Jail (computer security)
In computer security, a jail is the generic name for a sandbox mechanism which works by imposing additional resource limits on programs.
Jails are more resource-efficient than emulation-based sandboxes, because jailed programs still run natively and share the same kernel and system call interface with the rest of the system. However, they are potentially less secure because it is much more difficult to virtualize resources in such an arrangement.
Most jail implementations have a concept of a partition, in which a group of programs is isolated within a different file system root and given a common pool of capped resources like CPU time and disk space. The partition may also impose restrictions on I/O bandwidth and network access.
On Unix systems, jails can be thought of as an extension of the standard chroot mechanism: a parent process typically makes the jail system call, descends into a specially prepared directory and then spawns network services within the jail to kickstart a self-contained system.
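The sequence described above can be sketched with the plain chroot(2) and setrlimit(2) calls that jails extend. This is an added example, not code from any jail implementation, and it does not use an operating system's dedicated jail call. The names `jail_cfg`, `cap_limit`, `enter_jail`, `run_jailed` and the exit code 125 are illustrative assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define JAIL_SETUP_FAILED 125   /* child exit code when the jail could not be built */

struct jail_cfg {               /* all values are chosen by the caller (illustrative) */
    const char *root;           /* specially prepared directory tree */
    uid_t uid; gid_t gid;       /* unprivileged identity used inside the jail */
    rlim_t cpu_secs, file_bytes;/* resource caps for the partition */
};

/* Lower a limit to `want`, never raising an existing hard limit. */
static int cap_limit(int res, rlim_t want) {
    struct rlimit rl;
    if (getrlimit(res, &rl) != 0) return -1;
    if (want > rl.rlim_max) want = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = want;
    return setrlimit(res, &rl);
}

/* Order matters: chroot needs privilege, so uid/gid are dropped only afterwards. */
static int enter_jail(const struct jail_cfg *c) {
    if (cap_limit(RLIMIT_CPU, c->cpu_secs) || cap_limit(RLIMIT_FSIZE, c->file_bytes)) return -1;
    if (chroot(c->root) != 0) return -1;
    if (chdir("/") != 0) return -1;           /* no working directory outside the new root */
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(c->gid) != 0 || setuid(c->uid) != 0) return -1;
    return 0;
}

/* Fork, jail the child, exec argv[0] inside it; returns the child's exit code or -1. */
int run_jailed(const struct jail_cfg *c, char *const argv[]) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (enter_jail(c) != 0) _exit(JAIL_SETUP_FAILED);  /* fail closed: never run unjailed */
        execv(argv[0], argv);                              /* path is resolved inside the jail */
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
```

The parent must hold the privilege to call chroot, and the child gives up that privilege before exec because a process that stays root inside a chroot is not confined by it.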
Jails are popularly used for virtual private servers in web hosting, in which customers rent root or administrator access to a jail preinstalled with web server software.