*** Use: rsbac_jail [flags] [-I addr] [-R dir] [-C cap-list] prog args
This program will put the process into a jail with chroot to path,
ip address IP and then execute prog with args
-I addr = limit to IP address,
-R dir = chroot to dir,
-V set = use virtual user set,
-N = enclose process in its private namespace,
-C cap-list = limit Linux capabilities for jailed processes,
-L = list all Linux capabilities,
-S = list all SCD targets,
-v = verbose,
-i = allow access to IPC outside this jail,
-P = allow access to IPC in the parent jail,
-y = allow access to IPC in the syslog jail,
-Y = this is the syslog jail,
-n = allow all network families, not only UNIX and INET (IPv4),
-r = allow INET (IPv4) raw sockets (e.g. for ping),
-a = auto-adjust INET any address 0.0.0.0 to jail address, if set,
-o = additionally allow to/from remote INET (IPv4) address 127.0.0.1,
-d = allow read access on devices, -D allow write access
-e = allow GET_STATUS_DATA on devices, -E allow MODIFY_SYSTEM_DATA
-t = allow *_OPEN on tty devices
-s = allow to create with / set mode to suid
-u = allow to mount/umount
-G scd ... = allow GET_STATUS_DATA on these scd targets
-M scd ... = allow MODIFY_SYSTEM_DATA on these scd targets
Deprecated old options, please use -G and -M:
-l = allow to modify rlimits (-M rlimit),
-c = allow to modify system clock (-M clock time_strucs),
-m = allow to lock memory (-M mlock),
-p = allow to modify priority (-M priority),
-k = allow to get kernel symbols (-G ksyms)
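
Added example (not part of rsbac_jail or its documentation): a shell function that audits the flags of a proposed rsbac_jail command line against the usage text above, reporting deprecated flags with their -G/-M replacement and flags that relax the jail. It assumes every flag is passed as a separate word and that -I, -R, -V and -C take exactly one argument; the function name, address and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: review rsbac_jail flags before a jail definition is deployed.
# Assumptions: one flag per word; -I, -R, -V and -C take exactly one argument.
# Scanning stops at the first non-flag word (prog) or at -G/-M, because the
# usage text does not say how an "scd ..." target list is terminated.
audit_jail_flags() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -I|-R|-V|-C)                      # restricting flag, skip its argument
                if [ $# -gt 1 ]; then shift; fi ;;
            -N|-v|-L|-S|-Y|-a) ;;             # not flagged by this audit
            -l) echo "deprecated $1: use -M rlimit" ;;
            -c) echo "deprecated $1: use -M clock time_strucs" ;;
            -m) echo "deprecated $1: use -M mlock" ;;
            -p) echo "deprecated $1: use -M priority" ;;
            -k) echo "deprecated $1: use -G ksyms" ;;
            -i|-P|-y) echo "relaxes $1: IPC reachable beyond this jail" ;;
            -n|-r|-o) echo "relaxes $1: wider network access" ;;
            -d|-D|-e|-E|-t) echo "relaxes $1: device or tty access" ;;
            -s|-u) echo "relaxes $1: suid or mount/umount allowed" ;;
            -G|-M) echo "relaxes $1: SCD access, review the targets that follow"
                   return 0 ;;
            -*) echo "unknown $1: not in the usage text" ;;
            *) return 0 ;;                    # prog reached, its args are not flags
        esac
        shift
    done
}

# Constructed sample: flags of a hypothetical web server jail.
audit_jail_flags -v -I 192.0.2.10 -R /jail/web -l -i -k /usr/sbin/httpd -u
```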