Continuing with the last post deploying a Jail, now We’ll see how to personalize the restrictions of our jails over sysctl configuration, specifically using the directive security.jail.* for the FreeBSD Kernel. I’ll show some useful directives to configure and his definition:
– Determines if the root user can create raw sockets (raw sockets in contrast of standard sockets, raw sockets receives and sends raw packets including the headers), used in ICMP, IGMP or OSPF protocols:
security.jail.allow_raw_sockets=1
– Jails can change heir hostname:
security.jail.set_hostname_allowed=1
– Limit jails to allow only the network protocols known by the jail:
security.jail.socket_unixiproute_only=1
– Determines which information processes in a jail are able to get information about the mount points. Affects in the behaviours of the system calls statfs, fstatfs, getfstatfs and fhstatfs. (0 can view all mountpoints without restrictions, 1 only mountpoints below the jails chroot and 2 above syscalls can operate only on a mount point where the jail chroot directory is located):
security.jail.enforce_statfs= 2
– Processes can modify the file system flags:
security.jail.chflags_allow=1
– IPC (Inter Process Communication) is used in programming for the communication between a group of processes to exchange data or send commands. The SysV Unix specification describes three mechanisms for IPC (Messages queues, semaphors and shared memory). This directive may be necessary to run Apache or PostgreSQL services to allow sysvipc:
security.jail.sysvipc_allowed=1
We can configure this directive with the command line sysctl, for example:
# sysctl -d
or editing manually the file /etc/sysctl.conf
After changing the directives is necessary restart the jails to take effect the new configuration:
# /etc/rc.d/jail restart http
You can see all the directives with his values on jails configured with the next command:
# sysctl -a security.jail
Sources:
http://www.ibm.com/developerworks/aix/library/au-ipc/
http://www.freebsd.org/cgi/man.cgi?query=jail