=== Service jails -- Automatic jailing of rc.d services Links: + link:https://reviews.freebsd.org/D40370[D40370: Infrastructure for automatic jailing of rc.d-services] URL: link:https://reviews.freebsd.org/D40370[] + link:https://reviews.freebsd.org/D40371[D40371: automatic service jails: some setup for full functionality of the services in automatic service jails] URL: link:https://reviews.freebsd.org/D40371[] link:https://reviews.freebsd.org/D42779[D42779: Handbook / rc-article update for Service Jails] URL: link:https://reviews.freebsd.org/D42779[] Contact: Alexander Leidinger Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: ---- local_unbound_svcj_options=net_basic local_unbound_svcj=YES ---- Note: all base system services are covered in the patches with either name_svcj_options or a hard-coded disabling of the service jails feature where it does not make sense (e.g. pure services which change the runtime configuration but do not start daemons, or where things are run which can not be run in a sensible way inside a jail). As such the local_unbound_svcj_options line above is superfluous and serves just as an example about the amount of configuration needed in total. While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user. Since the link:../report-2023-04-2023-06/#_service_jailsautomatic_jailing_of_rc_d_services[previous service jails status report], the following were added: * support for NFS inside jails in the service jails framework (untested), * the possibility of jailing other service commands than `start` and `stop`, * service jails options / config for all base system services in the patch in D40371, * a first step at documenting the service jails in the Handbook. Not all services are tested, but all services are covered with a config. Any testing and feedback (even as simple as "service X works in a service jail") is welcome.