Kernel: Allow configuring a Jail to not impose PID isolation restriction

This is quite useful for userspace applications that can't cope with the restriction, but it's still useful to impose other non-configurable restrictions by using jails.
2025-07-27 07:57:46 +00:00 · 2023-01-12 22:47:09 +02:00 · 2023-01-12 22:47:09 +02:00 · 8289759f1d
commit 8289759f1d
parent cf8875426d
11 changed files with 62 additions and 23 deletions
--- a/Base/usr/share/man/man1/jail-create.md
+++ b/Base/usr/share/man/man1/jail-create.md
@ -12,9 +12,16 @@ $ jail-create <name>

 `jail-create` creates a new jail, with a specified name

+## Options
+
+* `-p`, `--pid-isolation`: Use PID-isolation (as a custom isolation option)
+
 ## Examples

 ```sh
-# Create jail with the name "test-jail"
+# Create jail with the name "test-jail", with no PID isolation
 $ jail-create test-jail
+
+# Create jail with the name "test-jail", with PID isolation
+$ jail-create -p test-jail
 ```
--- a/Base/usr/share/man/man7/Mitigations.md
+++ b/Base/usr/share/man/man7/Mitigations.md
@ -95,7 +95,7 @@ Kernel: Add a basic implementation of unveil()
 `jails` are mitigation originating from FreeBSD.
 It allows a program to be placed inside a lightweight OS-level virtualization environment.

-Current restrictions on jailed processes:
+Current restrictions on jailed processes (configurable when creating a Jail):
 - Process ID view isolation, being limited (both in `/proc` and `/sys/kernel/processes`) to only processes that share the same jail.

 Special restrictions on filesystem also apply: