Continuing from the last post, where we deployed a jail, we will now see how to tune the restrictions on our jails through sysctl, specifically the security.jail.* MIB entries of the FreeBSD kernel. Below are some useful entries together with their meaning. Keep in mind that these entries are global: they apply to every jail on the host, and most of the values shown here loosen the default restrictions, so enable only what a given service actually needs.

– Determines whether the root user inside a jail can create raw sockets. Unlike standard sockets, raw sockets send and receive packets including the protocol headers; they are needed by tools such as ping(8) and traceroute(8) (ICMP) and by protocols such as IGMP or OSPF. Allowing them lets a jailed root craft arbitrary packets, so leave this at its default of 0 unless a service really requires it:

security.jail.allow_raw_sockets=1

– Determines whether jails can change their hostname (enabled by default; a compromised jail could use this to confuse logging and management scripts, so setting it to 0 is the safer choice):

security.jail.set_hostname_allowed=1

– Limits jails to the address families known to the jail: when set to 1 (the default) a jailed process may only create PF_LOCAL (UNIX domain), PF_INET, PF_INET6 and PF_ROUTE sockets; when set to 0 other socket types are allowed as well:

security.jail.socket_unixiproute_only=1

– Determines what information processes in a jail can obtain about mount points. It affects the behaviour of the statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2) system calls: 0 means all mount points are visible without restriction, 1 means only mount points below the jail's chroot directory are visible, and 2 (the default) means these system calls operate only on the mount point where the jail's chroot directory is located:

security.jail.enforce_statfs=2

– Determines whether a privileged process inside a jail is treated as privileged by chflags(2), i.e. whether jailed root may change the system file flags (such as schg). With the default of 0 it is treated as an unprivileged user. Note that the MIB entry is named chflags_allowed:

security.jail.chflags_allowed=1

– IPC (Inter-Process Communication) lets a group of processes exchange data or send commands to each other. System V UNIX defines three IPC mechanisms: message queues, semaphores and shared memory. Enabling this entry may be necessary to run services such as Apache or PostgreSQL, which use System V shared memory. Be aware that in this jail implementation System V IPC shares a single namespace across the host and all jails, so a process in one jail can communicate with, and potentially interfere with, IPC objects of the host and of other jails; that is why it is disabled by default:

security.jail.sysvipc_allowed=1

We can change these entries from the command line with sysctl(8), for example:

# sysctl security.jail.sysvipc_allowed=1

The -d flag prints the description of an entry instead of its value, which is handy to check what a knob does before touching it:

# sysctl -d security.jail.sysvipc_allowed

To make a change persistent across reboots, add the entry to /etc/sysctl.conf, one name=value per line:

security.jail.sysvipc_allowed=1

After changing the entries, the jails must be restarted for the new configuration to take effect; for the jail named http from the previous post:

# /etc/rc.d/jail restart http

You can list all the security.jail entries with their current values using:

# sysctl -a security.jail

On newer FreeBSD releases the same controls also exist as per-jail parameters (allow.raw_sockets, allow.set_hostname, allow.socket_af, enforce_statfs, allow.chflags and allow.sysvipc, see jail(8)), and the global security.jail.* values only act as defaults for jails created without those parameters. Where available, prefer setting them per jail and keep the global entries at their restrictive defaults, so that enabling SysV IPC for a database jail does not silently enable it for every other jail on the host.
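Because these entries are global and easy to loosen and forget, it is worth checking them as part of a host audit. The following script is an added example, not code from the original post: it reads the output of sysctl security.jail and reports every entry that deviates from a restrictive baseline. The MIB names are the ones documented in jail(8); the baseline values are my own assumed hardened choice, and the sample sysctl output embedded below is constructed so the script runs offline on any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post): audit the security.jail.* MIB
# entries of a host against a restrictive baseline and report every entry that
# has been loosened.  Works on any POSIX sh; the sysctl names are the ones
# documented in jail(8), the baseline values are an assumed hardened choice.

# Restrictive baseline, one "name value" per line (assumption: the strictest
# setting of each entry discussed in the post).
jail_baseline() {
cat <<'EOF'
security.jail.allow_raw_sockets 0
security.jail.set_hostname_allowed 0
security.jail.socket_unixiproute_only 1
security.jail.enforce_statfs 2
security.jail.chflags_allowed 0
security.jail.sysvipc_allowed 0
EOF
}

# Constructed sample of what `sysctl security.jail` prints on a host where
# raw sockets, hostname changes and SysV IPC were enabled for some jail.
sample_sysctl_output() {
cat <<'EOF'
security.jail.jailed: 0
security.jail.allow_raw_sockets: 1
security.jail.set_hostname_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.enforce_statfs: 2
security.jail.chflags_allowed: 0
security.jail.sysvipc_allowed: 1
EOF
}

# Reads "name: value" lines (the sysctl(8) output format) on stdin.  Prints one
# line "name current expected" per entry that deviates from the baseline and
# returns 1 if any deviation was found, 0 otherwise.  Entries that are not in
# the baseline (e.g. security.jail.jailed) are ignored.
audit_jail_sysctls() {
    _found=0
    _baseline=$(jail_baseline)
    while IFS= read -r _line; do
        case $_line in
            security.jail.*:*) ;;
            *) continue ;;          # outside the security.jail subtree
        esac
        _name=${_line%%:*}
        _value=${_line#*:}
        _value=${_value# }          # drop the single space after the colon
        _expected=$(printf '%s\n' "$_baseline" | awk -v n="$_name" '$1 == n { print $2 }')
        [ -z "$_expected" ] && continue
        if [ "$_value" != "$_expected" ]; then
            printf '%s %s %s\n' "$_name" "$_value" "$_expected"
            _found=1
        fi
    done
    return $_found
}

# Usage on a FreeBSD host:   sysctl security.jail | audit_jail_sysctls
# Offline demonstration with the constructed sample:
sample_sysctl_output | audit_jail_sysctls \
    || printf 'one or more security.jail entries are looser than the baseline\n' >&2
```

On the constructed sample the script flags allow_raw_sockets, set_hostname_allowed and sysvipc_allowed (current value 1, expected 0) and leaves the rest alone; on a real host pipe sysctl security.jail into audit_jail_sysctls and adjust the baseline to whatever your jails genuinely need.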

Sources:

http://www.ibm.com/developerworks/aix/library/au-ipc/

http://www.freebsd.org/cgi/man.cgi?query=jail

Implementation of FreeBSD Jails (Part II): Tuning Jails