The OpenNET Project / Index page

Interactive system for browsing system manuals (man pages)


jail_attach (2)
  • jail_attach (2) (FreeBSD man: System calls)

    NAME

    jail, jail_attach - imprison current process and future descendants


    LIBRARY

    Standard C Library (libc, -lc)


    SYNOPSIS

    #include <sys/param.h>
    #include <sys/jail.h>

    int jail(struct jail *jail);
    int jail_attach(int jid);


    DESCRIPTION

    The jail() system call sets up a jail and locks the current process in it.

    The argument is a pointer to a structure describing the prison:

    struct jail {
            u_int32_t       version;
            char            *path;
            char            *hostname;
            u_int32_t       ip_number;
    };
    

    "version" defines the version of the API in use. It should be set to zero at this time.

    The "path" pointer should be set to the directory which is to be the root of the prison.

    The "hostname" pointer can be set to the hostname of the prison. This can be changed from the inside of the prison.

    The "ip_number" can be set to the IP number assigned to the prison.

    The jail_attach() system call attaches the current process to an existing jail, identified by jid.
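    The program below is an added example; it is not part of this manual page nor of FreeBSD's own jail(8) utility. It fills in the version-0 struct jail described above, validates the fields before handing them to the kernel, enters the prison with jail() and exec's a command inside it; a "-a" mode joins an existing prison by JID with jail_attach(). The helper names prison_describe, prison_run and prison_attach_run are this example's own. Two assumptions are labelled in the code: ip_number is passed in host byte order, which the page does not state, and on non-FreeBSD systems the struct and both system calls are replaced by local stand-ins that fail with ENOSYS so the validation logic can still be built and read. The layout used is the one documented here (FreeBSD 4.x/5.x); later FreeBSD releases changed struct jail, so building against a current <sys/jail.h> needs that newer layout.

```c
/* Added example (not from the manual page or FreeBSD): describe a version-0
 * prison, enter it with jail(2) and exec a command inside, or join an
 * existing prison with jail_attach(2). */
#include <sys/param.h>      /* MAXHOSTNAMELEN */
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/jail.h>
#else
/* Assumption for building the example elsewhere: the struct from the manual
 * page (uint32_t stands in for u_int32_t) and stand-ins for the two system
 * calls that always fail with ENOSYS. No prison can be created here. */
struct jail {
    uint32_t version;
    char    *path;
    char    *hostname;
    uint32_t ip_number;
};
static int jail(struct jail *j)  { (void)j;   errno = ENOSYS; return -1; }
static int jail_attach(int jid)  { (void)jid; errno = ENOSYS; return -1; }
#endif

/* Fill in a version-0 prison description. Returns 0, or -1 with errno set to
 * EINVAL for input that would make a broken prison: a relative root (jail()
 * chroots to path, so it would resolve against the caller's cwd), an empty or
 * oversized hostname, or an unparsable IPv4 address. */
int prison_describe(struct jail *j, const char *root, const char *host,
                    const char *ip)
{
    struct in_addr in;

    if (root == NULL || root[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    if (host == NULL || host[0] == '\0' || strlen(host) >= MAXHOSTNAMELEN) {
        errno = EINVAL;
        return -1;
    }
    if (ip == NULL || inet_pton(AF_INET, ip, &in) != 1) {
        errno = EINVAL;
        return -1;
    }
    memset(j, 0, sizeof *j);
    j->version   = 0;                  /* the only version the page defines */
    j->path      = (char *)root;
    j->hostname  = (char *)host;
    /* Assumption: ip_number is in host byte order (the manual does not say;
     * the historic jail(8) utility passed ntohl(in.s_addr)). */
    j->ip_number = ntohl(in.s_addr);
    return 0;
}

/* Enter the prison and exec argv[0] inside it. Returns -1 with errno set only
 * on failure; once jail() has succeeded the process can no longer leave. */
int prison_run(struct jail *j, char *const argv[])
{
    if (jail(j) == -1)
        return -1;
    if (chdir("/") == -1)      /* start at the prison's root, not the old cwd */
        return -1;
    execv(argv[0], argv);
    return -1;
}

/* Join an existing prison by JID and exec argv[0] inside it. */
int prison_attach_run(int jid, char *const argv[])
{
    if (jail_attach(jid) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    struct jail j;

    if (argc >= 4 && strcmp(argv[1], "-a") == 0) {
        if (prison_attach_run(atoi(argv[2]), &argv[3]) == -1)
            err(1, "jail_attach(%s)", argv[2]);
    }
    if (argc < 5) {
        fprintf(stderr, "usage: %s <root> <hostname> <ip> <cmd> [args...]\n"
                        "       %s -a <jid> <cmd> [args...]\n", argv[0], argv[0]);
        return 2;
    }
    if (prison_describe(&j, argv[1], argv[2], argv[3]) == -1)
        err(1, "bad prison description");
    if (prison_run(&j, &argv[4]) == -1)
        err(1, "jail/exec %s", argv[4]);
    return 1;                          /* execv only returns on failure */
}
```

    Run as root on the FreeBSD release this page documents, for instance "./jailrun /usr/jails/www www.example.org 10.0.0.1 /bin/sh" (paths and address are illustrative); the JID printed by a wrapper, or read from jls(8) on later releases, is what "-a" expects. The validation up front matters because jail() only reports EINVAL for a bad version: a relative path or a hostname the prison cannot use is accepted by the kernel and discovered later, from inside a prison that cannot be left.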

    RETURN VALUES

    If successful, jail() returns a non-negative integer, termed the jail identifier (JID). It returns -1 on failure, and sets errno to indicate the error.

    The jail_attach() system call returns the value 0 if successful; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

    PRISON?

    Once a process has been put in a prison, it and its descendants cannot escape the prison.

    Inside the prison, the concept of "superuser" is very diluted. In general, it can be assumed that nothing can be mangled from inside a prison which does not exist entirely inside that prison. For instance, the directory tree below "path" can be manipulated in all the ways a root can normally do it, including "rm -rf /*", but new device special nodes cannot be created because they reference shared resources (the device drivers in the kernel). The effective "securelevel" for a process is the greater of the global "securelevel" or, if present, the per-jail "securelevel".

    All IP activity will be forced to happen to/from the IP number specified, which should be an alias on one of the network interfaces.

    It is possible to identify a process as jailed by examining "/proc/<pid>/status": it will show a field near the end of the line, either a single hyphen for a process at large, or the hostname currently set for the prison for jailed processes.

    ERRORS

    The jail() system call will fail if:

    [EINVAL]  The version number of the argument is not correct.

    Further, jail() calls chroot(2) internally, so it can fail for all the same reasons. Please consult the chroot(2) manual page for details.

    SEE ALSO

    chdir(2), chroot(2)  

    HISTORY

    The jail() system call appeared in FreeBSD 4.0. The jail_attach() system call appeared in FreeBSD 5.1.

    AUTHORS

    The jail feature was written by Poul-Henning Kamp for R&D Associates (http://www.rndassociates.com/), who contributed it to FreeBSD.


     

    Created 1996-2024 by Maxim Chirkov