A "micro jail" Example
The following example creates and runs an nginx "micro jail". A micro jail is a service jail that contains only the files and paths required for the jail to perform its function, in this case running an instance of nginx. In essence, the script bootstraps the jail with the basic required directories, such as /dev and /var/run, and, most importantly, copies the libc and ld-elf shared libraries from the host system, as well as any others that may be required for the program inside the jail to run.
For better security, this can be extended by making the jail's root read-only and mounting from the host any paths that need to be read-write, for example /var/log/nginx for nginx.
If the service in the jail requires syslog (e.g. Postfix logs only through syslog), the host's syslogd(8) can create a listening socket inside the jail when -l (lowercase L) is added to syslogd_flags. The flag can be given more than once, so the host's syslogd can listen in multiple jails.
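# Host rc.conf entry. rc.conf is read as sh(1) variable assignments, so there
# must be no spaces around '='.
# -s keeps the host's syslogd in secure mode; each -l adds one extra log
# socket at the given path. The jail's var/run directory has to exist before
# syslogd is (re)started, otherwise the socket cannot be created there.
syslogd_flags="-s -l /path/to/the/jail/root/var/run/log"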
#!/bin/sh

# Path of the jail's root directory on the host. Every function below builds
# its target paths from this value.
ROOT='/path/to/the/jail/root'
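# bootstrap: create the jail's directory skeleton, copy the base shared
# libraries and the runtime linker in from the host, and build a minimal user
# database that contains only root.
# Globals:  ROOT (read) - path of the jail root on the host
# Returns:  0 on success, non-zero as soon as any step fails
bootstrap() {
  # With ROOT empty every path below resolves against the host's own /, and
  # the master.passwd write would replace the host's user database.
  : "${ROOT:?ROOT must be set to the jail root}"
  if [ "${ROOT}" = "/" ]; then
    echo "bootstrap: refusing to use / as the jail root" >&2
    return 1
  fi

  mkdir -p \
    "${ROOT}/dev" \
    "${ROOT}/etc" \
    "${ROOT}/lib" \
    "${ROOT}/libexec" \
    "${ROOT}/sbin" \
    "${ROOT}/var/run" || return 1

  # Temporarily hardcoded here for this example, use ldd to automatically find
  # needed base libs. These are copies, not mounts: re-copy them after the
  # host's base system is patched, or the jail keeps running the old versions.
  cp /lib/libthr.so.3 /lib/libcrypt.so.5 /lib/libz.so.6 /lib/libc.so.7 \
    "${ROOT}/lib/" || return 1
  cp /libexec/ld-elf.so.1 "${ROOT}/libexec/" || return 1

  # At minimum the root user is needed, assuming pkg will install whatever
  # additional user is required. master.passwd is written under umask 077 and
  # then forced to 0600 so it is root-only whatever the caller's umask is and
  # even when the file is left over from an earlier run.
  (
    umask 077
    echo "root:*:0:0::0:0:Charlie &:/root:/bin/csh" > "${ROOT}/etc/master.passwd" &&
      chmod 600 "${ROOT}/etc/master.passwd"
  ) || return 1
  echo "wheel:*:0:root" > "${ROOT}/etc/group" || return 1

  # -d keeps the generated databases inside the jail's etc instead of the
  # host's /etc.
  pwd_mkdb -d "${ROOT}/etc" -p "${ROOT}/etc/master.passwd"
}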
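# install_pkg: install the nginx package into the jail root with the host's
# pkg(8).
# Globals:  ROOT (read) - path of the jail root on the host
# Returns:  the exit status of pkg
install_pkg() {
  # An empty ROOT would leave -r without its argument; stop before calling pkg.
  : "${ROOT:?ROOT must be set to the jail root}"

  # -r makes pkg use ROOT as the installation root instead of the host's /.
  pkg -r "${ROOT}" install -y nginx
}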
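# configure: put the packaged sample configuration and index page in place
# inside the jail and write the jail's runtime-linker hints file.
# Globals:  ROOT (read) - path of the jail root on the host
# Returns:  0 on success, non-zero as soon as any step fails
configure() {
  : "${ROOT:?ROOT must be set to the jail root}"

  mkdir -p "${ROOT}/usr/local/www/nginx/" || return 1

  # These copies overwrite an existing nginx.conf / mime.types, so re-running
  # the script resets any local changes made inside the jail.
  cp "${ROOT}/usr/local/etc/nginx/nginx.conf-dist" \
    "${ROOT}/usr/local/etc/nginx/nginx.conf" || return 1
  cp "${ROOT}/usr/local/etc/nginx/mime.types-dist" \
    "${ROOT}/usr/local/etc/nginx/mime.types" || return 1
  cp "${ROOT}/usr/local/www/nginx-dist/index.html" \
    "${ROOT}/usr/local/www/nginx/" || return 1

  # NOTE(review): ldconfig runs on the host here, so /usr/local/lib is looked
  # up in the host's filesystem rather than the jail's - confirm that is
  # intended.
  ldconfig -f "${ROOT}/var/run/ld-elf.so.hints" /usr/local/lib
}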
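# run: create the jail at ROOT and start nginx inside it.
# Globals:  ROOT (read) - path of the jail root on the host
# Returns:  the exit status of jail(8)
#
# Parameters worth reviewing before reusing this outside an example:
#   securelevel=3      - the jail runs at the highest securelevel.
#   ip4=inherit        - the jail is not restricted to an address of its own
#                        and can use every IPv4 address of the host; giving
#                        it a dedicated address with ip4.addr isolates it
#                        further.
#   exec.jail_user=www - nginx is started as www inside the jail.
#                        NOTE(review): bootstrap only creates root in the
#                        jail's user database, so confirm www exists there,
#                        and that the listen port, log and pid paths in
#                        nginx.conf work for an unprivileged user.
run() {
  : "${ROOT:?ROOT must be set to the jail root}"

  jail \
    -c path="${ROOT}" \
    mount.devfs \
    securelevel=3 \
    host.hostname=nginx \
    ip4=inherit \
    exec.jail_user=www \
    command=/usr/local/sbin/nginx
}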
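# Run the stages in order and stop at the first one that fails, so the jail
# is never started on top of a partial bootstrap, install or configuration.
bootstrap &&
  install_pkg &&
  configure &&
  run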