path: root/usr.sbin/jail/jail.8
Diffstat (limited to 'usr.sbin/jail/jail.8')
-rw-r--r-- usr.sbin/jail/jail.8 59
1 files changed, 54 insertions, 5 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 0831fcd..1200d34 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 6, 2015
+.Dd April 25, 2016
.Dt JAIL 8
.Os
.Sh NAME
@@ -493,10 +493,14 @@ or
.Xr sethostname 3 .
.It Va allow.sysvipc
A process within the jail has access to System V IPC primitives.
-In the current jail implementation, System V primitives share a single
-namespace across the host and jail environments, meaning that processes
-within a jail would be able to communicate with (and potentially interfere
-with) processes outside of the jail, and in other jails.
+This is deprecated in favor of the per-module parameters (see below).
+When this parameter is set, it is equivalent to setting
+.Va sysvmsg ,
+.Va sysvsem ,
+and
+.Va sysvshm
+all to
+.Dq inherit .
.It Va allow.raw_sockets
The jail root is allowed to create raw sockets.
Setting this parameter allows utilities like
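Review bot: the replacement text for allow.sysvipc drops the only sentence that explained why the setting matters, namely that a shared namespace lets processes in the jail communicate with, and potentially interfere with, processes on the host and in other jails. Since allow.sysvipc is kept for compatibility and now maps to `inherit` for all three modules, that is exactly the case where the warning still applies; consider keeping one sentence to that effect, or replacing the vague "(see below)" with an explicit pointer, e.g. `(see the` / `.Va sysvmsg` / `parameter below)`, so an administrator who still sets allow.sysvipc can see that it is the least isolating choice.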
@@ -610,6 +614,51 @@ have not had jail functionality added to them.
.El
.El
.Pp
+Kernel modules may add their own parameters, which only exist when the
+module is loaded.
+These are typically headed under a parameter named after the module,
+with values of
+.Dq inherit
+to give the jail full use of the module,
+.Dq new
+to encapsulate the jail in some module-specific way,
+and
+.Dq disable
+to make the module unavailable to the jail.
+There also may be other parameters to define jail behavior within the module.
+Module-specific parameters include:
+.Bl -tag -width indent
+.It Va linux
+Determine how a jail's Linux emulation environment appears.
+A value of
+.Dq inherit
+will keep the same environment, and
+.Dq new
+will give the jail it's own environment (still originally inherited when
+the jail is created).
+.It Va linux.osname , linux.osrelease , linux.oss_version
+The Linux OS name, OS release, and OSS version associated with this jail.
+.It Va sysvmsg
+Allow access to SYSV IPC message primitives.
+If set to
+.Dq inherit ,
+all IPC objects on the system are visible to this jail, whether they
+were created by the jail itself, the base system, or other jails.
+If set to
+.Dq new ,
+the jail will have its own key namespace, and can only see the objects
+that it has created;
+the system (or parent jail) has access to the jail's objects, but not to
+its keys.
+If set to
+.Dq disable ,
+the jail cannot perform any sysvmsg-related system calls.
+.It Va sysvsem, sysvmsg
+Allow access to SYSV IPC semaphore and shared memory primitives, in the
+same manner as
+.Va sysvmsg.
+.El
+.Pp
There are pseudo-parameters that are not passed to the kernel, but are
used by
.Nm
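Review bot: the tag on the combined semaphore and shared-memory entry is wrong: `.It Va sysvsem, sysvmsg` repeats sysvmsg, which already has its own entry just above, and omits sysvshm, the parameter the body text actually describes ("semaphore and shared memory primitives") and the one the allow.sysvipc entry in the earlier hunk refers to. It should read `.It Va sysvsem , sysvshm`, with the space before the comma matching `.It Va linux.osname , linux.osrelease , linux.oss_version` in this same hunk. Two smaller points: `.Va sysvmsg.` at the end of that entry should be `.Va sysvmsg .` so mdoc treats the period as trailing punctuation (compare `.Xr sethostname 3 .` in the earlier hunk), and "give the jail it's own environment" in the linux entry should be "its own".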