git: f243b7e5d6 - main - Status/2023Q2/service-jails.adoc: Add report

From: Lorenzo Salvadore <>
Date: Wed, 05 Jul 2023 15:36:38 UTC
The branch main has been updated by salvadore:


commit f243b7e5d622fe00ee446f8705dcbdb54ef2c905
Author:     Alexander Leidinger <>
AuthorDate: 2023-07-05 12:20:15 +0000
Commit:     Lorenzo Salvadore <>
CommitDate: 2023-07-05 15:34:24 +0000

    Status/2023Q2/service-jails.adoc: Add report
    Reviewed by:    status (Pau Amma <>)
    Approved by:    dbaio (mentor, implicit)
 .../report-2023-04-2023-06/service-jails.adoc      | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
new file mode 100644
index 0000000000..efb58e7163
--- /dev/null
+++ b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc
@@ -0,0 +1,27 @@
+=== Service Jails - automatic jailing of rc.d services
+Links: +
+link:[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:[] +
+link:[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:[] +
+link:[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:[]
+Contact: Alexander Leidinger <>
+Service Jails are an extension to the rc system which allows automatic jailing of rc.d services.
+Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default.
+Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]).
+If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have
+While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user.
+The patches in the links are a rewrite of link:[what I presented in 2019].
+The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8].
+My intent is to commit link:[D40369] before the branch of 14-stable (which may have happened already when you read this).
+I will not commit link:[D40370] and link:[D40371] before 14.0 is released and both would benefit of some more eyes looking at them.