Re: [RFC] [PATCH] [3/3] LSM Stacking: stackable bsdjail(Documentation)

[Serge Hallyn]

The documentation for the bsdjail LSM.

Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>

diff -Nrup linux-2.6.9/Documentation/bsdjail.txt
linux-2.6.9-jail/Documentation/bsdjail.txt
--- linux-2.6.9/Documentation/bsdjail.txt	1969-12-31 18:00:00.000000000
-0600
+++ linux-2.6.9-jail/Documentation/bsdjail.txt	2004-10-20
14:41:28.266075800 -0500
@@ -0,0 +1,135 @@
+BSD Jail Linux Security Module
+Serge E. Hallyn <serue@xxxxxxxxxx>
+
+Description:
+
+Used in conjunction with per-process namespaces, this implements
+a subset of the BSD Jail functionality as a Linux LSM. What is
+currently implemented:
+
+  If a proces is in a jail, it:
+
+    2. Cannot mount or umount
+    3. Cannot send signals outside of jail
+    4. Cannot ptrace processes outside of jail
+    5. Cannot create devices
+    6. Cannot renice processes
+    7. Cannot load or unload modules
+    8. Cannot change network settings
+    9. May be assigned a specific ip address which will be used
+         for all it's socket binds.
+   10. Cannot see contents of /proc/<pid> entries of processes not in
the
+         same jail.  (We hide their existence for convenience's sake,
but
+         their existance can still be detected using, for instance,
statfs)
+   11. Has no CAP_SYS_RAWIO capability (no ioperm/iopl)
+   12. May not share IPC resources with processes outside its own jail.
+   13. May find it's valid network address (if restricted) under
+       /proc/$$/attr/current.
+
+  If properly locked into its own namespace, processes will not be able
+  to escape to parts of the system's filesystem which were made
+  unavailable (without outside help).
+
+WARNINGS:
+The security of this module is very much dependent on the security
+of the rest of the system.  You must carefully think through your
+use of the system.
+
+Some examples:
+	1. If you leave /dev/hda1 in the jail, processes in the
+	jail can access that filesystem (i.e. /sbin/debugfs).
+	2. If you provide root access within a jail, this can of
+	course be used to setuid binaries in the jail.  Combined
+	with an unjailed regular user account, this gives jailed
+	users unjailed root access.  (thanks to Brad Spender for
+	pointing this out).
+
+How to use:
+    1. Load the bsdjail module if not already loaded or compiled in:
+    
+         modprobe bsdjail
+
+    3. (Optional) Set up an ipv4 alias for the jail
+
+         # /sbin/ifconfig eth0:0 192.168.1.101
+         # /sbin/route add -host 192.168.1.101 dev eth0:0
+
+    3. Execute a shell under a new namespace:
+
+         exec clone_ns
+
+       (see http://www.win.tue.nl/~aeb/linux/lk/lk-6.html#6.3)
+
+    4. If not already done, set up the filesystem for the jail.  in our
+       example, we will set it up under /opt.
+    
+          mount /dev/hdc5 /opt
+          mount -t proc proc /opt/proc
+
+    5. Make sure there is an empty directory to put the old root in. 
We
+       will just use /opt/mnt
+
+          mkdir /opt/mnt
+
+    6. Pivot the old and new roots:
+
+          cd /opt
+          /sbin/pivot_root . mnt
+          /usr/sbin/chroot . /bin/sh
+
+    7. Unmount the old root
+
+          umount -l /mnt
+
+    6. Give the desired arguments for the jail.  If no arguments are
+       necessary, just say:
+
+          echo lock > /proc/$$/attr/exec
+
+       To lock the process into an ip alias, say:
+
+          echo "ip 192.168.1.101" > /proc/$$/attr/exec
+
+    7. Execute a new shell.  The shell will be under the new jail, and
in
+       the private namespace you've been setting up.
+    
+          exec /bin/sh
+
+    8. To allow friends/customers/whoever to use this system, you might
start
+       start some services.
+
+          sshd
+
+    9. Ssh is now running under the jail, so you no longer need the
original
+    shell:
+
+          exit
+
+The new shell runs in a private jail on the filesystem on /dev/hdc5. If
proc
+has been mounted under /dev/hdc5, then a "ps -auxw" under the jailed
shell
+will show only entries for processes started under that jail.
+
+If a private IP was specified for the jail, then
+		cat /proc/$$/attr/current
+will show the address for the private network device.  Other network
+devices will be visible through /sbin/ifconfig -a, but not usable.
+
+If the reading process is not in a jail, then
+		cat /proc/$$/attr/current
+returns information about the root and ip * for the target process,
+or "Not Jailed" if the target process is not jailed.
+
+Cat /proc/$$/attr/exec gives a list of the valid keywords to cat into
+/proc/$$/attr/exec when starting a jail.
+
+Current valid keywords for creating a jail are:
+
+     lock: specifies the next exec should land us in a jail.  (only
needed
+                if you don't want to give any other keywords)
+     ip: IPV4 addr for this jail
+     ip6: IPV6 addr for this jail
+     nrtask: Number of tasks in this jail
+     nice: The nice level for this jail.  (maybe should be min/max?)
+     slice: Max timeslice per process
+     data: Max size of DATA segment per process
+     memlock: Max size of memory which can be locked per process


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/