All Linux kernels provide the chroot system call to confine a process in a subdirectory. However, it still has all usual privileges, specially when run as root. Also, there are several ways to break out if the chroot environment.
The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir("/")) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter.
Processes in a jail may not:
Add or remove kernel modules.
Shutdown or reboot the system.
Mount or umount filesystems.
Create sockets of other types than UNIX and INET (IPv4).
Use other INET (IPv4) addresses than given (optionally, the ANY address 0.0.0.0 can be silently changed to the given address).
Create INET raw sockets.
Access IPC objects outside this jail.
Create device special files (to prevent unwanted device accesses).
Signal, trace or get status from processes outside this jail.
Change Linux file modes to include suid or sgid flags.
Set rlimits.
Modify settings of any non-rlimit SCD or NETDEV target.
Access RSBAC attributes.
Access RSBAC Network Templates.
Switch off Linux DAC.
Switch RSBAC modules, softmode or log settings.
The JAIL module provides a superset of the FreeBSD jail functionality (except individual kernel level hostnames).
All processes in jails are listed in /proc/rsbac-info/jails, if RSBAC proc support has been enabled.
Use this module for simple service encapsulation, where chroot environments are applicable, but insufficient. Please do not forget that objects within the environment must be protected separately, e.g. with FF flag read_only. As usual, the JAIL module only places further restrictions, so all other modules can be used.