 8
 daemon.
+.It Va jail_enable
+.Pq Vt bool
+If set to
+.Dq Li NO ,
+any configured jails will not be started.
+.It Va jail_list
+.Pq Vt str
+A space separated list of names for jails.
+This is purely a configuration aid to help identify and
+configure multiple jails.
+The names specified in this list will be used to
+identify settings common to an instance of a jail.
+Assuming that the jail in question was named
+.Li vjail ,
+you would have the following dependant variables:
+.Bd -literal
+jail_vjail_hostname="jail.example.com"
+jail_vjail_ip="192.168.1.100"
+jail_vjail_rootdir="/var/jails/vjail/root"
+jail_vjail_exec="/bin/sh /etc/rc"
+.Ed
+.Pp
+The last one is optional. It defaults to
+.Pa /etc/rc
+if it is not set.
+.It Va jail_set_hostname_allow
+.Pq Vt bool
+If set to NO,
+do not allow the root user in a jail to set its hostname.
+.It Va jail_socket_unixiproute_only
+.Pq Vt bool
+If set to NO,
+do not allow any protocol,
+besides TCP/IP,
+to be used within a jail.
+.It Va jail_sysvipc_allow
+.Pq Vt bool
+If set to YES,
+allow applications within a jail to use System V IPC.
 .It Va unaligned_print
 .Pq Vt bool
 If set to
@@ -2743,4 +2782,4 @@ The
 file appeared in
 .Fx 2.2.2 .
 .Sh AUTHORS
-.An Jordan K. Hubbard .
\ No newline at end of file
+.An Jordan K. Hubbard .