author | sheldonh <sheldonh@FreeBSD.org> | 2000-11-01 07:49:29 +0000 |
---|---|---|
committer | sheldonh <sheldonh@FreeBSD.org> | 2000-11-01 07:49:29 +0000 |
commit | 89bac1ebf5396da3a0b0021722c77562d107d0b6 (patch) | |
tree | 2e34e63f7541e79d4148ea6876b5da0e1c6be77e /usr.sbin/jail | |
parent | 034a1560930e55f0161fb4614618c1cdd9641c79 (diff) | |
Correct mark-up used in rev 1.16, as discussed with its contributor:
* Use a sub-section (Ss) instead of a section (Sh) for
"Sysctl MIB Entries".
* Use a tagged list (Bl, El and It) instead of sub-sections (Ss) for
the actual MIB entries.
* Mark paths up as such (Pa).
* Mark defined values up as such (Dv).
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index c7c0e18..a6857aa 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -281,15 +281,15 @@ jail.set_hostname_allowed=0 .Pp In a future version of FreeBSD, the mechanisms for managing jails will be more refined. -.Sh SYSCTL MIB ENTRIES +.Ss Sysctl MIB Entries Certain aspects of the jail containments environment may be modified from the host environment using .Xr sysctl 8 MIB variables. Currently, these variables affect all jails on the system, although in the future this functionality may be finer grained. -.Pp -.Ss jail.set_hostname_allowed +.Bl -tag -width XXX +.It jail.set_hostname_allowed This MIB entry determines whether or not processes within a jail are allowed to change their hostname via .Xr hostname 1 
@@ -297,21 +297,27 @@ or .Xr sethostname 3 . In the current jail implementation, the ability to set the hostname from within the jail can impact management tools relying on the accuracy of jail -information in /proc. +information in +.Pa /proc . As such, this should be disabled in environments where privileged access to jails is given out to untrusted parties. -.Ss jail.socket_unixiproute_only +.It jail.socket_unixiproute_only The jail functionality binds an IPv4 address to each jail, and limits access to other network addresses in the IPv4 space that may be available in the host environment. However, jail is not currently able to limit access to other network protocol stacks that have not had jail functionality added to them. As such, by default, processes within jails may only access protocols -in the following domains: PF_LOCAL, PF_INET, and PF_ROUTE, permitting +in the following domains: +.Dv PF_LOCAL , +.Dv PF_INET , +and +.Dv PF_ROUTE , +permitting them access to UNIX domain sockets, IPv4 addresses, and routing sockets. To enable access to other domains, this MIB variable may be set to 0. -.Ss jail.sysvipc_allowed +.It jail.sysvipc_allowed This MIB entry determines whether or not processes within a jail have access to System V IPC primitives. In the current jail implementation, System V primitives share a single @@ -320,6 +326,7 @@ within a jail would be able to communicate with (and potentially interfere with) processes outside of the jail, and in other jails. As such, this functionality is disabled by default, but can be enabled by setting this MIB entry to 1. +.El .Sh SEE ALSO .Xr newaliases 1 , .Xr ps 1 , |
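Review bot: In the first hunk (@@ -281), `.Bl -tag -width XXX` uses a three-character placeholder for the tag width, while the tags that follow (`jail.set_hostname_allowed`, `jail.socket_unixiproute_only`, `jail.sysvipc_allowed`) are all much longer, so the width value tells the reader nothing about the intended layout. Suggest `-width indent` to make it explicit that each description starts on the line after its tag. The commit marks up paths (Pa) and defined values (Dv) but leaves the MIB names bare on the `.It` lines; `.It Va jail.set_hostname_allowed` and likewise for the other two entries would be consistent with the rest of the change.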
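Review bot: In the second hunk (@@ -297), the `jail.set_hostname_allowed` entry still says only "this should be disabled in environments where privileged access to jails is given out to untrusted parties" without naming the value that disables it, whereas the other two entries state theirs ("may be set to 0", "setting this MIB entry to 1"). Since this text is security guidance for hosts handing out root inside jails, and the entry is being reworked into a list item anyway, suggest spelling it out, for example "this should be disabled by setting this MIB entry to 0", which matches the `jail.set_hostname_allowed=0` line visible in the context of the first hunk.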