=== Service Jails -- automatic jailing of rc.d services Links: + link:https://reviews.freebsd.org/D40369[D40369: Extend /usr/bin/service with the possibility to set ENV vars] URL: link:https://reviews.freebsd.org/D40369[] + link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] Contact: Alexander Leidinger Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: ---- local_unbound_svcj_options=net_basic local_unbound_svcj=YES ---- While this does not have the same security benefits of a manual jail setup with a separate filesystem and IP/VNET, it is much easier to setup, while providing some of the security benefits of a jail like hiding other processes of the same user. The patches in the links are a rewrite of link:https://lists.freebsd.org/pipermail/freebsd-jail/2019-February/003710.html[what I presented in 2019]. The main difference is that an ENV variable is used to do more rational tracking and as such, requires a change to man:service[8]. My intent is to commit link:https://reviews.freebsd.org/D40369[D40369] before the branch of `stable/14`. I will not commit link:https://reviews.freebsd.org/D40370[D40370] or link:https://reviews.freebsd.org/D40371[D40371] before 14.0 is released and both will benefit from more eyes.