git: f243b7e5d6 - main - Status/2023Q2/service-jails.adoc: Add report
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 05 Jul 2023 15:36:38 UTC
The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=f243b7e5d622fe00ee446f8705dcbdb54ef2c905 commit f243b7e5d622fe00ee446f8705dcbdb54ef2c905 Author: Alexander Leidinger <netchild@FreeBSD.org> AuthorDate: 2023-07-05 12:20:15 +0000 Commit: Lorenzo Salvadore <salvadore@FreeBSD.org> CommitDate: 2023-07-05 15:34:24 +0000 Status/2023Q2/service-jails.adoc: Add report Reviewed by: status (Pau Amma <pauamma@gundo.com>) Approved by: dbaio (mentor, implicit) --- .../report-2023-04-2023-06/service-jails.adoc | 27 ++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/website/content/en/status/report-2023-04-2023-06/service-jails.adoc b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc new file mode 100644 index 0000000000..efb58e7163 --- /dev/null +++ b/website/content/en/status/report-2023-04-2023-06/service-jails.adoc @@ -0,0 +1,27 @@ +=== Service Jails - automatic jailing of rc.d services + +Links: + + +link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] + +link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + +link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] + +Contact: Alexander Leidinger <netchild@FreeBSD.org> + +Service Jails are an extension to the rc system which allows automatic jailing of rc.d services. +Service jails inherit the filesystem of the parent host or jail, but use all the other limits of a jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. +Additional configuration allows to inherit the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). + +If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, you simply have to change rc.conf to have +---- +local_unbound_svcj_options=net_basic +local_unbound_svcj=YES +---- + +While this doesn't have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup while providing some of the security benefits of a jail like hiding other processes of the same user. + +The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019]. +The main difference is that an ENV variable is used to do some more rational tracking and as such requires a change to man:service[8]. + +My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of 14-stable (which may have happened already when you read this). +I will not commit link:https://reviews.freebsd.org/D40370[D40370] and link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both would benefit of some more eyes looking at them.