| author | mike <mike@FreeBSD.org> | 2003-04-09 02:55:18 +0000 |
|---|---|---|
| committer | mike <mike@FreeBSD.org> | 2003-04-09 02:55:18 +0000 |
| commit | 75859ca578ff1bc109e1263e5c52d225315515e0 (patch) | |
| tree | c6122edf636b885d1df318cda6d94636af3212f8 /lib/libc/sys/jail.2 | |
| parent | 979ed3a82ea34d46466c4d6f755b15b85df66f15 (diff) | |
o In struct prison, add an allprison linked list of prisons (protected
by allprison_mtx), a unique prison/jail identifier field, two path
fields (pr_path for reporting and pr_root vnode instance) to store
the chroot() point of each jail.
o Add jail_attach(2) to allow a process to bind to an existing jail.
o Add change_root() to perform the chroot operation on a specified
vnode.
o Generalize change_dir() to accept a vnode, and move namei() calls
to callers of change_dir().
o Add a new sysctl (security.jail.list) which is a group of
struct xprison instances that represent a snapshot of active jails.
Reviewed by: rwatson, tjr
Diffstat (limited to 'lib/libc/sys/jail.2')
-rw-r--r-- | lib/libc/sys/jail.2 | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/lib/libc/sys/jail.2 b/lib/libc/sys/jail.2 index 4656438..288f30d 100644 --- a/lib/libc/sys/jail.2 +++ b/lib/libc/sys/jail.2 @@ -8,7 +8,7 @@ .\" .\"$FreeBSD$ .\" -.Dd April 28, 1999 +.Dd April 8, 2003 .Dt JAIL 2 .Os .Sh NAME @@ -17,10 +17,12 @@ .Sh LIBRARY .Lb libc .Sh SYNOPSIS -.In sys/types.h +.In sys/param.h .In sys/jail.h .Ft int .Fn jail "struct jail *jail" +.Ft int +.Fn jail_attach "int jid" .Sh DESCRIPTION The .Fn jail @@ -52,9 +54,29 @@ from the inside of the prison. The .Dq Li ip_number can be set to the IP number assigned to the prison. +.Pp +The +.Fn jail_attach +system call attaches the current process to an existing jail, +identified by +.Va jid . +.Sh RETURN VALUES +If successful, +.Fn jail +returns a non-negative integer, termed the jail identifier (JID). +It returns -1 on failure, and sets +.Va errno +to indicate the error. +.Pp +If successful, +.Fn jail_attach +returns 0. +It returns -1 on failure, and sets +.Va errno +to indicate the error. .Sh PRISON? Once a process has been put in a prison, it and its decendants cannot escape -the prison. It is not possible to add a process to a preexisting prison. +the prison. .Pp Inside the prison, the concept of "superuser" is very diluted. In general, it can be assumed that nothing can be mangled from inside a prison which @@ -100,6 +122,10 @@ The .Fn jail system call appeared in .Fx 4.0 . +The +.Fn jail_attach +system call appeared in +.Fx 5.1 . .Sh AUTHORS The jail feature was written by .An Poul-Henning Kamp |
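Review bot: in the SYNOPSIS hunk (@@ -17,10 +17,12 @@), `.In sys/types.h` is replaced by `.In sys/param.h` but neither the commit log nor the page says why; if sys/jail.h now depends on definitions only sys/param.h provides, state that in the log (or list both headers) so the swap is not mistaken for an accidental edit. The added prototype `.Fn jail_attach "int jid"` does match the `.Va jid` reference used in the new DESCRIPTION text.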
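Review bot: in the DESCRIPTION/RETURN VALUES hunk (@@ -52,9 +54,29 @@), the new text says both jail and jail_attach set errno on failure, yet no `.Sh ERRORS` section is added listing the possible values, so a caller cannot tell one failure cause (for example an unknown jid) from another; add ERRORS entries for each case the kernel can return. The one-sentence description of jail_attach should also say what changes for the calling process, in particular that it takes on the jail's root directory (the pr_root/change_root() work described in the commit log), since the PRISON? section below makes the move irreversible. Minor: the unchanged context line `it and its decendants cannot escape` misspells "descendants"; the following line is already being rewritten in this hunk, so fix the typo here too.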