=== Service jails -- Automatic jailing of rc.d services Links: + link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[rc-article part for Service Jails] URL: link:https://docs.freebsd.org/en/articles/rc-scripting/#rcng-service-jails[] Contact: Alexander Leidinger Service jails extend the man:rc[8] system to allow automatic jailing of rc.d services. A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, ...) by default. Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (man:vmm[4]). The base system infrastructure and the basesystem rc.d services are committed to 15-current, and the handbook / rc article updates are committed to the documentation. Next steps are to extend services in the ports collection to be able to make use of it. If you want to put e.g. nginx into a service jail and allow IPv4 and IPv6 access, simply change man:rc.conf[5] to have: ---- nginx_svcj_options=net_basic nginx_svcj=YES ---- While this does not have the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while providing some of the security benefits of a jail like hiding other processes of the same user. Any testing and feedback (even as simple as "service X works in a service jail") is welcome.