"Serge Hallyn posted a set of three patches to the lkml that
together implement a subset of the BSD Jail functionality into the
Linux kernel using the Linux Security Modules (LSM) framework.
Serge explains that with the patch, 'a process in a jail lives
under a chroot which is not vulnerable to the well-known
chdir(...)(etc)chroot(.) attack against normal chroots, and may be
locked to one ip address.'
"The third patch in the set contains documentation for the
module, which notes that in addition to the features listed above,
if a process is in a jail it cannot mount or unmount, it cannot
send signals outside of the jail, it cannot ptrace processes
outside of the jail, it cannot create devices, it cannot renice
processes, it cannot load or unload kernel modules, it cannot
change network settings, and it cannot see the contents of /proc/
entries of processes not within the same jail..."