authorPoul-Henning Kamp <phk@FreeBSD.org>1999-04-28 11:38:52 +0000
committerPoul-Henning Kamp <phk@FreeBSD.org>1999-04-28 11:38:52 +0000
commit75c13541908625d7ee0894cc03f96ab773f7dae2 (patch)
tree3973fb29b005a590ff106ee83445664b44d7b8b6 /lib/libc
parent02daf150a4434305b9181b0ac9150762afb4c8ce (diff)
Notes
Diffstat (limited to 'lib/libc')
-rw-r--r--lib/libc/sys/Makefile.inc4
-rw-r--r--lib/libc/sys/jail.287
2 files changed, 89 insertions, 2 deletions
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index dd065f196f84..292860dccc93 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,5 +1,5 @@
# @(#)Makefile.inc 8.3 (Berkeley) 10/24/94
-# $Id: Makefile.inc,v 1.60 1999/04/05 07:38:07 bde Exp $
+# $Id: Makefile.inc,v 1.61 1999/04/11 21:14:40 dt Exp $
# sys sources
.PATH: ${.CURDIR}/../libc/${MACHINE_ARCH}/sys ${.CURDIR}/../libc/sys
@@ -82,7 +82,7 @@ MAN2+= _exit.2 accept.2 access.2 acct.2 adjtime.2 aio_read.2 \
getpeername.2 getpgrp.2 getpid.2 getpriority.2 getrlimit.2 \
getrusage.2 getsid.2 getsockname.2 \
getsockopt.2 gettimeofday.2 getuid.2 \
- intro.2 ioctl.2 issetugid.2 kill.2 \
+ intro.2 ioctl.2 issetugid.2 jail.2 kill.2 \
kldfind.2 kldfirstmod.2 kldload.2 kldnext.2 kldstat.2 kldunload.2 \
ktrace.2 link.2 listen.2 lseek.2 \
madvise.2 mincore.2 minherit.2 mkdir.2 mkfifo.2 mknod.2 mlock.2 mmap.2 \
diff --git a/lib/libc/sys/jail.2 b/lib/libc/sys/jail.2
new file mode 100644
index 000000000000..0fe73989c163
--- /dev/null
+++ b/lib/libc/sys/jail.2
@@ -0,0 +1,87 @@
+.\"
+.\"----------------------------------------------------------------------------
+.\""THE BEER-WARE LICENSE" (Revision 42):
+.\"<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
+.\"can do whatever you want with this stuff. If we meet some day, and you think
+.\"this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
+.\"----------------------------------------------------------------------------
+.\"
+.\"$Id: malloc.c,v 1.44 1999/03/28 14:16:05 phk Exp $
+.\"
+.\"
+.Dd April 28, 1999
+.Dt JAIL 2
+.Os FreeBSD 4.0
+.Sh NAME
+.Nm jail
+.Nd Imprison current process and future decendants.
+.Sh SYNOPSIS
+.Fd #include <sys/types.h>
+.Fd #include <sys/jail.h>
+.Ft int
+.Fn jail "struct *jail"
+.Sh DESCRIPTION
+The
+.Nm
+system call sets up a jail and locks the current process in it.
+.Pp
+The argument is a pointer to a structure describing the prison:
+.Bd -literal -offset indent
+struct jail {
+ char *path;
+ char *hostname;
+ u_int32_t ip_number;
+};
+.Ed
+.Pp
+The
+.Dq Li path
+pointer should be set to the directory which is to be the root of the
+prison.
+.Pp
+The
+.Dq Li hostname
+pointer can be set the hostname of the prison. This can be changed
+from the inside of the prison.
+.Pp
+The
+.Dq Li ip_number
+can be set to the IP number assigned to the prison.
+.Sh PRISON ?
+Once a process has been put in a prison, it and its decendants cannot escape
+the prison. It is not possible to add a process to a preexisting prison.
+.Pp
+Inside the prison, the concept of "superuser" is very diluted, in general
+it can be assumed that nothing can be mangled from inside a prison, that
+doesn't exist inside that prison (ie: the directory tree below
+.Dq Li path .
+.Pp
+All IP activity will be forced to happen to/from the IP number specified,
+which should be an alias on one of the systems interfaces.
+.Pp
+It is possible to identify a process as jailed by examining
+.Dq Li /proc/<pid>/status :
+it will show a field near the end of the line, either as
+a single hyphen for a process at large, or the hostname currently
+set for the prison for jailed processes.
+.Sh ERRORS
+.Fn Jail
+calls
+.Xr chroot 2
+internally, so the it can fail for all the same reasons.
+Please consult the
+.Xr chroot 2
+manual page for details.
+.Sh SEE ALSO
+.Xr chroot 2
+.Xr chdir 2
+.Sh HISTORY
+The
+.Fn jail
+function call appeared in
+.Fx 4.0 .
+.Pp
+The jail feature was written by Poul-Henning Kamp for
+R&D Associates
+.Dq Li http://www.rndassociates.com/
+who contributed it to FreeBSD.