Welcome to Scribd!

Jails: Lightweight, Operating-System-level Virtualization

Uploaded by

0% found this document useful (0 votes)

41 views14 pages

Jails provide lightweight operating system-level virtualization in FreeBSD. They address issues with the UNIX security model and root user having too much power. Jails implement file system access limitations, process isolation, and network stack isolation. They work by restricting the filesystem namespace, limiting network resource binding, and restricting access to system resources for jailed processes. Implementation involves new system calls, modifying chroot, restricting process visibility and network isolation between jails. Administrators can further configure restrictions using tools like rctl and sysctl.

Original Description:

Original Title

fehmi-noyan-isi-bsd-jails

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

0% found this document useful (0 votes)

41 views14 pages

Jails: Lightweight, Operating-System-level Virtualization

Uploaded by

Supriya Sharma

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

Jump to Page

You are on page 1of 14

Search inside document

1

Jails
Lightweight, Operating-
System-level virtualization
Oct 2018
Fehmi Noyan ISI
So, what was the motivation
• UNIX security model and the root user –
sharp, efficient and an extremely
dangerous tool :/

• Real isolation?
• File system access limitations

• Process isolation

• Network stack isolation

https://xkcd.com/1200/
2
chroot(8)

[3]

3
Solution?

• File system access limitations

• Process isolation

• Network stack isolation

4
Operating System level virtualization

• Jails
• Docker
• Zones

[1]
5
Operating System level virtualization

With increasing number of virtual environments

with the usage of virtual machines it triggers
the resource consumption. While with the use
of ambient jail these resources are mainly
channelled to the services provided, and the
number of instances has a
negligible impact on the computer system [6]

6
jail(8)

• First appeared in FreeBSD 4.0-

RELEASE in March 2000.
• Implemented by Poul-Henning
Kamp and Robert Watson
• Provides
• Virtualization
• Security
• Delegation
[3]

7
Limitations in a jail

• File system name-space is

restricted in the style of chroot(2)
• The ability to bind network
resources is limited to jail IP
addresses only
• The ability to manipulate system
resources is limited
• IPC is limited to communication
with the processes in the same
jail
8
Implementation of jail(8)

• New system calls (jail(2), jail_attach(2) etc.) and data structures

• Fortification of chroot(2)
• Process visibility restrictions (prison_check(2))
• TCP/IP network stack isolation
• Adding jail awareness to some device drivers
• Restriction of super-user powers for jailed root

9
Implementation of jail(8)

1 ) jail creation, jail(8) and jail(2)

2 ) Attaching, jexec(8) and jail_attach(2)

/usr/src/usr.sbin/jexec/jexec.c
jid = jail_getid(argv[0]);
jail_attach(jid);
chdir("/");
execvp(argv[1], argv + 1);

10
Fine tuning

1 ) rctl(8)
2 ) sysctl(8)
o security.jail.set_hostname_allowed: 1
o security.jail.socket_unixiproute_only: 1
o security.jail.sysvipc_allowed: 0
o security.jail.enforce_statfs: 2
o security.jail.allow_raw_sockets: 0
o security.jail.chflags_allowed: 0
o security.jail.jailed: 0

11
Live demo

12
https://www.explainxkcd.com/wiki/index.php/1168:_tar

13
References
[1] Srivastava P, Pande S, A novel architecture for identity management
system using virtual appliance technology
[2] Cantrill B, Jails and Solaris Zones
[3] Kamp P, Watson R, Jails: Confining the omnipotent root
[4] The FreeBSD Documentation Project, FreeBSD Architecture
Handbook
[5] The FreeBSD Documentation Project, FreeBSD Handbook
[6] Antunes C, Vardasca R, Performance of Jails versus Virtualization for
Cloud Computing Solutions

Docker SBeliakou Part01
Document63 pages
Docker SBeliakou Part01
fqkjcwfcidtsmlcxaa
No ratings yet
Aps Push Service Via Soap v1.8 en
Document61 pages
Aps Push Service Via Soap v1.8 en
S
No ratings yet
Mastering Proxmox - Second Edition
From Everand
Mastering Proxmox - Second Edition
Wasim Ahmed
No ratings yet
w211 Unit 5 Lectures
Document39 pages
w211 Unit 5 Lectures
Matthew Garrett
No ratings yet
ECE 751-Cells: A Virtual Mobile Smartphone Architecture: Mikkel Nielsen Mnielsen3 @wisc - Edu
Document20 pages
ECE 751-Cells: A Virtual Mobile Smartphone Architecture: Mikkel Nielsen Mnielsen3 @wisc - Edu
Marvin Atienza
No ratings yet
P. Mato, D. Piparo, E. Tejedor - EP-SFT M. Lamanna, L. Mascetti, J. Moscicki - IT-ST
Document39 pages
P. Mato, D. Piparo, E. Tejedor - EP-SFT M. Lamanna, L. Mascetti, J. Moscicki - IT-ST
Mulat Shieraw
No ratings yet
Anti Forensic Rootkits
Document49 pages
Anti Forensic Rootkits
Darren Chaker
100% (2)
Oracle RAC and Docker
Document43 pages
Oracle RAC and Docker
ali
0% (1)
Ha Cluster With Os Leap 161010101038 PDF
Document39 pages
Ha Cluster With Os Leap 161010101038 PDF
Amit
No ratings yet
Introduction To Mobile Security: Dominic Chen
Document64 pages
Introduction To Mobile Security: Dominic Chen
epha
No ratings yet
Best Linux Exp
Document19 pages
Best Linux Exp
Ashok K
No ratings yet
Krishan Saluja Lecture - 1 (2022-2023) Inherent Vulernabilities in Internet Architecture
Document27 pages
Krishan Saluja Lecture - 1 (2022-2023) Inherent Vulernabilities in Internet Architecture
Anshul Singh
No ratings yet
EDU CC 70405 ch04 - Takeaway
Document15 pages
EDU CC 70405 ch04 - Takeaway
MES Betise
No ratings yet
2021 09 28 - Landlock Oss
Document30 pages
2021 09 28 - Landlock Oss
Y Y
No ratings yet
Financial Consulting: IT 240 Intro To LAN Technologies
Document13 pages
Financial Consulting: IT 240 Intro To LAN Technologies
Tamptress Vamp
No ratings yet
Cloud OS Presentation (068,076,77,095)
Document24 pages
Cloud OS Presentation (068,076,77,095)
hamza.alkhairi802
No ratings yet
CC Ques Bank Cloud Computing QB UNIT 3
Document9 pages
CC Ques Bank Cloud Computing QB UNIT 3
aparna chinnaraj
No ratings yet
Firewalls Complete
Document406 pages
Firewalls Complete
Ing Alfredo Jean
No ratings yet
Chapter 2.5
Document21 pages
Chapter 2.5
Ankita Sharma
No ratings yet
Solaris 10 Security: Darren J Moffat Sr. Staff Engineer, Solaris Security
Document40 pages
Solaris 10 Security: Darren J Moffat Sr. Staff Engineer, Solaris Security
Mahahvir Shah
No ratings yet
Intro To Openstack & SDN Meetup 1 SDNRG ITB: Ady Saputra - Ady@comlabs - Itb.ac - Id
Document22 pages
Intro To Openstack & SDN Meetup 1 SDNRG ITB: Ady Saputra - Ady@comlabs - Itb.ac - Id
no07
No ratings yet
Linux Overview and RHEL Installation: Presenter: Raj Singh
Document24 pages
Linux Overview and RHEL Installation: Presenter: Raj Singh
baburam_123
No ratings yet
Introduction To Containers: Nabil Abdennadher
Document38 pages
Introduction To Containers: Nabil Abdennadher
ARTHUR
No ratings yet
Tech Skills - Red Hat Enterprise Linux 7 - 3.0 Securing Services
Document2 pages
Tech Skills - Red Hat Enterprise Linux 7 - 3.0 Securing Services
DDDD
No ratings yet
CyBOK v1.1.0-3
Document200 pages
CyBOK v1.1.0-3
Adrian N
No ratings yet
Coda
Document25 pages
Coda
creeti
No ratings yet
Network Security Essentials
Document29 pages
Network Security Essentials
Min Lwin
No ratings yet
Singapore WindowsKernelOverview
Document87 pages
Singapore WindowsKernelOverview
Artur
No ratings yet
CC Domain4
Document67 pages
CC Domain4
sasijo9863
No ratings yet
8.1.1 Multiprocessors Hardware 8.1.2 Multiprocessors Operation System Types 8.1.3 Multiprocessors Synchronization 8.1.4 Multiprocessors Scheduling
Document49 pages
8.1.1 Multiprocessors Hardware 8.1.2 Multiprocessors Operation System Types 8.1.3 Multiprocessors Synchronization 8.1.4 Multiprocessors Scheduling
Hoàng Võ
No ratings yet
Lecture 7 2
Document26 pages
Lecture 7 2
atef shaar
No ratings yet
MSCHN Semester 1
Document8 pages
MSCHN Semester 1
BWUMCA21078 SOUVIK SARKAR
No ratings yet
Cryptographic Security For A High-Performance Distributed File System
Document6 pages
Cryptographic Security For A High-Performance Distributed File System
vikasbhowate
No ratings yet
STF - Skybox Architecture
Document13 pages
STF - Skybox Architecture
Prashant Biswas
No ratings yet
System Administrator Resume (OS:Linux)
Document3 pages
System Administrator Resume (OS:Linux)
sravanchalikonda
86% (14)
Zephyr (Operating System) - Wikipedia
Document3 pages
Zephyr (Operating System) - Wikipedia
ciuciu.denis.2023
No ratings yet
SDN Controller and Implementation PDF
Document63 pages
SDN Controller and Implementation PDF
hadje benilha
No ratings yet
PS 19 - Carranza 2022
Document6 pages
PS 19 - Carranza 2022
einstein.ortiz27
No ratings yet
Rhcsa Rhce
Document3 pages
Rhcsa Rhce
ümitavar
No ratings yet
Powered by Ignite Technologies: Network Penetration Testing
Document9 pages
Powered by Ignite Technologies: Network Penetration Testing
rberrospi
No ratings yet
Network Penetration Testing Course Online 1644336442
Document9 pages
Network Penetration Testing Course Online 1644336442
yonas
No ratings yet
Institute: Uie Department: Cse: Bachelor of Engineering (Computer Science & Engineering)
Document29 pages
Institute: Uie Department: Cse: Bachelor of Engineering (Computer Science & Engineering)
sukhpreet singh
No ratings yet
Openstack Super Bootcamp
Document28 pages
Openstack Super Bootcamp
Chet Tar
No ratings yet
Zephyr (Operating System) - Wikipedia
Document17 pages
Zephyr (Operating System) - Wikipedia
Aditya Swaroop
No ratings yet
Network Security
Document15 pages
Network Security
egalakshman124
No ratings yet
Certified Penetration Testing Professional CPTP
Document12 pages
Certified Penetration Testing Professional CPTP
lasaus
No ratings yet
Lecture Notes Unit-1 (Network Operating System) : Session: 2021-22
Document21 pages
Lecture Notes Unit-1 (Network Operating System) : Session: 2021-22
Pradeep Bedi
No ratings yet
Red Hat Cluster1
Document49 pages
Red Hat Cluster1
rctrct
No ratings yet
Final Project
Document9 pages
Final Project
api-522484422
No ratings yet
Hardware Firewalls
Document31 pages
Hardware Firewalls
its4deepak
100% (9)
Virtuoso: Distributed Computing Using Virtual Machines: Peter A. Dinda
Document49 pages
Virtuoso: Distributed Computing Using Virtual Machines: Peter A. Dinda
akashree
No ratings yet
Slides - OSI Model
Document32 pages
Slides - OSI Model
divyagoyal891
No ratings yet
Practicum - Research Paper
Document10 pages
Practicum - Research Paper
Gavin Fitzpatrick
No ratings yet
Network Function Virtualization
Document8 pages
Network Function Virtualization
avaunp
No ratings yet
Network Security and Firewall - ClearOS
Document41 pages
Network Security and Firewall - ClearOS
Huynh Khoa
No ratings yet
FreeBSD Mastery: Jails: IT Mastery, #15
From Everand
FreeBSD Mastery: Jails: IT Mastery, #15
Michael W. Lucas
Rating: 5 out of 5 stars
5/5 (2)
Fundamentos de Seguridad de la Red
From Everand
Fundamentos de Seguridad de la Red
NUMA EDITORIAL
No ratings yet
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
From Everand
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Lee Allen
Rating: 4.5 out of 5 stars
4.5/5 (6)
Docker: The Complete Guide to the Most Widely Used Virtualization Technology. Create Containers and Deploy them to Production Safely and Securely.: Docker & Kubernetes, #1
From Everand
Docker: The Complete Guide to the Most Widely Used Virtualization Technology. Create Containers and Deploy them to Production Safely and Securely.: Docker & Kubernetes, #1
Jordan Lioy
No ratings yet
Advanced Penetration Testing for Highly-Secured Environments - Second Edition
From Everand
Advanced Penetration Testing for Highly-Secured Environments - Second Edition
Lee Allen
No ratings yet
OpenStack Cloud Security
From Everand
OpenStack Cloud Security
Fabio Alessandro Locati
No ratings yet
Curt Sampson - Career Summary
Document4 pages
Curt Sampson - Career Summary
Supriya Sharma
No ratings yet
Senior DevOps Engineer - TL Consulting
Document1 page
Senior DevOps Engineer - TL Consulting
Supriya Sharma
No ratings yet
SRC Ctags
Document1 page
SRC Ctags
Supriya Sharma
No ratings yet
Sample DevOpsEngineer
Document10 pages
Sample DevOpsEngineer
Supriya Sharma
No ratings yet
RESUME REST WebServices
Document11 pages
RESUME REST WebServices
Supriya Sharma
No ratings yet
FortiSwitch and Security Fabric v2 - Public PDF
Document37 pages
FortiSwitch and Security Fabric v2 - Public PDF
DJ JAM
No ratings yet
Hadoop Distributed File System (HDFS) : Suresh Pathipati
Document43 pages
Hadoop Distributed File System (HDFS) : Suresh Pathipati
Kancharla
No ratings yet
Mimosa A5 Datasheet
Document2 pages
Mimosa A5 Datasheet
KoThet
No ratings yet
Meeting 5 Malicious Software
Document12 pages
Meeting 5 Malicious Software
Adi Agus Prayoga
No ratings yet
IR1101 Integrated Services Router
Document26 pages
IR1101 Integrated Services Router
Fernando Armendariz
No ratings yet
Criar Certificado Autoassinado Letsencript
Document18 pages
Criar Certificado Autoassinado Letsencript
César Novoa
No ratings yet
Cisco Switch Configuration Template For Aastra Phones: Advanced Technical Assistance Center (ATAC)
Document7 pages
Cisco Switch Configuration Template For Aastra Phones: Advanced Technical Assistance Center (ATAC)
ausmitch
No ratings yet
Events
Document21 pages
Events
rogerbwilson
No ratings yet
HMS EWON Flexy Integration To AWS
Document6 pages
HMS EWON Flexy Integration To AWS
Trong Huynh
No ratings yet
Configuring SiteScope To Monitor Oracle RAC
Document6 pages
Configuring SiteScope To Monitor Oracle RAC
Faizul Abu Bakar
No ratings yet
Virtual SD-WAN Interactive Test Drive: Instructor Facilitated Customer Experience
Document43 pages
Virtual SD-WAN Interactive Test Drive: Instructor Facilitated Customer Experience
Gustavo Carvalho
No ratings yet
Omnipcx Enterprise PDF
Document44 pages
Omnipcx Enterprise PDF
Jhon Lee
No ratings yet
Meyers CompTIA 4e PPT Ch15
Document105 pages
Meyers CompTIA 4e PPT Ch15
ali_bohaha
No ratings yet
CV Jorge Barriga - Jul2014
Document3 pages
CV Jorge Barriga - Jul2014
Juan Luzon
No ratings yet
3com SuperStack 4 Switch 5500G-EI - Command Reference Guide v3.1.x
Document530 pages
3com SuperStack 4 Switch 5500G-EI - Command Reference Guide v3.1.x
Andresito de Pereira
No ratings yet
Border Router Deployment Guide
Document32 pages
Border Router Deployment Guide
Anouar Marrakchi
No ratings yet
Professional Cloud DevOps Engineer Questions
Document4 pages
Professional Cloud DevOps Engineer Questions
sama akram
No ratings yet
Zhengjue KAC User Manual - Toshiba Air Conditioner
Document10 pages
Zhengjue KAC User Manual - Toshiba Air Conditioner
AS Simple Autmation
No ratings yet
API Security Testing
Document4 pages
API Security Testing
Abhijit Chatterjee
No ratings yet
Last Minute Notes - Computer Networks - GeeksforGeeks
Document13 pages
Last Minute Notes - Computer Networks - GeeksforGeeks
Arjun Karanwal
No ratings yet
Sales Email Integration Security
Document22 pages
Sales Email Integration Security
Social Smocial
No ratings yet
Ijert Ijert: Packet Loss in Wireless Networks
Document4 pages
Ijert Ijert: Packet Loss in Wireless Networks
Marcelo Bl
No ratings yet
8 Sem Syllabus Bit Sindri Ece
Document4 pages
8 Sem Syllabus Bit Sindri Ece
Simaab Amir
No ratings yet
Telnet
Document14 pages
Telnet
Gangaa Shelvi
No ratings yet
SG 007 SD Wan SD Lan Design Arch Guide
Document120 pages
SG 007 SD Wan SD Lan Design Arch Guide
Jonny Tek
No ratings yet
FALLSEM2023-24 BECE401L TH VL2023240100285 2023-06-06 Reference-Material-I
Document12 pages
FALLSEM2023-24 BECE401L TH VL2023240100285 2023-06-06 Reference-Material-I
Kamali Siddharthan
No ratings yet
Veex ManualMX100e+ - 120e+ - E-Manual - D07-00-050P - RevD00 - LR
Document115 pages
Veex ManualMX100e+ - 120e+ - E-Manual - D07-00-050P - RevD00 - LR
yazan
No ratings yet
Fingerprint Time Attendance & Access Control Terminal: Features
Document2 pages
Fingerprint Time Attendance & Access Control Terminal: Features
Luis Fernando Morales Tarazona
No ratings yet
Lecture 01 - Wireless Communication
Document22 pages
Lecture 01 - Wireless Communication
kamran
No ratings yet