Your program runs primarily (if not exclusively) on FreeBSD, and you want to impose restrictions on your program's filesystem and network capabilities that are above and beyond what chroot() can do. (See Recipe 2.12.)
FreeBSD implements a system call known as jail(), which will "imprison" a process and its descendants. It does all that chroot() does and more.
Ordinarily, a jail is constructed on FreeBSD by the system administrator using the jail program, which is essentially a wrapper around the jail() system call. (Discounting comments and blank lines, the code is a mere 35 lines.) However, it is possible to use the jail() system call in your own programs.
The FreeBSD jail does everything that chroot() does, and then some. It restricts much of the superuser's normal abilities, and it restricts the IP address that programs running inside the jail may use.
Creating a jail is as simple as filling in a data structure with the appropriate information and calling jail(). The same caveats that apply to chroot() also apply to jail(), because jail() calls chroot() internally. In particular, only the superuser may create a jail successfully.
Presently, the jail configuration structure contains only four fields: version, path, hostname, and ip_number. The version field must be set to 0, and the path field is treated the same as chroot()'s argument. The hostname field sets the hostname of the jail; however, it is possible to change it from within the jail. The ip_number field is the IP address to which processes running within the jail are restricted. Processes within the jail will only be able to bind to this address, regardless of what other IP addresses are assigned to the system. In addition, all IP traffic emanating from processes within the jail will be forced to use this address as its source.
The IP address assigned to a jail must be configured on the system; typically, it should be set up as an alias rather than as the primary address for a network interface unless the network interface is dedicated to the jail. For example, a system with two network interfaces may be configured to route all traffic from processes outside the jail to one interface, and route all traffic from processes inside the jail to the other.
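The following is an added example of the procedure described above (fill in the four-field version-0 structure, call jail(), then treat the result with the same care as chroot()); it is not code from the original recipe or from FreeBSD. The names spc_jail_v0, spc_jail_ip_number, spc_jail_check and spc_jail are assumptions chosen for this illustration. The structure is declared locally, mirroring the four fields the text lists, because the version-0 layout is not what the userland <sys/jail.h> header exports on current FreeBSD releases; the kernel reads the version field first and, for version 0, copies in exactly that four-field layout, which is why the cast to struct jail * is valid. On systems other than FreeBSD the call itself is compiled out and reported as ENOSYS, so the parameter checks still run everywhere.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/jail.h>
#endif

/* Version-0 jail configuration, laid out exactly as the four fields the
 * text describes: version, path, hostname, ip_number.  (Assumed local
 * declaration; the kernel's own version-0 struct is not exported to
 * userland on current releases.) */
struct spc_jail_v0 {
    uint32_t    version;    /* must be 0 */
    const char *path;       /* the new root, handed to chroot() by the kernel */
    const char *hostname;   /* hostname seen inside the jail */
    uint32_t    ip_number;  /* IPv4 address in HOST byte order */
};

/* Parse a dotted-quad IPv4 address into the host-order value the version-0
 * ip_number field expects.  Returns 0 (INADDR_ANY) when the string is not a
 * valid address; 0 is never a usable jail address, so it doubles as the
 * error value. */
uint32_t spc_jail_ip_number(const char *ipaddr) {
    struct in_addr in;
    if (ipaddr == NULL || inet_pton(AF_INET, ipaddr, &in) != 1) return 0;
    return ntohl(in.s_addr);
}

/* Sanity-check the user-supplied parameters before touching the kernel.
 * Returns 0 when they look usable, -1 with errno set otherwise. */
int spc_jail_check(const char *path, const char *hostname, const char *ipaddr) {
    /* path goes to chroot() inside the kernel; insist on an absolute one */
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    /* the kernel copies hostname into a MAXHOSTNAMELEN (256-byte) buffer */
    if (hostname == NULL || strlen(hostname) >= 256) { errno = ENAMETOOLONG; return -1; }
    if (spc_jail_ip_number(ipaddr) == 0) { errno = EINVAL; return -1; }
    return 0;
}

/* Lock the calling process (and all its future descendants) into a jail.
 * Returns 0 on success, -1 with errno set on failure.  As with chroot(),
 * only the superuser succeeds, and the working directory is moved to the
 * new root immediately so nothing is left pointing outside it. */
int spc_jail(const char *path, const char *hostname, const char *ipaddr) {
    struct spc_jail_v0 jp;

    if (spc_jail_check(path, hostname, ipaddr) == -1) return -1;

    memset(&jp, 0, sizeof(jp));
    jp.version   = 0;
    jp.path      = path;
    jp.hostname  = hostname;
    jp.ip_number = spc_jail_ip_number(ipaddr);

#ifdef __FreeBSD__
    /* jail(2) reads the version first and, for version 0, copies in this
     * four-field layout; it returns -1 on failure (0 or a jail id otherwise). */
    if (jail((struct jail *)&jp) == -1) return -1;
    if (chdir("/") == -1) return -1;   /* the chroot() caveat from Recipe 2.12 */
    return 0;
#else
    (void)jp;
    errno = ENOSYS;                    /* jail(2) exists only on FreeBSD */
    return -1;
#endif
}

int main(int argc, char *argv[]) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s /jail/root hostname ipv4addr\n", argv[0]);
        return 2;
    }
    if (spc_jail(argv[1], argv[2], argv[3]) == -1) {
        perror("spc_jail");
        return 1;
    }
    /* From here on the process is confined; a real daemon would now drop
     * its root privileges and carry on with its work inside the jail. */
    printf("process %ld is now jailed at %s as %s\n",
           (long)getpid(), argv[1], argv[2]);
    return 0;
}
```

Run it as root on FreeBSD with a prepared jail root and an address that is already configured on an interface (for example as an alias), as the text requires; a relative path, an over-long hostname or an unparsable address is rejected before the system call, and the kernel still rejects an address that is not configured on the system.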