Jails: Lightweight, Operating-System-level Virtualization

Jails provide lightweight operating-system-level virtualization in FreeBSD. They address a weakness of the UNIX security model: the root user has too much power. Jails implement file system access limitations, process isolation, and network stack isolation. They work by restricting the filesystem namespace, limiting the network resources a jailed process can bind, and restricting jailed processes' access to system resources. The implementation adds new system calls, fortifies chroot, restricts process visibility, and isolates the network stack between jails. Administrators can tighten the restrictions further with tools like rctl and sysctl.
Jails
Lightweight, Operating-
System-level virtualization
Oct 2018
Fehmi Noyan ISI
So, what was the motivation?

• UNIX security model and the root user: sharp, efficient and an extremely dangerous tool :/

• Real isolation?
  • File system access limitations
  • Process isolation
  • Network stack isolation

https://xkcd.com/1200/
chroot(8)

[3]
Solution?

• File system access limitations
• Process isolation
• Network stack isolation
Operating System level virtualization

• Jails
• Docker
• Zones

[1]
Operating System level virtualization

"With an increasing number of virtual environments, the use of virtual machines drives up resource consumption, while with the use of an ambient jail these resources are mainly channelled to the services provided, and the number of instances has a negligible impact on the computer system." [6]
jail(8)

• First appeared in FreeBSD 4.0-RELEASE in March 2000.
• Implemented by Poul-Henning Kamp and Robert Watson
• Provides
  • Virtualization
  • Security
  • Delegation

[3]
Limitations in a jail

• File system name-space is restricted in the style of chroot(2)
• The ability to bind network resources is limited to the jail's IP addresses only
• The ability to manipulate system resources is limited
• IPC is limited to communication with the processes in the same jail
Implementation of jail(8)

• New system calls (jail(2), jail_attach(2), and since FreeBSD 8.0 the parameter-based jail_set(2), jail_get(2) and jail_remove(2)) and kernel data structures
• Fortification of chroot(2)
• Process visibility restrictions (the kernel's prison_check() function, which decides whether one process may see or signal another)
• TCP/IP network stack isolation
• Adding jail awareness to some device drivers
• Restriction of super-user powers for jailed root
Implementation of jail(8)

1 ) jail creation: jail(8) and jail(2)

2 ) Attaching: jexec(8) and jail_attach(2)

Excerpt from /usr/src/usr.sbin/jexec/jexec.c (headers added here; the error checks of the real source are omitted as on the slide):

    #include <sys/param.h>
    #include <sys/jail.h>     /* jail_attach(2) */
    #include <jail.h>         /* jail_getid(3), libjail */
    #include <unistd.h>

    jid = jail_getid(argv[0]);    /* resolve a jail name or numeric id to a jid */
    jail_attach(jid);             /* jail_attach(2): imprison the calling process */
    chdir("/");                   /* the cwd is now the jail's root */
    execvp(argv[1], argv + 1);    /* run the requested command inside the jail */
Fine tuning

1 ) rctl(8): per-jail resource limits (memory, process count, CPU share, open files)
2 ) sysctl(8): system-wide jail defaults, as seen from the host
  o security.jail.set_hostname_allowed: 1
  o security.jail.socket_unixiproute_only: 1
  o security.jail.sysvipc_allowed: 0
  o security.jail.enforce_statfs: 2
  o security.jail.allow_raw_sockets: 0
  o security.jail.chflags_allowed: 0
  o security.jail.jailed: 0

Note: security.jail.jailed is read-only and reports whether the caller is inside a jail (0 on the host, 1 inside). The other sysctls predate per-jail parameters; on current FreeBSD the same knobs can be set for an individual jail through jail(8) / jail.conf(5) as allow.set_hostname, allow.socket_af, allow.sysvipc, enforce_statfs, allow.raw_sockets and allow.chflags.
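The two procedures above, jail creation plus attaching (jail(8) / jexec(8)) and fine tuning (the sysctl knobs expressed as per-jail parameters, plus rctl(8) limits), carried through as one script. This is an added example, not code from the slides or from FreeBSD; it assumes a jail named "demo" whose root is an installed base system under /jails/demo, the address 192.0.2.10 on interface em0, and a kernel with RACCT/RCTL enabled (kern.racct.enable=1 in loader.conf). The rctl amounts are illustrative.

```shell
#!/bin/sh
# Added example (not from the slides): create a hardened FreeBSD jail with
# jail(8), check the restrictions from inside with jexec(8), and cap it
# with rctl(8).  Assumed: jail "demo", root /jails/demo, 192.0.2.10 on em0,
# RACCT/RCTL enabled in the kernel.  Save as mkjail.sh and run as root.
set -eu

# Render a jail.conf(5) stanza.  The allow.* / enforce_statfs lines are the
# per-jail counterparts of the security.jail.* sysctls on the slide, set to
# their restrictive values; securelevel=3 stops jailed root from relaxing
# what securelevel protects.
render_jail_conf() {
    name=$1 root=$2 addr=$3
    cat <<EOF
$name {
    path = "$root";
    host.hostname = "$name.example.invalid";
    ip4.addr = "em0|$addr";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;          # devfsrules_jail from /etc/defaults/devfs.rules
    allow.set_hostname = 0;     # security.jail.set_hostname_allowed
    allow.socket_af = 0;        # security.jail.socket_unixiproute_only=1
    allow.sysvipc = 0;          # security.jail.sysvipc_allowed
    allow.raw_sockets = 0;      # security.jail.allow_raw_sockets
    allow.chflags = 0;          # security.jail.chflags_allowed
    enforce_statfs = 2;         # only the jail's own mount point is visible
    securelevel = 3;
}
EOF
}

# rctl(8) rule strings: subject:subject-id:resource:action=amount.
render_rctl_rules() {
    name=$1
    printf '%s\n' \
        "jail:$name:memoryuse:deny=512m" \
        "jail:$name:maxproc:deny=200" \
        "jail:$name:openfiles:deny=4096" \
        "jail:$name:pcpu:deny=50"
}

# Create the jail, verify the restrictions, then attach the rctl limits.
start_jail() {
    name=$1 root=$2 addr=$3
    conf=/etc/jail.$name.conf
    render_jail_conf "$name" "$root" "$addr" > "$conf"
    jail -f "$conf" -c "$name"

    # security.jail.jailed is 0 on the host and 1 for every jailed process.
    [ "$(jexec "$name" sysctl -n security.jail.jailed)" = 1 ]
    # jls(8) prints the effective parameters; expect "0 0 0 2 3".
    jls -j "$name" allow.raw_sockets allow.sysvipc allow.chflags enforce_statfs securelevel

    # With allow.raw_sockets=0, ping(8) cannot open its raw socket and must fail.
    if jexec "$name" ping -c 1 "$addr" >/dev/null 2>&1; then
        echo "unexpected: raw sockets usable inside $name" >&2
        return 1
    fi

    render_rctl_rules "$name" | while read -r rule; do rctl -a "$rule"; done
    rctl -hu "jail:$name"     # current usage against the limits just set
}

stop_jail() {
    name=$1
    rctl -r "jail:$name"      # drop the rules before the jail goes away
    jail -f "/etc/jail.$name.conf" -r "$name"
}

# Only act when executed as the script itself; sourcing just defines functions.
case "${0##*/}" in
    mkjail.sh) start_jail "${1:-demo}" "${2:-/jails/demo}" "${3:-192.0.2.10}" ;;
esac
```

The host-side sysctls on the slide stay at their defaults; the script instead pins each restriction on the jail itself, so a later change of a global default cannot loosen this jail. The ping check is the cheap proof that the raw-socket restriction is in force: without allow.raw_sockets the socket(2) call for ICMP is refused to jailed root.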
Live demo

https://www.explainxkcd.com/wiki/index.php/1168:_tar
References
[1] Srivastava P, Pande S. A novel architecture for identity management system using virtual appliance technology.
[2] Cantrill B. Jails and Solaris Zones.
[3] Kamp P-H, Watson R N M. Jails: Confining the omnipotent root. SANE 2000.
[4] The FreeBSD Documentation Project. FreeBSD Architecture Handbook.
[5] The FreeBSD Documentation Project. FreeBSD Handbook.
[6] Antunes C, Vardasca R. Performance of Jails versus Virtualization for Cloud Computing Solutions.