mirror of
https://github.com/hackacad/bastille.git
synced 2026-01-04 03:33:41 +01:00
preparing docs for 0.6.x release
This commit is contained in:
Christer Edwards
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
|
||||
`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
|
||||
repositories.
|
||||
|
||||
Current version is `0.5.20191128`.
|
||||
Current version is `0.6.20200202`.
|
||||
|
||||
To install from the FreeBSD package repository:
|
||||
|
||||
|
||||
@@ -13,25 +13,115 @@ template looks like this:
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
interface = {interface};
|
||||
host.hostname = {name};
|
||||
exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
|
||||
path = /usr/local/bastille/jails/{name}/root;
|
||||
ip6 = disable;
|
||||
securelevel = 2;
|
||||
devfs_ruleset = 4;
|
||||
enforce_statfs = 2;
|
||||
exec.start = '/bin/sh /etc/rc';
|
||||
exec.stop = '/bin/sh /etc/rc.shutdown';
|
||||
exec.clean;
|
||||
mount.devfs;
|
||||
mount.fstab = /usr/local/bastille/jails/{name}/fstab;
|
||||
|
||||
{name} {
|
||||
devfs_ruleset = 4;
|
||||
enforce_statfs = 2;
|
||||
exec.clean;
|
||||
exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
|
||||
exec.start = '/bin/sh /etc/rc';
|
||||
exec.stop = '/bin/sh /etc/rc.shutdown';
|
||||
host.hostname = {name};
|
||||
interface = {interface};
|
||||
mount.devfs;
|
||||
mount.fstab = /usr/local/bastille/jails/{name}/fstab;
|
||||
path = /usr/local/bastille/jails/{name}/root;
|
||||
securelevel = 2;
|
||||
|
||||
ip4.addr = x.x.x.x;
|
||||
ip6 = disable;
|
||||
}
|
||||
|
||||
|
||||
devfs_ruleset
|
||||
-------------
|
||||
.. code-block:: shell
|
||||
|
||||
devfs_ruleset
|
||||
The number of the devfs ruleset that is enforced for mounting
|
||||
devfs in this jail. A value of zero (default) means no ruleset
|
||||
is enforced. Descendant jails inherit the parent jail's devfs
|
||||
ruleset enforcement. Mounting devfs inside a jail is possible
|
||||
only if the allow.mount and allow.mount.devfs permissions are
|
||||
effective and enforce_statfs is set to a value lower than 2.
|
||||
Devfs rules and rulesets cannot be viewed or modified from inside
|
||||
a jail.
|
||||
|
||||
NOTE: It is important that only appropriate device nodes in devfs
|
||||
be exposed to a jail; access to disk devices in the jail may
|
||||
permit processes in the jail to bypass the jail sandboxing by
|
||||
modifying files outside of the jail. See devfs(8) for
|
||||
information on how to use devfs rules to limit access to entries
|
||||
in the per-jail devfs. A simple devfs ruleset for jails is
|
||||
available as ruleset #4 in /etc/defaults/devfs.rules.
|
||||
|
||||
|
||||
enforce_statfs
|
||||
--------------
|
||||
.. code-block:: shell
|
||||
|
||||
enforce_statfs
|
||||
This determines what information processes in a jail are able to
|
||||
get about mount points. It affects the behaviour of the
|
||||
following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
|
||||
fhstatfs(2) (as well as similar compatibility syscalls). When
|
||||
set to 0, all mount points are available without any
|
||||
restrictions. When set to 1, only mount points below the jail's
|
||||
chroot directory are visible. In addition to that, the path to
|
||||
the jail's chroot directory is removed from the front of their
|
||||
pathnames. When set to 2 (default), above syscalls can operate
|
||||
only on a mount-point where the jail's chroot directory is
|
||||
located.
|
||||
|
||||
|
||||
exec.clean
|
||||
----------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.clean
|
||||
Run commands in a clean environment. The environment is
|
||||
discarded except for HOME, SHELL, TERM and USER. HOME and SHELL
|
||||
are set to the target login's default values. USER is set to the
|
||||
target login. TERM is imported from the current environment.
|
||||
The environment variables from the login class capability
|
||||
database for the target login are also set.
|
||||
|
||||
|
||||
exec.consolelog
|
||||
---------------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.consolelog
|
||||
A file to direct command output (stdout and stderr) to.
|
||||
|
||||
|
||||
exec.start
|
||||
----------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.start
|
||||
Command(s) to run in the jail environment when a jail is created.
|
||||
A typical command to run is "sh /etc/rc".
|
||||
|
||||
|
||||
exec.stop
|
||||
---------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.stop
|
||||
Command(s) to run in the jail environment before a jail is
|
||||
removed, and after any exec.prestop commands have completed. A
|
||||
typical command to run is "sh /etc/rc.shutdown".
|
||||
|
||||
|
||||
host.hostname
|
||||
-------------
|
||||
.. code-block:: shell
|
||||
|
||||
host.hostname
|
||||
The hostname of the jail. Other similar parameters are
|
||||
host.domainname, host.hostuuid and host.hostid.
|
||||
|
||||
|
||||
interface
|
||||
---------
|
||||
.. code-block:: shell
|
||||
@@ -43,28 +133,31 @@ interface
|
||||
the interface after the jail is removed.
|
||||
|
||||
|
||||
host.hostname
|
||||
-------------
|
||||
mount.devfs
|
||||
-----------
|
||||
.. code-block:: shell
|
||||
|
||||
host.hostname
|
||||
The hostname of the jail. Other similar parameters are
|
||||
host.domainname, host.hostuuid and host.hostid.
|
||||
mount.devfs
|
||||
Mount a devfs(5) filesystem on the chrooted /dev directory, and
|
||||
apply the ruleset in the devfs_ruleset parameter (or a default of
|
||||
ruleset 4: devfsrules_jail) to restrict the devices visible
|
||||
inside the jail.
|
||||
|
||||
|
||||
exec.consolelog
|
||||
---------------
|
||||
mount.fstab
|
||||
-----------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.consolelog
|
||||
A file to direct command output (stdout and stderr) to.
|
||||
mount.fstab
|
||||
An fstab(5) format file containing filesystems to mount before
|
||||
creating a jail.
|
||||
|
||||
|
||||
path
|
||||
----
|
||||
.. code-block:: shell
|
||||
|
||||
path
|
||||
path
|
||||
The directory which is to be the root of the jail. Any commands
|
||||
run inside the jail, either by jail or from jexec(8), are run
|
||||
from this directory.
|
||||
@@ -114,95 +207,3 @@ cases.
|
||||
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
|
||||
changed and dummynet(4) or pf(4) configuration cannot be adjusted.
|
||||
|
||||
|
||||
devfs_ruleset
|
||||
-------------
|
||||
.. code-block:: shell
|
||||
|
||||
devfs_ruleset
|
||||
The number of the devfs ruleset that is enforced for mounting
|
||||
devfs in this jail. A value of zero (default) means no ruleset
|
||||
is enforced. Descendant jails inherit the parent jail's devfs
|
||||
ruleset enforcement. Mounting devfs inside a jail is possible
|
||||
only if the allow.mount and allow.mount.devfs permissions are
|
||||
effective and enforce_statfs is set to a value lower than 2.
|
||||
Devfs rules and rulesets cannot be viewed or modified from inside
|
||||
a jail.
|
||||
|
||||
NOTE: It is important that only appropriate device nodes in devfs
|
||||
be exposed to a jail; access to disk devices in the jail may
|
||||
permit processes in the jail to bypass the jail sandboxing by
|
||||
modifying files outside of the jail. See devfs(8) for
|
||||
information on how to use devfs rules to limit access to entries
|
||||
in the per-jail devfs. A simple devfs ruleset for jails is
|
||||
available as ruleset #4 in /etc/defaults/devfs.rules.
|
||||
|
||||
|
||||
enforce_statfs
|
||||
--------------
|
||||
.. code-block:: shell
|
||||
|
||||
enforce_statfs
|
||||
This determines what information processes in a jail are able to
|
||||
get about mount points. It affects the behaviour of the
|
||||
following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
|
||||
fhstatfs(2) (as well as similar compatibility syscalls). When
|
||||
set to 0, all mount points are available without any
|
||||
restrictions. When set to 1, only mount points below the jail's
|
||||
chroot directory are visible. In addition to that, the path to
|
||||
the jail's chroot directory is removed from the front of their
|
||||
pathnames. When set to 2 (default), above syscalls can operate
|
||||
only on a mount-point where the jail's chroot directory is
|
||||
located.
|
||||
|
||||
|
||||
exec.start
|
||||
----------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.start
|
||||
Command(s) to run in the jail environment when a jail is created.
|
||||
A typical command to run is "sh /etc/rc".
|
||||
|
||||
|
||||
exec.stop
|
||||
---------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.stop
|
||||
Command(s) to run in the jail environment before a jail is
|
||||
removed, and after any exec.prestop commands have completed. A
|
||||
typical command to run is "sh /etc/rc.shutdown".
|
||||
|
||||
|
||||
exec.clean
|
||||
----------
|
||||
.. code-block:: shell
|
||||
|
||||
exec.clean
|
||||
Run commands in a clean environment. The environment is
|
||||
discarded except for HOME, SHELL, TERM and USER. HOME and SHELL
|
||||
are set to the target login's default values. USER is set to the
|
||||
target login. TERM is imported from the current environment.
|
||||
The environment variables from the login class capability
|
||||
database for the target login are also set.
|
||||
|
||||
|
||||
mount.devfs
|
||||
-----------
|
||||
.. code-block:: shell
|
||||
|
||||
mount.devfs
|
||||
Mount a devfs(5) filesystem on the chrooted /dev directory, and
|
||||
apply the ruleset in the devfs_ruleset parameter (or a default of
|
||||
ruleset 4: devfsrules_jail) to restrict the devices visible
|
||||
inside the jail.
|
||||
|
||||
|
||||
mount.fstab
|
||||
-----------
|
||||
.. code-block:: shell
|
||||
|
||||
mount.fstab
|
||||
An fstab(5) format file containing filesystems to mount before
|
||||
creating a jail.
|
||||
|
||||
Reference in New Issue
Block a user