sysjail – a userland virtualisation system


IMPORTANT: Because of the way user/kernel memory is handled in concurrent environments, the sysjail tools, which inherit this behaviour from systrace(4), are vulnerable to exploitation. Details available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)) for security purposes.

sysjail is a userland virtualisation system for OpenBSD and derivatives. It provides functionality similar to FreeBSD's jail(8) utility while being significantly more flexible. The package provides jail(1), a drop-in replacement for FreeBSD's jail(8); sysjail(1), a more featureful version of jail(1); jls(1), a drop-in replacement for FreeBSD's jls(8); sjls(1), a more featureful version of jls(1); and sysjail(3), the function library backing these tools, designed to be droppable into any source tree. There is also a testing mechanism, sjtest(1).

sysjail fully supports Linux and FreeBSD emulation: Linux and FreeBSD binaries (with some exceptions) that run in sysjail(1) or jail(1) receive the same protection as native binaries. Emulated binaries may either be started as shown below or executed from an existing jailed binary.

The sysjail suite is a Project member.


Sources have been tested variously on i386, AMD64, alpha, and others. sysjail works only with OpenBSD 3.9, 4.0, 4.1, 4.2, and 4.3. The most current version is 1.2.35, dated 29 May 2010.


OpenBSD port /dist/sysjail-obsd.tar.gz (md5)
Source archive /dist/sysjail.tar.gz (md5)
Online source cvsweb


Source archive /dist/


These manuals are generated automatically and refer to the current snapshot.

jail(1) imprison a process and its descendents
jls(1) list active jails
mkjail(1) create a full-system prison environment
sjls(1) list active jails
sjtest(1) test sysjail for correctness
sysjail(1) imprison a process and its descendents
sysjail(3) systrace process jailing library


For all issues related to sysjail, contact Kristaps Dzonsons,

You may also subscribe to several mailing lists (these require subscription, which is moderated). An archive is not yet available on-line, although you may request one once subscribed.

high-level discussions and version announcements
source commit messages


# echo $$ ; jail / ahost /bin/sh
# echo $$
# kill 1975
/bin/sh: kill: 1975: No such process
# exit

Figure: native mode (OpenBSD 4.0): interception of kill(2)

# echo $$ ; jail /emul/linux/ ahost /bin/sh
lappy:/# echo $$
lappy:/# kill 1975
sh: kill: (1975) - No such process
lappy:/# exit

Figure: Linux emulation mode (RedHat) (OpenBSD 4.0): interception of kill(2)


29-05-2010: version 1.2.35

Re-opening the sysjail infrastructure for maintenance. Updated www files and cleaned up manuals to run with mandoc.

Copyright © 2007–2010 Kristaps Dzonsons, $Date: 2010/05/29 11:57:31 $