History log of /freebsd-current/usr.sbin/jail/jail.8
Revision Date Author Comments
# 1a720cbe 15-May-2024 Alexander Ziaee <concussious@runbox.com>

man filesystems: fix xrefs after move to section 4

Reviewed by: des, imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1077


# d50685b3 16-Mar-2024 Jamie Gritton <jamie@FreeBSD.org>

jail: add the -C flag to clean up after a partially removed jail

Differential Revision: https://reviews.freebsd.org/D42670


# e0dfe185 17-Jan-2024 Alexander Leidinger <netchild@FreeBSD.org>

jail(8): add support for ZFS datasets

Add zfs.dataset to jail(8) to add a list of ZFS datasets.
Bump FreeBSD version for jail managers to switch to native
dataset support.

Datasets are attached to the jail after the jail creation and
before the execution of any start command. Unlike current
implementations in jail managers which attach datasets after
the start command, this allows the zfs rc.d script to mount
the datasets on start.

Discussed with: jamie


# ed31b3f4 29-Nov-2023 Jamie Gritton <jamie@FreeBSD.org>

jail: Don't allow jail_set(2) to resurrect dying jails.

Currently, a prison in "dying" state (removed but still holding
resources) can be brought back to alive state via "jail -d", or
the JAIL_DYING flag to jail_set(2). This seemed like a good idea
at the time.

Its main use was to improve support for specifying the jid when
creating a jail, which also seemed like a good idea at the time.
But resurrecting a jail that was partway through the process of
shutting down is trouble waiting to happen.

This patch deprecates that flag, leaving it as a no-op for creating
jails (but still useful for looking at dying jails). It still allows
creating a new jail with the same jid as a dying one, but will renumber
the old one in that case. That's imperfect, but allows for current
behavior.

Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D28150


# edd28b85 01-Sep-2023 Dmitry Chagin <dchagin@FreeBSD.org>

jail(8): Fix mandoc warnings

Reviewed by: gbe
Differential Revision: https://reviews.freebsd.org/D41680
MFC after: 1 week


# cb48780d 01-Sep-2023 Shawn Webb <shawn.webb@hardenedbsd.org>

jail: Add the ability to access system-level filesystem extended attributes

Prior to this commit, privileged accounts in a jail could not access the
filesystem extended attributes in the system namespace. To control access to
the system namespace on a per-jail basis, add a new configuration parameter
allow.extattr which is off by default.

Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes


# db08e8ba 31-Aug-2023 Jamie Gritton <jamie@FreeBSD.org>

Re-remove $FreeBSD$ inadvertently put back into jail.8


# dab7fc49 28-Aug-2023 Jamie Gritton <jamie@FreeBSD.org>

jail: make jail(8) man page more readable and more correct

The synopsis section of jail(8) is fine at showing everything that could
be on the command line, but doesn't make much sense. Add some
subsections for the different uses of the command.

Also fix up the paragraph about command-line parameter specification,
including removing some clearly erroneous information.

Reviewed by: dvl
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41606


# fa9896e0 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/


# c0f94fee 14-Mar-2023 Rick Macklem <rmacklem@FreeBSD.org>

jail.8: Update the allow.nfsd section

This patch updates the information for "allow.nfsd"
and adds configuration information.

This is a content change.

Reviewed by: karels, markj, pauamma (manpages)
MFC after: 3 months
Differential Revision: https://reviews.freebsd.org/D39033


# cfd6acbb 11-Jul-2022 Elvin Aslanov <rwp.primary@gmail.com>

jail: Correct jail_max_af_ips sysctl name

The sysctl is named "security.jail.jail_max_af_ips" with the jail_
prefix in the final part.

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/605


# d4b4f3b9 17-Dec-2022 Rick Macklem <rmacklem@FreeBSD.org>

jail.8: Update the man page for allow.nfsd

Commit bba7a2e89602 added "allow.nfsd" to optionally allow
mountd/nfsd to be run inside a vnet prison when the kernel
is built with "options VNET_NFSD".

This patch updates the man page for this change.

This is a content change.

Reviewed by: jamie, bcr (manpages)
MFC after: 4 months
Differential Revision: https://reviews.freebsd.org/D37665


# 203be093 18-Jul-2022 Mateusz Piotrowski <0mp@FreeBSD.org>

jail.8: Fix formatting of synopsis and some code examples

MFC after: 3 days


# 4a3c598f 27-Jun-2022 Fernando Apesteguía <fernape@FreeBSD.org>

Bump .Dd for recently modified manual pages

During the removal of named(8) references, some pages were modified but their
.Dd were not updated accordingly.

Reported by: lwhsu@
Fixes: 942e234d868d


# 942e234d 22-Jun-2022 Fernando Apesteguía <fernape@FreeBSD.org>

Remove references to named(8)

named(8) hasn't been in base for some time. Remove all references to it in
manual pages.

Approved by: manpages (Pau Amma)
Differential Revision: https://reviews.freebsd.org/D35586


# 8c1d956f 04-Apr-2021 Jamie Gritton <jamie@FreeBSD.org>

jail: fix jail(8) synopsis and usage message to match reality.

Reported by: yuri
PR: 254741
MFC after: 5 days


# 05e1e482 18-Nov-2020 Mariusz Zaborski <oshogbo@FreeBSD.org>

jail: introduce per jail suser_enabled setting

The suser_enable sysctl allows removing privileged rights from uid 0.
This change introduces a per-jail setting which allows making root a
normal user.

Reviewed by: jamie
Previous version reviewed by: kevans, emaste, markj, me_igalic.co
Discussed with: pjd
Differential Revision: https://reviews.freebsd.org/D27128


# 66005c45 14-May-2020 Ryan Moeller <freqlabs@FreeBSD.org>

jail: Add exec.prepare and exec.release command hooks

This change introduces new jail command hooks that run before and after any
other actions.

The exec.prepare hook can be used for example to invoke a script that checks
if the jail's root exists, creating it if it does not. Since arbitrary
variables in jail.conf can be passed to the command, it can be pretty useful
for templating jails.

An example use case for exec.release would be to remove the filesystem of an
ephemeral jail.

The names "prepare" and "release" are borrowed from the names of similar hooks
in libvirt.

Reviewed by: jamie, manpages, mmacy
Approved by: mmacy (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24829


# 4e49fbcd 17-Apr-2020 Eugene Grosbein <eugen@FreeBSD.org>

jail(8): improve manual and usage information with more clear
description for "jail -e" mode to show that it does not take
additional jail name argument.

Reported by: David Marec <david.marec@davenulle.org>
MFC after: 3 days


# 5fda0d60 03-Oct-2019 Andriy Gapon <avg@FreeBSD.org>

add ability to set watchdog timeout for a shutdown

This change allows to specify a watchdog(9) timeout for a system
shutdown. The timeout is activated when the watchdogd daemon is
stopped. The idea is to prevent any indefinite hang during late
stages of the shutdown. The feature is implemented in rc.d/watchdogd,
it builds upon watchdogd -x option.

Note that the shutdown timeout is not activated when the watchdogd
service is individually stopped by an operator. It is also not
activated for the 'shutdown' to the single-user mode. In those cases it
is assumed that the operator knows what they are doing and they have
means to recover the system should it hang.

Significant subchanges and implementation details:
- the argument to rc.shutdown, completely unused before, is assigned to
rc_shutdown variable that can be inspected by rc scripts
- init(8) passes "single" or "reboot" as the argument, this is not
changed
- the argument is not mandatory and if it is not set then rc_shutdown is
set to "unspecified"
- however, the default jail management scripts and jail configuration
examples have been updated to pass "jail" to rc.shutdown, just in case
- the new timeout can be set via watchdogd_shutdown_timeout rc option
- for consistency, the regular timeout can now be set via
watchdogd_timeout rc option
- watchdogd_shutdown_timeout and watchdogd_timeout override timeout
specifications in watchdogd_flags
- existing configurations, where the new rc options are not set, should
keep working as before

I am not particularly wed to any of the implementation specifics.
I am open to changing or removing any of them as long as the provided
functionality is the same (or very close) to the proposed one.
For example, I think it can be implemented without using watchdogd -x,
by means of watchdog(1) alone. In that case there would be a small
window between stopping watchdogd and running watchdog, but I think that
that is acceptable.

Reviewed by: bcr (man page changes)
MFC after: 5 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D21221


# ffda6790 18-May-2019 Brooks Davis <brooks@FreeBSD.org>

Change ed(4), ep(4), and fxp(4) examples to em(4).

ed(4) and ep(4) have been removed. fxp(4) remains popular in older
systems, but isn't as future proof as em(4).

Reviewed by: bz, jhb
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D20311


# b3079544 27-Nov-2018 Jamie Gritton <jamie@FreeBSD.org>

In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.

Submitted by: Shawn Webb <lattera at gmail.com>
Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes: yes
Sponsored by: HardenedBSD and G2, Inc
Differential Revision: https://reviews.freebsd.org/D18319


# 1e1a4743 09-Nov-2018 Eugene Grosbein <eugen@FreeBSD.org>

jail(8): introduce new command option -e to exhibit
a list of configured non-wildcard jails with their parameters,
no matter running or not.

The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.

MFC after: 1 month


# 4520f617 18-Oct-2018 Jamie Gritton <jamie@FreeBSD.org>

Fix typos from r339409.

Reported by: maxim
Approved by: re (gjb)


# b19d66fd 17-Oct-2018 Jamie Gritton <jamie@FreeBSD.org>

Add a new jail permission, allow.read_msgbuf. When true, jailed processes
can see the dmesg buffer (this is the current behavior). When false (the
new default), dmesg will be unavailable to jailed users, whether root or
not.

The security.bsd.unprivileged_read_msgbuf sysctl still works as before,
controlling system-wide whether non-root users can see the buffer.

PR: 211580
Submitted by: bz
Approved by: re@ (kib@)
MFC after: 3 days


# 951de554 20-Aug-2018 Bjoern Heidotting <bhd@FreeBSD.org>

In r324732 sysinstall was replaced by bsdinstall.
However, for post-install configuration, bsdinstall
is not of much use. Point the user to bsdconfig instead.

Reviewed by: 0mp, bcr
Approved by: 0mp, bcr
Differential Revision: https://reviews.freebsd.org/D16751


# f6c0e63b 15-Aug-2018 Alexander Leidinger <netchild@FreeBSD.org>

- Add exec hook "exec.created". This is called when the jail is
created and before exec.start is called. [1]
- Bump __FreeBSD_version.

This allows to attach ZFS datasets and various other things to be
done before any command/service/rc-script is started in the new
jail.

PR: 228066 [1]
Reviewed by: jamie [1]
Submitted by: Stefan Grönke <stefan@gronke.net> [1]
Differential Revision: https://reviews.freebsd.org/D15330 [1]


# be963bee 31-Jul-2018 Marcelo Araujo <araujo@FreeBSD.org>

- Add the ability to run bhyve(8) within a jail(8).

This patch adds a new sysctl(8) knob "security.jail.vmm_allowed",
by default this option is disabled.

Submitted by: Shawn Webb <shawn.webb____hardenedbsd.org>
Reviewed by: jamie@ and myself.
Relnotes: Yes.
Sponsored by: HardenedBSD and G2, Inc.
Differential Revision: https://reviews.freebsd.org/D16057


# ccd6ac9f 28-Jul-2018 Antoine Brodin <antoine@FreeBSD.org>

Add allow.mlock to jail parameters
It allows locking or unlocking physical pages in memory within a jail

This allows running elasticsearch with "bootstrap.memory_lock" inside a jail

Reviewed by: jamie@
Differential Revision: https://reviews.freebsd.org/D16342


# 5717aa2d 20-Jul-2018 Alan Somers <asomers@FreeBSD.org>

Allow mounting FUSE filesystems in jails

Reviewed by: jamie
MFC after: 2 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16371


# 0e5c6bd4 04-May-2018 Jamie Gritton <jamie@FreeBSD.org>

Make it easier for filesystems to count themselves as jail-enabled,
by doing most of the work in a new function prison_add_vfs in kern_jail.c
Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and
the rest is taken care of. This includes adding a jail parameter like
allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed.
Both of these used to be a static list of known filesystems, with
predefined permission bits.

Reviewed by: kib
Differential Revision: D14681


# 72130735 10-Nov-2017 Ed Maste <emaste@FreeBSD.org>

Strip EOL whitespace in usr.sbin/{jail,jexec}


# 72cc0b3d 18-Oct-2017 Benjamin Kaduk <bjk@FreeBSD.org>

Adopt jail.8 to our brave new bsdinstall world

Submitted by: Steve Kargl
MFC after: 3 days


# e28f9b7d 05-Jun-2017 Allan Jude <allanjude@FreeBSD.org>

Jails: Optionally prevent jailed root from binding to privileged ports

You may now optionally specify allow.noreserved_ports to prevent root
inside a jail from using privileged ports (less than 1024)

PR: 217728
Submitted by: Matt Miller <mattm916@pulsar.neomailbox.ch>
Reviewed by: jamie, cem, smh
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10202


# a8702c83 01-May-2016 Jamie Gritton <jamie@FreeBSD.org>

typo

Submitted by: Jimmy Olgeni


# ab9604e1 30-Apr-2016 Jamie Gritton <jamie@FreeBSD.org>

Clarify what happens when there is a "depend" parameter in jail.conf,
and how this affects the "jail_list" option in rc.conf.


# 52a510ac 25-Apr-2016 Jamie Gritton <jamie@FreeBSD.org>

Encapsulate SYSV IPC objects in jails. Define per-module parameters
sysvmsg, sysvsem, and sysvshm, with the following behavior:

inherit: allow full access to the IPC primitives. This is the same as
the current setup with allow.sysvipc is on. Jails and the base system
can see (and modify) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).

disable: all no access, same as the current setup with allow.sysvipc off.

new: A jail may see use the IPC objects that it has created. It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value. The parent jail (or base system) can
see the jail's IPC objects, but not its keys.

PR: 48471
Submitted by: based on work by kikuchan98@gmail.com
MFC after: 5 days


# 5d6cb09d 25-Apr-2016 Jamie Gritton <jamie@FreeBSD.org>

Note the existence of module-specific jail parameters, starting with the
linux.* parameters when linux emulation is loaded.

MFC after: 5 days


# e94b881b 10-Feb-2016 Jamie Gritton <jamie@FreeBSD.org>

Remove man page references to rndassociates.com, which has been taken over
by a domain squatter.


# 7ec72d48 25-Jul-2015 Dru Lavigne <dru@FreeBSD.org>

Fix transposed words in man page.

PR: 201752
Reviewed by: bcr
MFC after: 3 days
Sponsored by: Essen FreeBSD Hackathon


# f19e47d6 19-Jul-2015 Marcelo Araujo <araujo@FreeBSD.org>

Add support to the jail framework to be able to mount linsysfs(5) and
linprocfs(5).

Differential Revision: D2846
Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com>
Reviewed by: jamie


# 95236448 24-Apr-2015 Joel Dahl <joel@FreeBSD.org>

Fix minor mdoc issues.


# 946ea17f 22-Mar-2015 Allan Jude <allanjude@FreeBSD.org>

Fix typo in jail(8) man page

PR: 198790
Differential Revision: https://reviews.freebsd.org/D2111
Submitted by: Jimmy Olgeni
Approved by: wblock (mentor)
Sponsored by: ScaleEngine Inc.


# b96bd95b 27-Feb-2015 Ian Lepore <ian@FreeBSD.org>

Allow the kern.osrelease and kern.osreldate sysctl values to be set in a
jail's creation parameters. This allows the kernel version to be reliably
spoofed within the jail whether examined directly with sysctl or
indirectly with the uname -r and -K options.

The values can only be set at jail creation time, to eliminate the need
for any locking when accessing the values via sysctl.

The overridden values are inherited by nested jails (unless the config for
the nested jails also overrides the values).

There is no sanity or range checking, other than disallowing an empty
release string or a zero release date, by design. The system
administrator is trusted to set sane values. Setting values that are
newer than the actual running kernel will likely cause compatibility
problems.

Differential Revision: https://reviews.freebsd.org/D1948
Relnotes: yes


# 07a7869f 06-Feb-2015 Jamie Gritton <jamie@FreeBSD.org>

Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.

Also fix a typo while I'm at it.

PR: 197237 197066
MFC after: 3 days


# 464aad14 28-Jan-2015 Jamie Gritton <jamie@FreeBSD.org>

Add allow.mount.fdescfs jail flag.

PR: 192951
Submitted by: ruben@verweg.com
MFC after: 3 days


# 914f6e62 26-Dec-2014 Joel Dahl <joel@FreeBSD.org>

mdoc: sort SEE ALSO.


# b22b6abd 04-Aug-2014 Steven Hartland <smh@FreeBSD.org>

Added support for extra ifconfig args to jail ip4.addr & ip6.addr params

This allows for CARP interfaces to be used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"

Before this change using exec.prestart to configure a CARP address
would result in the wrong MAC being broadcast on startup as jail creates
IP aliases to support ip[4|6].addr before exec.prestart is executed.

PR: 191832
Reviewed by: jamie
MFC after: 1 week
X-MFC-With: r269340
Phabric: D528
Sponsored by: Multiplay


# 6bfc8b01 11-Jul-2014 Gavin Atkinson <gavin@FreeBSD.org>

The month's name shall not be abbreviated.


# 4b829b3e 10-Jul-2014 Gavin Atkinson <gavin@FreeBSD.org>

Reword an awkward option description

PR: 191726
Reported by: yaneurabeya gmail.com
MFC after: 3 days


# aaf40f14 16-May-2014 Benjamin Kaduk <bjk@FreeBSD.org>

Bump .Dd, missed in r266206

Approved by: hrs (mentor, implicit)


# 06e36338 15-May-2014 Benjamin Kaduk <bjk@FreeBSD.org>

Review pass through jail.8

Replace usage of "prison" with "jail", since that term has mostly dropped
out of use. Note once at the beginning that the "prison" term is equivalent,
but do not use it otherwise. [1]

Some grammar issues.

Some mdoc formatting fixes.

Consistently use \(em for em dashes, with spaces around it.

Avoid contractions.

Prefer ssh to telnet.

PR: docs/176832 [1]
Approved by: hrs (mentor)


# 994e8550 17-Mar-2014 Robert Watson <rwatson@FreeBSD.org>

Line-wrapping tweak: make the sample jail command line fit in 80 characters.

MFC after: 3 days


# f15444cc 31-Jan-2014 Jamie Gritton <jamie@FreeBSD.org>

Back out r261266 pending security buy-in.

r261266:
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.


# 109ca2d5 29-Jan-2014 Jamie Gritton <jamie@FreeBSD.org>

Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.

Submitted by: netchild
MFC after: 1 week


# fbd868c9 12-Oct-2013 Hiroki Sato <hrs@FreeBSD.org>

- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.

- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.

Approved by: re (gjb)


# 2454886e 23-Aug-2013 Xin LI <delphij@FreeBSD.org>

Allow tmpfs be mounted inside jail.


# 6cbae38f 16-Sep-2012 Dag-Erling Smørgrav <des@FreeBSD.org>

Warn about filesystem-based attacks.


# 8972c8b6 03-Jun-2012 Joel Dahl <joel@FreeBSD.org>

Minor spelling fixes.


# 344c81a1 23-May-2012 Warren Block <wblock@FreeBSD.org>

Fixes to man8 groff mandoc style, usage mistakes, or typos.

PR: 168016
Submitted by: Nobuyuki Koganemaru
Approved by: gjb
MFC after: 3 days


# 858b023a 23-May-2012 Jamie Gritton <jamie@FreeBSD.org>

Note that the new jail(8) will be appearing in 9.1.


# 4228c8a2 12-May-2012 Joel Dahl <joel@FreeBSD.org>

Remove end of line whitespace.


# 7f4211dd 11-May-2012 Joel Dahl <joel@FreeBSD.org>

Fix .Pp macro.


# 06531226 29-Feb-2012 Martin Matuska <mm@FreeBSD.org>

Bump .Dd to reflect latest update

Reported by: bz
MFC after: 1 week


# 41c0675e 28-Feb-2012 Martin Matuska <mm@FreeBSD.org>

Add procfs to jail-mountable filesystems.

Reviewed by: jamie
MFC after: 1 week


# 638f3782 28-Feb-2012 Martin Matuska <mm@FreeBSD.org>

mdoc(7) style - start new sentences on new line

MFC after: 1 week


# 0c4d49e9 27-Feb-2012 Jamie Gritton <jamie@FreeBSD.org>

Use the devfs_ruleset parameter when mounting a jail's /dev,
instead of a mount.devfs.ruleset pseudo-parameter.


# 46571c7c 27-Feb-2012 Jamie Gritton <jamie@FreeBSD.org>

From r224286:

Document the potential for jail escape.

From r224615:

Always disable mount and unmount for jails with enforce_statfs==2.

From r231267:

A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.

From r232059:

To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:

allow.mount.devfs:
allow mounting the devfs filesystem inside a jail

allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail

From r232186:

allow.mount.zfs:
allow mounting the zfs filesystem inside a jail


# e7af90ab 26-Feb-2012 Martin Matuska <mm@FreeBSD.org>

Analogous to r232059, add a parameter for the ZFS file system:

allow.mount.zfs:
allow mounting the zfs filesystem inside a jail

This way the permissions for mounting all current VFCF_JAIL filesystems
inside a jail are controlled via allow.mount.* jail parameters.

Update sysctl descriptions.
Update jail(8) and zfs(8) manpages.

TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel
developers

MFC after: 10 days


# bf3db8aa 23-Feb-2012 Martin Matuska <mm@FreeBSD.org>

To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:

allow.mount.devfs:
allow mounting the devfs filesystem inside a jail

allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail

Both parameters are disabled by default (equals the behavior before
devfs and nullfs in jails). Administrators have to explicitly allow
mounting devfs and nullfs for each jail. The value "-1" of the
devfs_ruleset parameter is removed in favor of the new allow setting.

Reviewed by: jamie
Suggested by: pjd
MFC after: 2 weeks


# 0cc207a6 09-Feb-2012 Martin Matuska <mm@FreeBSD.org>

Add support for mounting devfs inside jails.

A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.

Utilizes new functions introduced in r231265.

Reviewed by: jamie
MFC after: 1 month


# 4334a36a 31-Jan-2012 Jamie Gritton <jamie@FreeBSD.org>

Better communicate the purpose of "-r *".


# 435d4667 02-Aug-2011 Martin Matuska <mm@FreeBSD.org>

Always disable mount and unmount for jails with enforce_statfs==2.
A working statfs(2) is required for umount(8) in jail.

Reviewed by: pjd, kib
Approved by: re (kib)
MFC after: 2 weeks


# 76e54f99 27-Jul-2011 Benedict Reuschling <bcr@FreeBSD.org>

Revert my last change to this file, as BETA1 is not announced yet.

Pointed out by: kib
Pointy hat to: me
Approved by: re (kib, implicit)


# f49a230f 28-Jul-2011 Benedict Reuschling <bcr@FreeBSD.org>

Add a section to the jail chapter that explains why it is not
recommended to allow root users in the jail to access the host system.

PR: docs/156853
Submitted by: crees
Patch by: crees
Approved by: re (kib) for BETA1


# 1f897ce1 23-Jul-2011 Glen Barber <gjb@FreeBSD.org>

Document the potential for jail escape.

Submitted by: Vedad KAJTAZ (vedad % kajtaz net)
PR: 142341
Reviewed by: bz, rwatson
Rewording by: rwatson
Approved by: re (kensmith)
MFC after: 3 days


# d8352076 17-Jun-2011 Jamie Gritton <jamie@FreeBSD.org>

Update copyright dates and other whitespacey stuff.


# 0f3f5331 08-May-2011 Benedict Reuschling <bcr@FreeBSD.org>

Revert r221655:

Various people voiced their concerns about these changes.
Until this is resolved, we should use the old version.


# 7dc2d689 07-May-2011 Benedict Reuschling <bcr@FreeBSD.org>

Jails have a problem in that if the jail directory is world-readable,
an attacker with root access to the jail can create a setuid binary for
their own use in the host environment (if they also have this access),
thus breaking root in the host.

This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.

PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
MFC after: 9 days


# 2671ee73 20-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

Initial work on the new jail(8). There are more features to add, and some
cleaning up to do on existing features, but this is pretty much what the
final product will look like.


# 0d9deed5 07-Oct-2010 Ulrich Spörlein <uqs@FreeBSD.org>

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd


# 743149d2 08-Aug-2010 Jamie Gritton <jamie@FreeBSD.org>

Back out r210975, which changed documentation to match the now backed-out
r210974.


# 10310d67 06-Aug-2010 Jamie Gritton <jamie@FreeBSD.org>

Note that a jail without a command parameter will be persistent,
instead of explicitly requiring one of "command" or "persist".

MFC after: 3 days


# d4352d29 01-Aug-2010 Joel Dahl <joel@FreeBSD.org>

Spelling fixes.


# 0ed5d065 30-May-2010 Bjoern A. Zeeb <bz@FreeBSD.org>

MFC r199818:

New style of jail(8) usage requires "-c" argument to create a jail.

Approved by: re (hrs)


# 62486687 19-May-2010 Ulrich Spörlein <uqs@FreeBSD.org>

mdoc: consistently spell our email addresses <foo@FreeBSD.org>

Reviewed by: ru


# 35939b04 05-May-2010 Daniel Gerzo <danger@FreeBSD.org>

- fix typo


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# 90bb6389 03-Mar-2010 Xin LI <delphij@FreeBSD.org>

Make 'make manlint' happy. No actual visible change.


# 3bcceea4 23-Jan-2010 Bjoern A. Zeeb <bz@FreeBSD.org>

MFC r202468:

Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.

This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primary jail IP they had been used for
years, as well as for people preferring to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]

Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]


# 592bcae8 16-Jan-2010 Bjoern A. Zeeb <bz@FreeBSD.org>

Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.

This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primary jail IP they had been used for
years, as well as for people preferring to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]

Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]
MFC After: 2 weeks
Asked for by: Jase Thew (bazerka beardz.net)


# ce8ad96a 25-Nov-2009 Jun Kuriyama <kuriyama@FreeBSD.org>

- New style of jail(8) usage requires "-c" argument to create a jail.

Reviewed by: jamie


# f36e7051 01-Nov-2009 Ed Schouten <ed@FreeBSD.org>

MFC various commits back to stable/8:

SVN r197174:
Make sure we never place the cursor outside the screen.

For some vague reason, it may be possible that scp->cursor_pos exceeds
scp->ysize * scp->xsize. This means that teken_set_cursor() may get
called with an invalid position. Just ignore the old cursor position in
this case.

Reported by: Paul B. Mahol <onemda gmail com>

SVN r198213:
Make lock devices work properly.

It turned out I did add the code to use the init state devices to set
the termios structure when opening the device, but it seems I totally
forgot to add the bits required to force the actual locking of flags
through the lock state devices.

Reported by: ru

SVN r198215, r198217:
Fix a typo in the jail(8) manpage.

Submitted by: Jille Timmermans <jille quis cx>

SVN r198216:
Fix quoting in a comment, to make it look more consistent

Submitted by: Jille Timmermans <jille quis cx>

SVN r198223:
Properly set the low watermarks when reducing the baud rate.

Now that buffers are deallocated lazily, we should not use
tty*q_getsize() to obtain the buffer size to calculate the low
watermarks. Doing this may cause the watermark to be placed outside the
typical buffer size.

This caused some regressions after my previous commit to the TTY code,
which allows pseudo-devices to resize the buffers as well.

Reported by: yongari, dougb


# 5fd658af 18-Oct-2009 Ed Schouten <ed@FreeBSD.org>

Don't forget to increment the man page date.

Reported by: bz


# f19fa944 18-Oct-2009 Ed Schouten <ed@FreeBSD.org>

Fix a typo in the jail(8) manpage.

Submitted by: Jille Timmermans <jille quis cx>
MFC after: 1 week


# 7cbf7213 25-Jul-2009 Jamie Gritton <jamie@FreeBSD.org>

Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by: re (kib), bz (mentor)
Discussed with: rwatson


# f9bc4dcb 08-Jul-2009 Jamie Gritton <jamie@FreeBSD.org>

Fix a typo in the examples.

Approved by: re (kib), bz (mentor)


# b97457e2 23-Jun-2009 Jamie Gritton <jamie@FreeBSD.org>

Add a limit for child jails via the "children.cur" and "children.max"
parameters. This replaces the simple "allow.jails" permission.

Approved by: bz (mentor)


# 0fe7ed00 07-Jun-2009 Joseph Koshy <jkoshy@FreeBSD.org>

Fix grammar.

Submitted by: richardtoohey at paradise dot net dot nz on -doc


# 76ca6f88 29-May-2009 Jamie Gritton <jamie@FreeBSD.org>

Place hostnames and similar information fully under the prison system.
The system hostname is now stored in prison0, and the global variable
"hostname" has been removed, as has the hostname_mtx mutex. Jails may
have their own host information, or they may inherit it from the
parent/system. The proper way to read the hostname is via
getcredhostname(), which will copy either the hostname associated with
the passed cred, or the system hostname if you pass NULL. The system
hostname can still be accessed directly (and without locking) at
prison0.pr_host, but that should be avoided where possible.

The "similar information" referred to is domainname, hostid, and
hostuuid, which have also become prison parameters and had their
associated global variables removed.

Approved by: bz (mentor)


# 88812d9e 29-May-2009 Jamie Gritton <jamie@FreeBSD.org>

Fix some inaccuracies in the extensible parameter addition.

Approved by: bz (mentor)


# 73d0971b 27-May-2009 Jamie Gritton <jamie@FreeBSD.org>

Add support for the arbitrary named jail parameters used by jail_set(2)
and jail_get(2). Jail(8) can now create jails using a "name=value"
format instead of just specifying a limited set of fixed parameters; it
can also modify parameters of existing jails. Jls(8) can display all
parameters of jails, or a specified set of parameters. The available
parameters are gathered from the kernel, and not hard-coded into these
programs.

Small patches on killall(1) and jexec(8) to support jail names with
jail_get(2).

Approved by: bz (mentor)


# 6e2dc053 24-Jan-2009 Bjoern A. Zeeb <bz@FreeBSD.org>

New sentence starts on a new line.

MFC after: 2 week


# 2737772d 24-Jan-2009 Bjoern A. Zeeb <bz@FreeBSD.org>

Update the description of the '-h' option wrt to primary addresses
per address family and add a reference to the ip-addresses option.

MFC after: 1 week


# 12aec2f2 17-Jan-2009 Bjoern A. Zeeb <bz@FreeBSD.org>

s,unmount 8,umount 8, it is unmount(2) which I did not mean.

Submitted by: pluknet@gmail.com
MFC after: 1 week


# d65e5ff8 12-Jan-2009 Maxim Konovalov <maxim@FreeBSD.org>

o Sort .Xr.


# 0bd0dfaa 11-Jan-2009 Bjoern A. Zeeb <bz@FreeBSD.org>

Add a short section talking about jails and file systems; mention the
mount and jail-aware file systems as well as quota.

PR: kern/68192
Reviewed by: simon
MFC after: 2 weeks


# 413628a7 29-Nov-2008 Bjoern A. Zeeb <bz@FreeBSD.org>

MFp4:
Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addition to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the aforementioned and in kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
on cluster machines as well as all the testers and people
who provided feedback the last months on freebsd-jail and
other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by: (see above)
MFC after: 3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# 4e9f3417 05-Apr-2007 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Bump date.


# f3a8d2f9 05-Apr-2007 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Add security.jail.mount_allowed sysctl, which allows to mount and
unmount jail-friendly file systems from within a jail.
Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and
PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user.
It is turned off by default.

A jail-friendly file system is a file system whose driver registers
itself with VFCF_JAIL flag via VFS_SET(9) API.
The lsvfs(1) command can be used to see which file systems are
jail-friendly ones.

There are currently no jail-friendly file systems, ZFS will be the first one.
In the future we may consider marking file systems like nullfs as
jail-friendly.

Reviewed by: rwatson


# 91f9dc84 21-Nov-2006 Craig Rodrigues <rodrigc@FreeBSD.org>

Change mount_devfs reference to "mount -t devfs".

Reminded by: ru


# bc84aa4b 29-Sep-2006 Ruslan Ermilov <ru@FreeBSD.org>

Markup fixes.


# f855cc4f 10-Jun-2006 Bjoern A. Zeeb <bz@FreeBSD.org>

Use IP addresses out of "TEST-NET" (for use in documentation and
example code) [RFC3330].

Reviewed by: simon


# 0f9fc191 28-May-2006 Simon L. B. Nielsen <simon@FreeBSD.org>

Revert 1.73, since mounting devfs without a devfs ruleset inside a
jail is a very bad idea security wise.

Approved by: trhodes (jcamou mentor)
No response: jcamou


# fdf1353c 28-May-2006 Matteo Riondato <matteo@FreeBSD.org>

Mention ruleset #4 (devfsrules_jail) in jail's man page.

MFC after: 3


# 7deb00cc 11-May-2006 Matteo Riondato <matteo@FreeBSD.org>

Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.

PR: bin/80242
MFC after: 2 weeks


# feefdb0c 10-May-2006 Matteo Riondato <matteo@FreeBSD.org>

Use .Vt for struct xprison
Suggested by: keramida


# f7bb7136 08-May-2006 Matteo Riondato <matteo@FreeBSD.org>

document security.jail.list sysctl in jail(8)

PR: docs/96807
MFC after: 3


# 17d10fcc 03-May-2006 Maxim Konovalov <maxim@FreeBSD.org>

o Document security.jail.jailed sysctl.

PR: docs/94711
Submitted by: Andreas Kohn
MFC after: 2 weeks


# 888a664b 16-Mar-2006 Jesus R. Camou <jcamou@FreeBSD.org>

Do `mount_devfs' when starting a jail.

PR: docs/86044
Noticed by: Dan Langille <dan@langille.org>
Reviewed by: Jose Biskofski <jbiskofski@grmims.com>
Approved by: trhodes (mentor)


# cdafc851 03-Dec-2005 Philip Paeps <philip@FreeBSD.org>

Add [-J jid_file] option to write out a JidFile, similar to a PidFile,
containing the jailid, path, hostname, ip and the command used to start
the jail.

PR: misc/89883
Submitted by: L. Jason Godsey <lannygodsey -at- yahoo.com>
Reviewed by: phk
MFC after: 1 week


# fd891a57 26-Oct-2005 Giorgos Keramidas <keramida@FreeBSD.org>

Note that the jail setup example is meant to be fed to sh(1), not csh(1).

PR: docs/87351
Submitted by: "Eli K. Breen" <bsd@unixforge.net>
Approved by: simon, brooks
MFC after: 3 days


# 23fe4fa2 07-Aug-2005 Christian Brueffer <brueffer@FreeBSD.org>

Add some more info about jail startup and shutdown.

Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
MFC after: 3 days


# 11af798c 25-Jul-2005 Tilman Keskinoz <arved@FreeBSD.org>

Move DNS configuration before sendmail configuration, because
newaliases(1) may hang without proper DNS configuration.

Approved by: brueffer


# c8158501 19-Jul-2005 Jesus R. Camou <jcamou@FreeBSD.org>

Mention that it is possible to have jails
started at boot time if specified in
/etc/rc.conf.

PR: docs/81040
Submitted by: matteo
Approved by: trhodes (mentor)
MFC after: 1 week


# 9d73fabd 13-Jun-2005 Ruslan Ermilov <ru@FreeBSD.org>

Markup fixes.

Approved by: re (blanket)


# 98b60f9d 09-Jun-2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Update manual page after sysctl rename.

Corrected by: brueffer


# 2856a282 28-May-2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Document 'jid' keyword for ps(1) and '-j' option for pgrep(1)/pkill(1).


# 870739f5 14-May-2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Remove symbolic link kernel->dev/null creation. We don't need it in 5.x/6.x
world (there is no /kernel file anymore).

Reminded by: Isaac Levy presentation


# 214b17c2 30-Apr-2005 Joel Dahl <joel@FreeBSD.org>

Fix spelling errors.

Approved by: brueffer (mentor)


# 9bdd3e84 26-Feb-2005 Ruslan Ermilov <ru@FreeBSD.org>

Added the convenience "distribution" target which calls the
target of the same name from src/etc/Makefile with a proper
environment, suitable to be used during upgrades and cross-
builds.


# 79653046 08-Feb-2005 Colin Percival <cperciva@FreeBSD.org>

Add a new sysctl, "security.jail.chflags_allowed", which controls the
behaviour of chflags within a jail. If set to 0 (the default), then a
jailed root user is treated as an unprivileged user; if set to 1, then
a jailed root user is treated the same as an unjailed root user.

This is necessary to allow "make installworld" to work inside a jail,
since it attempts to manipulate the system immutable flag on certain
files.

Discussed with: csjp, rwatson
MFC after: 2 weeks


# ead5223f 21-Jan-2005 Ruslan Ermilov <ru@FreeBSD.org>

Fixed punctuation in xrefs.


# 1a74e6a1 11-Jan-2005 Ruslan Ermilov <ru@FreeBSD.org>

Scheduled mdoc(7) sweep.


# 5b242e8c 15-Aug-2004 Maxim Konovalov <maxim@FreeBSD.org>

o Add -l option to jail(8) similar to su(1): before running jail'ed
program under specific user's credentials, clean the environment and
set only a few variables.

PR: bin/70024
Submitted by: demon
MFC after: 1 month


# 07bfccd7 02-Jul-2004 Ruslan Ermilov <ru@FreeBSD.org>

Mechanically kill hard sentence breaks.


# eba9a3d1 05-Jun-2004 Ruslan Ermilov <ru@FreeBSD.org>

Markup nits.


# 44f79297 01-Jun-2004 Christian S.J. Peron <csjp@FreeBSD.org>

Sentences should not start with conjunctions. Change "Because"
to "Since".

Pointed out by: Ceri


# 8bac4dbf 31-May-2004 Christian S.J. Peron <csjp@FreeBSD.org>

Add a warning note to security.jail.allow_raw_sockets
about the risks of enabling raw sockets in prisons.

Because raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to
untrusted parties. As such, by default this option is disabled.

A few others and I are currently auditing the kernel
source code to ensure that the use of raw sockets by
privileged prison users is safe.

Approved by: bmilekic (mentor)


# 927b4810 29-May-2004 Maxim Konovalov <maxim@FreeBSD.org>

o Implement -U flag: run command as user which exists only in jail.
o getpwnam(3) returns NULL and does not set errno when the user does
not exist. Bail out with "no such user" instead of "Unknown error: 0".

PR: bin/67262
Submitted by: demon (-U flag)
MFC after: 3 weeks


# 3e580b38 20-May-2004 Daniel Harris <dannyboy@FreeBSD.org>

Typos and nits.


# 147110cb 19-May-2004 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Document security.jail.getfsstatroot_only sysctl.

Obtained from: rwatson's commit log
Approved by: rwatson


# b2206719 04-May-2004 Simon L. B. Nielsen <simon@FreeBSD.org>

mdoc(7) cleanup for the last commit to this file.

OK'ed by: bmilekic


# 5fb5184a 03-May-2004 Bosko Milekic <bmilekic@FreeBSD.org>

Amend jail(8) man page to explain new sysctl for raw-sockets
inside jails, Christian's last submission.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>


# 82d4902d 06-Feb-2004 Lukas Ertl <le@FreeBSD.org>

Correct typo.


# a5ca5c1a 19-Nov-2003 Robert Watson <rwatson@FreeBSD.org>

A variety of content cleanups:

(1) Document the notion of using jail(8) to run "virtual servers" or
just to constrain specific applications. If only running specific
applications, some configuration steps are unnecessary (such as
editing rc.conf).

(2) Add some more subsection headers to break up the bigger chunks of
text.

(3) Clarify the problems associated with applications binding all IP
addresses in the host, and attempt to be more specific about
potential application problems. Document how to force sshd to
bind the right socket.

(4) Suggest that in a jailed application scenario, you might want to
have the host syslogd listen on the socket in the jail, rather
than running syslogd in the jail.

(5) Catch another reference to /stand/sysinstall.

Approved by: re (bmah implicitly)


# 9395ecb1 19-Nov-2003 Robert Watson <rwatson@FreeBSD.org>

No need to copy sysinstall into a jail with -CURRENT, since in
-CURRENT, we have /usr/sbin/sysinstall.

Approved by: re (bmah implicitly)


# d1b10a62 11-Nov-2003 Ken Smith <kensmith@FreeBSD.org>

- Add a note that there are two MIB variables that have per-jail
settings.

Reviewed by: rwatson
Approved by: blackend (mentor)


# d82dae3e 26-Jun-2003 Robert Watson <rwatson@FreeBSD.org>

When pointing users at mount_devfs to populate the /dev of a jail,
tell them that they also need to use devfs rules to prevent
inappropriate devices from appearing in the jail; add an Xref. In
earlier versions of this man page, the user was instructed to use
sh MAKEDEV jail, which only created a minimal set of device nodes.


# ebf5d9bc 08-Apr-2003 Mike Barcroft <mike@FreeBSD.org>

o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
jail.
o Add -i option to jail(8) to output jail ID of newly created jail.


# d6131f4b 26-Mar-2003 Maxim Konovalov <maxim@FreeBSD.org>

o Add -u <username> flag to jail(8): set user context before exec.

PR: bin/44320
Submitted by: Mike Matsnev <mike@po.cs.msu.su>
Reviewed by: -current
MFC after: 6 weeks


# 3b8a7d4f 18-Mar-2003 Maxim Konovalov <maxim@FreeBSD.org>

portmap_enable -> rpcbind_enable.

Spotted by: Andrew Khlebutin <andreyh@perm.ru>


# 35adbc4d 28-Feb-2003 Giorgos Keramidas <keramida@FreeBSD.org>

Remove traces of MAKEDEV & add xref to mount_devfs(8).
DEVFS is now mandatory in CURRENT.

PR: docs/48095
Submitted by: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>


# c0dc3446 22-Oct-2002 Poul-Henning Kamp <phk@FreeBSD.org>

Fix example, we do not need NO_MAKEDEV_RUN any more.

XXX: this example should be updated with a good example of devfs(8) rules.


# 490d5836 14-Jul-2002 Philippe Charnier <charnier@FreeBSD.org>

The .Nm utility


# a0cfa939 20-May-2002 Dima Dorfman <dd@FreeBSD.org>

Fix IP address typo.

PR: 38313
Submitted by: Jeff Ito <jeffi@rcn.com>


# d0615c64 15-Jan-2002 Andrew R. Reiter <arr@FreeBSD.org>

- Attempt to help declutter kern. sysctl by moving security out from
beneath it.

Reviewed by: rwatson


# fe9a332d 10-Jan-2002 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: ispell rev. 1.32.


# 3551a1c5 10-Jan-2002 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: tidy up previous delta.


# c579474c 14-Dec-2001 Poul-Henning Kamp <phk@FreeBSD.org>

Add some wisdom to the jail setup instructions.


# 1a6ec3e8 14-Dec-2001 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police overhaul.


# 94b3b598 11-Dec-2001 Andrew R. Reiter <arr@FreeBSD.org>

- Update the sysctl mibs in order to reflect the recent kern_jail.c
changes.

Approved by: rwatson
Reviewed by: rwatson


# 979d474a 03-Sep-2001 Dima Dorfman <dd@FreeBSD.org>

syslogd can now be configured to bind to a specific address.


# 4b526751 26-Aug-2001 Dima Dorfman <dd@FreeBSD.org>

This is not jail(2), or anything else suitable to be referenced with .Fn.


# f247324d 15-Jul-2001 Dima Dorfman <dd@FreeBSD.org>

Remove whitespace at EOL.


# a4c37c81 10-Jul-2001 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: removed HISTORY info from the .Os call.


# e287e9b1 05-Jul-2001 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: sort xrefs.


# 8657581b 07-Jun-2001 Maxim Sobolev <sobomax@FreeBSD.org>

Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by: .Xr testing script


# 723f7e30 29-Mar-2001 Jeroen Ruigrok van der Werven <asmodai@FreeBSD.org>

Change NO_MAKEDEV to a finer granularity method:
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN. The former implying the latter.
The names imply what they do. The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV. This should satisfy both parties on the MAKEDEV
challenge.
Reflect this in the documentation.


# 9a67c2cd 11-Mar-2001 Robert Watson <rwatson@FreeBSD.org>

o Replace part-wise instructions for building world for jail(8) with
a simple make world; while this does a bit more work, it means that
jail(8) doesn't have to be kept in sync with /usr/src/Makefile{,.inc1}
which is a moving target. MFC candidate.

Submitted by: FUJISHIMA Satsuki <sf@FreeBSD.org>
Reviewed by: phk
Also pointed out by: Phil Kernick <Phil@Kernick.org>


# 610a5778 01-Feb-2001 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: split punctuation characters + misc fixes.


# ed403116 14-Dec-2000 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: removed history info from the .Os FreeBSD call.


# e97407b4 20-Nov-2000 Ruslan Ermilov <ru@FreeBSD.org>

mdoc(7) police: use the new features of the Nm macro.


# b5c508fb 14-Nov-2000 Ruslan Ermilov <ru@FreeBSD.org>

Use Fx macro wherever possible.


# 12d1ad83 01-Nov-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Whitespace only: Correct poor line-breaking introduced in rev 1.17,
which was limited to correcting mark-up.


# 88a2f8f5 01-Nov-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Correct mark-up used in rev 1.16, as discussed with its contributor:

* Use a sub-section (Ss) instead of a section (Sh) for
"Sysctl MIB Entries".

* Use a tagged list (Bl, El and It) instead of sub-sections (Ss) for
the actual MIB entries.

* Mark paths up as such (Pa).

* Mark defined values up as such (Dv).


# 98965ada 30-Oct-2000 Robert Watson <rwatson@FreeBSD.org>

o Document various sysctl's available for managing services available
within jail()


# 00f1e962 08-Jul-2000 Daniel Harris <dannyboy@FreeBSD.org>

Typo: "is unreliably by default" to "is unreliable by default".

PR: 19411
Submitted by: Benno Rice <benno@netizen.com.au>


# 69bd852d 23-Mar-2000 Mike Pritchard <mpp@FreeBSD.org>

Some minor mdoc style and spelling fixes.


# f2e366a1 01-Mar-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.


# d98722bc 19-Feb-2000 Robert Watson <rwatson@FreeBSD.org>

- As jail(8) has been almost completely rewritten, prepend another copyright/
BSD-style license, as an add-on to phk's beerware license. Please fedex
some beer to phk.

- Add a ``make depend'' line to the jail-building, which fixes openssl,
among other things. Suggested by: kris

- Add ``newaliases'' to the list of things to do when setting up a new
jail, so that the jailed sendmail doesn't complain.

- Correct references to ``kern.jail.set_hostname_allowed'' which now read
``jail.set_hostname_allowed''.

- Add a reference to sysctl.conf where the sysctl can easily be set in
a persistent way.

- Add a list of cross references to the man page.

- Fix a formatting nit or two.


# c2edcb1a 18-Feb-2000 Robert Watson <rwatson@FreeBSD.org>

Fix up a few documentation nits in jail(8), as well as improve the
instructions so as to reduce warnings during jail startup, etc.
Add a somewhat bolder warning recommending the use of
kern.jail.set_hostname to limit jail renaming.


# 09aa405f 16-Feb-2000 Robert Watson <rwatson@FreeBSD.org>

Modified jail.8 to correct a typo (inetd_flas vs. inetd_flags), and add
a comment to the effect that I'm responsible for the additional
documentation, et al, so that phk gets fewer messages about my errors.


# 05181f63 12-Feb-2000 Chris Costello <chris@FreeBSD.org>

Add Robert Watson's much extended documentation including that of the
kern.jail.set_hostname_allowed sysctl MIB.

Submitted by: rwatson


# 34d226d7 08-Feb-2000 Robert Watson <rwatson@FreeBSD.org>

Clean up the jail(8) documentation so that it suggests building a jail
userland in a safer way. Using the NO_MAKEDEV argument in make
distribution prevents the creation of a number of unsafe device nodes
in the jailed /dev, including disk devices, and more. This depends
on an earlier commit to /etc/Makefile to provide the NO_MAKEDEV
support.

Approved by: jkh


# 5e4614fe 21-Dec-1999 Jeroen Ruigrok van der Werven <asmodai@FreeBSD.org>

Properly manify this manpage.


# ad1720d3 05-Dec-1999 Poul-Henning Kamp <phk@FreeBSD.org>

A procfs mount is no longer needed for a jail.


# 97d92980 27-Aug-1999 Peter Wemm <peter@FreeBSD.org>

$Id$ -> $FreeBSD$


# df99b423 09-Jul-1999 Poul-Henning Kamp <phk@FreeBSD.org>

Add example of how to create a jail.


# c020621f 05-May-1999 Poul-Henning Kamp <phk@FreeBSD.org>

Various cosmetics.

Submitted by: Rudolf Cejka <cejkar@dcse.fee.vutbr.cz>
Reviewed by: phk


# ce5c1cd1 04-May-1999 Poul-Henning Kamp <phk@FreeBSD.org>

Fix various bogons.

Submitted by: Rudolf Cejka <cejkar@dcse.fee.vutbr.cz>
Reviewed by: phk


# 75c13541 28-Apr-1999 Poul-Henning Kamp <phk@FreeBSD.org>

This Implements the mumbled about "Jail" feature.

This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

I have no scripts for setting up a jail, don't ask me for them.

The IP number should be an alias on one of the interfaces.

mount a /proc in each jail, it will make ps more useable.

/proc/<pid>/status tells the hostname of the prison for
jailed processes.

Quotas are only sensible if you have a mountpoint per prison.

There are no provisions for stopping resource-hogging.

Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/