Service Jails — automatic jailing of rc.d services
Links:
  D40369: Extend /usr/bin/service with the possibility to set ENV vars
    URL: https://reviews.freebsd.org/D40369
  D40370: Infrastructure for automatic jailing of rc.d services
    URL: https://reviews.freebsd.org/D40370
  D40371: automatic service jails: some setup for full functionality of the services in automatic service jails
    URL: https://reviews.freebsd.org/D40371
Contact: Alexander Leidinger <netchild@FreeBSD.org>
Service jails extend the rc(8) system to allow automatic jailing of rc.d services. A service jail inherits the filesystem of the parent host or jail, but uses all other limits of the jail (process visibility, restricted network access, filesystem mounting permissions, sysvipc, …) by default. Additional configuration allows inheritance of the IPs of the parent, sysvipc, memory page locking, and use of the bhyve virtual machine monitor (vmm(4)).
If you want to put e.g. local_unbound into a service jail and allow IPv4 and IPv6 access, simply change rc.conf(5) to have:
  local_unbound_svcj=YES
  local_unbound_svcj_options=net_basic
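As an added example (not code from this page or from the service-jails reviews), the following script applies the rc.conf(5) change above with replace-or-append semantics similar to sysrc(8), and checks the result. On a FreeBSD host the equivalent one-liner is `sysrc local_unbound_svcj=YES local_unbound_svcj_options=net_basic`; the plain-sh version here runs anywhere against a constructed rc.conf file so the behaviour can be exercised without a FreeBSD host. The variable names `<service>_svcj` and `<service>_svcj_options` and the value `net_basic` are the ones the page uses; the function names and the sample file are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the page or from the service-jails patches.
# Enables a service jail for an rc.d service by editing an rc.conf-style
# file. Function names and the sample rc.conf below are assumptions made
# for illustration; the rc.conf variable names follow the page.

# rc_set FILE NAME VALUE: set NAME="VALUE" in FILE, replacing any existing
# assignment of NAME. rc.conf is sourced as sh, so the last assignment
# wins: a stale duplicate such as local_unbound_svcj="NO" further down the
# file would silently override a line that was merely appended, which is
# why existing assignments are removed first.
rc_set() {
    file=$1 name=$2 value=$3
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no lines remain (e.g. empty file); that is fine.
    grep -v "^${name}=" "$file" > "$tmp" || true
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# rc_get FILE NAME: print the effective (last) value of NAME, quotes stripped.
rc_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# svcj_enable FILE SERVICE OPTIONS: run SERVICE in a service jail with the
# given <service>_svcj_options (net_basic gives it IPv4/IPv6 access).
svcj_enable() {
    rc_set "$1" "${2}_svcj" YES
    rc_set "$1" "${2}_svcj_options" "$3"
}

# svcj_disable FILE SERVICE: run SERVICE unjailed again.
svcj_disable() {
    rc_set "$1" "${2}_svcj" NO
}

# svcj_enabled FILE SERVICE: exit 0 iff SERVICE is configured for a service jail.
svcj_enabled() {
    [ "$(rc_get "$1" "${2}_svcj")" = "YES" ]
}

# Demo against a constructed rc.conf (sample content, not from a real host).
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
hostname="example.test"
local_unbound_enable="YES"
local_unbound_svcj="NO"
EOF
svcj_enable "$demo_rc" local_unbound net_basic
cat "$demo_rc"
rm -f "$demo_rc"
```

On a FreeBSD host, after the change run `service local_unbound restart` and confirm the daemon really is jailed: the service jail should show up in `jls`, and `ps -axo jid,user,command | grep unbound` should report a non-zero JID for the unbound process. Since the service jail shares the parent's filesystem, file permissions on the host remain the only barrier between the jailed service and the host's files.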
While this does not provide the same security benefits as a manual jail setup with a separate filesystem and IP/VNET, it is much easier to set up, while still providing some of the benefits of a jail, such as hiding the other processes of the same user.
The patches in the links are a rewrite of what I presented in 2019. The main difference is that an ENV variable is used for more rational tracking, which requires a change to service(8).
Last modified on: July 24, 2023 by Graham Perrin