.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.36.
.TH RSBAC_JAIL "1" "May 2010" "Gentoo" "User Commands"
.SH NAME
rsbac_jail \- manual page for rsbac_jail (RSBAC 1.4.4)
.SH DESCRIPTION
rsbac_jail (RSBAC 1.4.4)
***
Use: rsbac_jail [flags] [\-I addr] [\-R dir] [\-C cap\-list] prog args
This program will put the process into a jail with chroot to path,
ip address IP and then execute prog with args
.HP
\fB\-h\fR = this help, \fB\-\-\fR = no more flags,
.PP
\fB\-I\fR addr = limit to IP address,
\fB\-R\fR dir  = chroot to dir,
\fB\-V\fR set  = use virtual user set,
\fB\-N\fR = enclose process in its private namespace,
\fB\-C\fR cap\-list  = limit Linux capabilities for jailed processes,
.IP
use bit\-vector, numeric value or list names of desired caps,
A = all, FS_MASK = all filesystem related,
.PP
\fB\-L\fR = list all Linux capabilities,
\fB\-S\fR = list all SCD targets,
\fB\-v\fR = verbose, \fB\-i\fR = allow access to IPC outside this jail,
\fB\-P\fR = allow access to IPC in the parent jail,
\fB\-y\fR = allow access to IPC in the syslog jail,
\fB\-Y\fR = this is the syslog jail,
\fB\-n\fR = allow all network families, not only UNIX and INET (IPv4),
\fB\-r\fR = allow INET (IPv4) raw sockets (e.g. for ping),
\fB\-a\fR = auto\-adjust INET any address 0.0.0.0 to jail address, if set,
\fB\-o\fR = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
\fB\-d\fR = allow read access on devices, \fB\-D\fR allow write access
\fB\-e\fR = allow GET_STATUS_DATA on devices, \fB\-E\fR allow MODIFY_SYSTEM_DATA
\fB\-t\fR = allow *_OPEN on tty devices
\fB\-s\fR = allow to create with / set mode to suid
\fB\-u\fR = allow to mount/umount
\fB\-G\fR scd ... = allow GET_STATUS_DATA on these scd targets
\fB\-M\fR scd ... = allow MODIFY_SYSTEM_DATA on these scd targets
Deprecated old options, please use \fB\-G\fR and \fB\-M\fR:
\fB\-l\fR = allow to modify rlimits (\fB\-M\fR rlimit),
\fB\-c\fR = allow to modify system clock (\fB\-M\fR clock time_strucs),
\fB\-m\fR = allow to lock memory (\fB\-M\fR mlock),
\fB\-p\fR = allow to modify priority (\fB\-M\fR priority),
\fB\-k\fR = allow to get kernel symbols (\fB\-G\fR ksyms)
.PP
***
Use: rsbac_jail [flags] [\-I addr] [\-R dir] [\-C cap\-list] prog args
This program will put the process into a jail with chroot to path,
ip address IP and then execute prog with args
.HP
\fB\-h\fR = this help, \fB\-\-\fR = no more flags,
.PP
\fB\-I\fR addr = limit to IP address,
\fB\-R\fR dir  = chroot to dir,
\fB\-V\fR set  = use virtual user set,
\fB\-N\fR = enclose process in its private namespace,
\fB\-C\fR cap\-list  = limit Linux capabilities for jailed processes,
.IP
use bit\-vector, numeric value or list names of desired caps,
A = all, FS_MASK = all filesystem related,
.PP
\fB\-L\fR = list all Linux capabilities,
\fB\-S\fR = list all SCD targets,
\fB\-v\fR = verbose, \fB\-i\fR = allow access to IPC outside this jail,
\fB\-P\fR = allow access to IPC in the parent jail,
\fB\-y\fR = allow access to IPC in the syslog jail,
\fB\-Y\fR = this is the syslog jail,
\fB\-n\fR = allow all network families, not only UNIX and INET (IPv4),
\fB\-r\fR = allow INET (IPv4) raw sockets (e.g. for ping),
\fB\-a\fR = auto\-adjust INET any address 0.0.0.0 to jail address, if set,
\fB\-o\fR = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
\fB\-d\fR = allow read access on devices, \fB\-D\fR allow write access
\fB\-e\fR = allow GET_STATUS_DATA on devices, \fB\-E\fR allow MODIFY_SYSTEM_DATA
\fB\-t\fR = allow *_OPEN on tty devices
\fB\-s\fR = allow to create with / set mode to suid
\fB\-u\fR = allow to mount/umount
\fB\-G\fR scd ... = allow GET_STATUS_DATA on these scd targets
\fB\-M\fR scd ... = allow MODIFY_SYSTEM_DATA on these scd targets
Deprecated old options, please use \fB\-G\fR and \fB\-M\fR:
\fB\-l\fR = allow to modify rlimits (\fB\-M\fR rlimit),
\fB\-c\fR = allow to modify system clock (\fB\-M\fR clock time_strucs),
\fB\-m\fR = allow to lock memory (\fB\-M\fR mlock),
\fB\-p\fR = allow to modify priority (\fB\-M\fR priority),
\fB\-k\fR = allow to get kernel symbols (\fB\-G\fR ksyms)