<html><body><span style="display:block;" class="xfm_19309442"><div><span style="font-size:12pt;line-height:14pt;font-family:Arial;" class="xfmc1">Hi,</span><br/></div>
<div><br/></div>
<blockquote style="border-left:1px solid #cccccc;margin:0px 0px 0px 0.8ex;padding-left:1ex;">
<pre style="margin:5px 0;">A jail is a chroot plus, optionally, a virtualized network stack,
plus a ban on root inside the cell affecting the host. Not even close to a virtual machine;
bhyve is for that.</pre>
</blockquote>
<div><span style="font-size:12pt;font-family:Arial;line-height:14pt;"><br data-mce-bogus="1"/></span></div>
<div><span style="font-size:12pt;font-family:Arial;line-height:14pt;">A bit more:</span></div>
<ul style="margin:5px 0;"><li><span style="font-size:12pt;font-family:Arial;line-height:14pt;">processes run in their own jail space, let's call it that, and are killed together with the jail</span></li>
<li><span style="font-size:12pt;font-family:Arial;line-height:14pt;">affinity</span></li>
<li><span style="font-size:12pt;font-family:Arial;line-height:14pt;"><span style="font-family:Arial;font-size:12pt;line-height:14pt;">Limit the number of commands from exec.*</span></span></li>
<li><span style="font-size:12pt;font-family:Arial;line-height:14pt;"><span style="font-family:Arial;font-size:12pt;line-height:14pt;">The following sysctls give an approximate overview of the restrictions:</span></span></li>
</ul><div><span style="font-size:12pt;font-family:Arial;line-height:14pt;"><br data-mce-bogus="1"/></span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.bsd.see_jail_proc: 1</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.mount_tmpfs_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.mount_zfs_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.mount_procfs_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.mount_devfs_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.sysvshm.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.sysvsem.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.sysvmsg.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mount.tmpfs: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mount.zfs: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mount.procfs: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mount.devfs: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mount.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.suser: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.unprivileged_proc_debug: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.read_msgbuf: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.reserved_ports: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.mlock: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.socket_af: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.quotas: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.chflags: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.raw_sockets: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.sysvipc: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.allow.set_hostname: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.ip6.saddrsel: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.ip6.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.ip4.saddrsel: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.ip4.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.cpuset.id: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.host.hostid: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.host.hostuuid: 64</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.host.domainname: 256</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.host.hostname: 256</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.host.: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.children.max: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.children.cur: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.dying: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.vnet: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.persist: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.devfs_ruleset: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.enforce_statfs: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.osrelease: 32</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.osreldate: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.securelevel: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.path: 1024</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.name: 256</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.parent: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.param.jid: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.devfs_ruleset: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.enforce_statfs: 2</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.mount_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.chflags_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.allow_raw_sockets: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.sysvipc_allowed: 0</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.socket_unixiproute_only: 1</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.set_hostname_allowed: 1</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.jail_max_af_ips: 255</span></div>
<div><span style="font-family:Courier New;font-size:12pt;line-height:14pt;" class="xfmc2">security.jail.vnet: 0</span></div>
<div><br/></div>
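<div><span style="font-size:12pt;font-family:Arial;line-height:14pt;">As an added illustration (not part of the message above, nor FreeBSD's own tooling), the script below audits the per-jail <code>allow.*</code> parameters that correspond to the <code>security.jail.param.allow.*</code> sysctls listed above, plus <code>securelevel</code> and <code>enforce_statfs</code>, and reports any jail whose root has been granted more than the default. It assumes the <code>jls -n</code> output format for boolean parameters follows jail(8) syntax (<code>allow.X</code> when granted, <code>allow.noX</code> when not); the two jail lines embedded in it are constructed sample input so it runs without a FreeBSD host. On a real host, feed it <code>jls -n | audit_jails</code> instead.</span></div>

```shell
#!/bin/sh
# Added example: audit jail allowances from `jls -n` style lines.
# Assumption: boolean parameters appear as allow.X (granted) or allow.noX
# (not granted), as in jail(8) syntax; key=value pairs for the rest.

# allow.* flags that widen what root inside the jail can do; names are the
# suffixes of the security.jail.param.allow.* sysctls.
RISKY_ALLOW="raw_sockets sysvipc mount mount.devfs mount.procfs mount.zfs mount.tmpfs chflags socket_af mlock suser unprivileged_proc_debug read_msgbuf quotas"

# Constructed sample: jail "www" is locked down, jail "build" has been given
# raw sockets, SysV IPC, mount and devfs mounting, and a low securelevel.
SAMPLE_JLS='jid=1 name=www path=/jails/www securelevel=3 enforce_statfs=2 allow.noraw_sockets allow.nosysvipc allow.nomount allow.mount.nodevfs allow.nochflags allow.set_hostname
jid=2 name=build path=/jails/build securelevel=-1 enforce_statfs=1 allow.raw_sockets allow.sysvipc allow.mount allow.mount.devfs allow.nochflags allow.noset_hostname'

# jail_param LINE KEY: print the value of KEY=value in LINE; fail if absent.
jail_param() {
    _line=$1; _key=$2
    for _kv in $_line; do
        case "$_kv" in
            "$_key"=*) printf '%s\n' "${_kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# allow_is_set LINE FLAG: succeed if allow.FLAG is granted in LINE
# (bare token, or FLAG=1 if a tool prints booleans numerically).
allow_is_set() {
    _line=$1; _flag=$2
    for _tok in $_line; do
        case "$_tok" in
            "allow.$_flag"|"allow.$_flag=1") return 0 ;;
        esac
    done
    return 1
}

# audit_jail LINE: print "name: finding finding ..." for one jail, or nothing
# when the jail keeps the defaults. securelevel below 2 and enforce_statfs
# below 2 are reported as well, since both loosen what the jail can see or do.
audit_jail() {
    _l=$1
    _name=$(jail_param "$_l" name) || _name="jid-$(jail_param "$_l" jid)"
    _found=""
    for _f in $RISKY_ALLOW; do
        allow_is_set "$_l" "$_f" && _found="$_found allow.$_f"
    done
    _sl=$(jail_param "$_l" securelevel) || _sl=-1
    [ "$_sl" -lt 2 ] && _found="$_found securelevel=$_sl"
    _es=$(jail_param "$_l" enforce_statfs) || _es=0
    [ "$_es" -lt 2 ] && _found="$_found enforce_statfs=$_es"
    [ -n "$_found" ] && printf '%s:%s\n' "$_name" "$_found"
    return 0
}

# audit_jails: read jls -n lines on stdin, print each jail's findings to
# stderr and the number of jails with findings to stdout.
audit_jails() {
    _count=0
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        _out=$(audit_jail "$_l")
        if [ -n "$_out" ]; then
            printf '%s\n' "$_out" >&2
            _count=$((_count + 1))
        fi
    done
    echo "$_count"
}

# Stand-alone run over the constructed sample (on a real host: jls -n | audit_jails)
printf '%s\n' "$SAMPLE_JLS" | audit_jails >/dev/null
```

<div><span style="font-size:12pt;font-family:Arial;line-height:14pt;">The point of the check is the one the sysctl list makes: every <code>allow.*</code> parameter defaults to off, so any jail where it is on is a deliberate grant that should be tracked, and a jail with <code>securelevel</code> or <code>enforce_statfs</code> below 2 sees or can change more of the host than the rest.</span></div>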
<div><span style="font-size:12pt;font-family:Arial;line-height:14pt;"><br data-mce-bogus="1"/></span></div></span></body></html>