Date: Wed, 20 Oct 2010 21:19:36 +0000 (UTC)
From: Jamie Gritton <jamie@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r214121 - projects/jailconf/lib/libc/sys
Message-ID: <201010202119.o9KLJaZi069215@svn.freebsd.org>
Author: jamie Date: Wed Oct 20 21:19:36 2010 New Revision: 214121 URL: http://svn.freebsd.org/changeset/base/214121 Log: Remove a section that went to jail(8), and fix a small grammar error. Modified: projects/jailconf/lib/libc/sys/jail.2 Modified: projects/jailconf/lib/libc/sys/jail.2 ============================================================================== --- projects/jailconf/lib/libc/sys/jail.2 Wed Oct 20 21:18:21 2010 (r214120) +++ projects/jailconf/lib/libc/sys/jail.2 Wed Oct 20 21:19:36 2010 (r214121) @@ -247,44 +247,6 @@ They return \-1 on failure, and set to indicate the error. .Pp .Rv -std jail_attach jail_remove -.Sh PRISON? -Once a process has been put in a prison, it and its descendants cannot escape -the prison. -.Pp -Inside the prison, the concept of -.Dq superuser -is very diluted. -In general, -it can be assumed that nothing can be mangled from inside a prison which -does not exist entirely inside that prison. -For instance the directory -tree below -.Dq Li path -can be manipulated all the ways a root can normally do it, including -.Dq Li "rm -rf /*" -but new device special nodes cannot be created because they reference -shared resources (the device drivers in the kernel). -The effective -.Dq securelevel -for a process is the greater of the global -.Dq securelevel -or, if present, the per-jail -.Dq securelevel . -.Pp -All IP activity will be forced to happen to/from the IP number specified, -which should be an alias on one of the network interfaces. -All connections to/from the loopback address -.Pf ( Li 127.0.0.1 -for IPv4, -.Li ::1 -for IPv6) will be changed to be to/from the primary address -of the jail for the given address family. -.Pp -It is possible to identify a process as jailed by examining -.Dq Li /proc/<pid>/status : -it will show a field near the end of the line, either as -a single hyphen for a process at large, or the name currently -set for the prison for jailed processes. .Sh ERRORS The .Fn jail 
@@ -413,7 +375,7 @@ and .Fn jail_attach call .Xr chroot 2 -internally, so it can fail for all the same reasons. +internally, so they can fail for all the same reasons. Please consult the .Xr chroot 2 manual page for details.
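Review bot: The .Sh PRISON? removal in the first hunk (-247,44) leaves no pointer in the surrounding context to where the text went, and it was carrying security-relevant semantics: the effective securelevel being the greater of the global and per-jail values, the rewriting of 127.0.0.1 and ::1 to the jail's primary address, and the /proc/<pid>/status field for identifying a jailed process. Since the log says the section moved to jail(8), consider adding a short sentence with `.Xr jail 8` before `.Sh ERRORS`, or confirm that SEE ALSO already lists it, so readers of jail(2) can still find those guarantees. Neither hunk touches the `.Dd` line, so the page date probably wants a bump for a content removal of this size.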