sysjail – a userland virtualisation system

DESCRIPTION

IMPORTANT: Because of the way user/kernel memory is handled in concurrent environments, the sysjail tools, which inherit from systrace(4), are vulnerable to exploitation. Details are available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)) for security purposes.

sysjail is a userland virtualisation system for OpenBSD and derivatives. It provides a function similar to FreeBSD's jail(8) utility while being significantly more flexible. The package provides jail(1), a drop-in replacement for FreeBSD's jail(8); sysjail(1), a more featureful version of jail(1); jls(1), a drop-in replacement for FreeBSD's jls(8); sjls(1), a more featureful version of jls(1); and sysjail(3), the function library backing these tools, designed to be droppable into any source tree. There is also a testing mechanism, sjtest(1).

sysjail fully supports Linux and FreeBSD emulation; that is, Linux and FreeBSD binaries (with some exceptions) that run in sysjail(1) or jail(1) receive the same protection as native binaries. Emulated binaries may either be started as shown below or executed from an existing jailed binary.

The sysjail suite is a BSD.lv Project member.

SOURCES

The sources have been tested variously on i386, AMD64, alpha, and others. They only work with OpenBSD 3.9, 4.0, 4.1, 4.2, and 4.3. The most current version is 1.2.35, dated 29 May 2010.

Current

OpenBSD port /dist/sysjail-obsd.tar.gz (md5)
Source archive /dist/sysjail.tar.gz (md5)
Online source cvsweb

Historical

Source archive /dist/

DOCUMENTATION

These manuals are generated automatically and refer to the current snapshot.

jail(1) imprison a process and its descendents
jls(1) list active jails
mkjail(1) create a full-system prison environment
sjls(1) list active jails
sjtest(1) test sysjail for correctness
sysjail(1) imprison a process and its descendents
sysjail(3) systrace process jailing library

CONTACT

For all issues related to sysjail, contact Kristaps Dzonsons, kris...@bsd.lv.

You may also subscribe to several mailing lists (these require subscription, which is moderated). An archive is not yet available on-line, although you may request one once subscribed.

disc...@sysjail.bsd.lv high-level discussions and version announcements
sou...@sysjail.bsd.lv source commit messages

EXAMPLES

# echo $$ ; jail / ahost 127.0.0.1 /bin/sh
1975
# echo $$
2578
# kill 1975
/bin/sh: kill: 1975: No such process
# exit
exit

Figure: native mode (OpenBSD 4.0): interception of kill(2)

# echo $$ ; jail /emul/linux/ ahost 127.0.0.1 /bin/sh
1975
lappy:/# echo $$
28940
lappy:/# kill 1975
sh: kill: (1975) - No such process
lappy:/# exit
exit

Figure: Linux emulation mode (RedHat) (OpenBSD 4.0): interception of kill(2)

NEWS

29-05-2010: version 1.2.35

Re-opening the sysjail infrastructure for maintenance. Updated www files and cleaned up manuals to run with mandoc.

Copyright © 2007–2010 Kristaps Dzonsons, $Date: 2010/05/29 11:57:31 $