From owner-freebsd-doc@FreeBSD.ORG Tue Jun 25 23:30:00 2013 Return-Path: Delivered-To: freebsd-doc@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id C16A87D for ; Tue, 25 Jun 2013 23:30:00 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id A45641C3E for ; Tue, 25 Jun 2013 23:30:00 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r5PNU0l6046412 for ; Tue, 25 Jun 2013 23:30:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r5PNU0rM046402; Tue, 25 Jun 2013 23:30:00 GMT (envelope-from gnats) Resent-Date: Tue, 25 Jun 2013 23:30:00 GMT Resent-Message-Id: <201306252330.r5PNU0rM046402@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-doc@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Alex Weber Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 00A60DA4 for ; Tue, 25 Jun 2013 23:26:36 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121]) by mx1.freebsd.org (Postfix) with ESMTP id E6F241C1B for ; Tue, 25 Jun 2013 23:26:36 +0000 (UTC) Received: from oldred.freebsd.org ([127.0.1.6]) by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r5PNQa0t090918 for ; Tue, 25 Jun 2013 23:26:36 GMT (envelope-from nobody@oldred.freebsd.org) Received: (from nobody@localhost) by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r5PNQadA090907; Tue, 25 Jun 2013 23:26:36 GMT (envelope-from nobody) Message-Id: <201306252326.r5PNQadA090907@oldred.freebsd.org> Date: Tue, 25 Jun 2013 23:26:36 GMT From: Alex Weber To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: docs/179988: ThwackAFAQ - sandbox X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Jun 2013 23:30:00 -0000 >Number: 179988 >Category: docs >Synopsis: ThwackAFAQ - sandbox >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Tue Jun 25 23:30:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Alex Weber >Release: >Organization: >Environment: >Description: This is a (potential) fix for part of the ThwackAFAQ 'red' section on sandboxes. It adds a description of the jail feature in FreeBSD, but does not address the other issues. >How-To-Repeat: >Fix: Patch included with this PR. Patch attached with submission follows: Index: en_US.ISO8859-1/books/faq/book.xml =================================================================== --- en_US.ISO8859-1/books/faq/book.xml (revision 42051) +++ en_US.ISO8859-1/books/faq/book.xml (working copy) @@ -5889,6 +5889,21 @@ it serves to firewall the process off from processes owned by other users. The user ID is also used to firewall off on-disk data. + + In addition to process and userid sandboxes offered by + the &unix; operating system, &os; provides the &man.jail.8; + feature, a secure, fast implementation of + operating system-level virtualization. This + allows a single &os; computer to run one or more guest &os; + system images with their own users, IP addresses, and + processes. Unlike &man.chroot.8;-based sandboxing, + processes are permanently confined to the jail they were + started in (including those owned by the jail's root user), + and cannot affect processes in other jails or the host + system. While the &man.jail.8; feature is unique to &os;, it + is similar to Solaris Zones, AIX Workload Partitions, and + Linux Containers. >Release-Note: >Audit-Trail: >Unformatted: