svn commit: r214121 - projects/jailconf/lib/libc/sys

Jamie Gritton jamie at FreeBSD.org
Wed Oct 20 21:19:37 UTC 2010


Author: jamie
Date: Wed Oct 20 21:19:36 2010
New Revision: 214121
URL: http://svn.freebsd.org/changeset/base/214121

Log:
  Remove a section that went to jail(8), and fix a small grammar error.

Modified:
  projects/jailconf/lib/libc/sys/jail.2

Modified: projects/jailconf/lib/libc/sys/jail.2
==============================================================================
--- projects/jailconf/lib/libc/sys/jail.2	Wed Oct 20 21:18:21 2010	(r214120)
+++ projects/jailconf/lib/libc/sys/jail.2	Wed Oct 20 21:19:36 2010	(r214121)
@@ -247,44 +247,6 @@ They return \-1 on failure, and set
 to indicate the error.
 .Pp
 .Rv -std jail_attach jail_remove
-.Sh PRISON?
-Once a process has been put in a prison, it and its descendants cannot escape
-the prison.
-.Pp
-Inside the prison, the concept of
-.Dq superuser
-is very diluted.
-In general,
-it can be assumed that nothing can be mangled from inside a prison which
-does not exist entirely inside that prison.
-For instance the directory
-tree below
-.Dq Li path
-can be manipulated all the ways a root can normally do it, including
-.Dq Li "rm -rf /*"
-but new device special nodes cannot be created because they reference
-shared resources (the device drivers in the kernel).
-The effective
-.Dq securelevel
-for a process is the greater of the global
-.Dq securelevel
-or, if present, the per-jail
-.Dq securelevel .
-.Pp
-All IP activity will be forced to happen to/from the IP number specified,
-which should be an alias on one of the network interfaces.
-All connections to/from the loopback address
-.Pf ( Li 127.0.0.1
-for IPv4,
-.Li ::1
-for IPv6) will be changed to be to/from the primary address
-of the jail for the given address family.
-.Pp
-It is possible to identify a process as jailed by examining
-.Dq Li /proc/<pid>/status :
-it will show a field near the end of the line, either as
-a single hyphen for a process at large, or the name currently
-set for the prison for jailed processes.
 .Sh ERRORS
 The
 .Fn jail
@@ -413,7 +375,7 @@ and
 .Fn jail_attach
 call
 .Xr chroot 2
-internally, so it can fail for all the same reasons.
+internally, so they can fail for all the same reasons.
 Please consult the
 .Xr chroot 2
 manual page for details.


More information about the svn-src-projects mailing list