Once a process has been put in a prison, it and its descendants cannot escape the prison.
Inside the prison, the concept of "superuser" is very diluted. In general, it can be assumed that nothing can be mangled from inside a prison which does not exist entirely inside that prison. For instance the directory tree below "path" can be manipulated all the ways a root can normally do it, including ""rm -rf /*"" but new device special nodes cannot be created because they reference shared resources (the device drivers in the kernel). The effective "securelevel" for a process is the greater of the global "securelevel" or, if present, the per-jail "securelevel".
All IP activity will be forced to happen to/from the IP number specified, which should be an alias on one of the network interfaces.
It is possible to identify a process as jailed by examining "/proc/<pid>/status": it will show a field near the end of the line, either as a single hyphen for a process at large, or the hostname currently set for the prison for jailed processes.
The jail system call will fail if: