Hi all,

The PRISON_ROOT flag is gone now, which could be passed to priv_check_cred() to allow a privilege within a jail (this meant that the root user within a jail was allowed to perform a certain operation). As such, what is allowed within a jail was spread over all calls to priv_check_cred().

This knowledge is now defined purely within prison_priv_check(), which checks whether a given privilege is allowed within a jail or not (this function should not be called directly! It is called by priv_check_cred()).

So for example if you want to know whether raw IP sockets are allowed within a jail, simply take a look at prison_priv_check(), where you will see the following code:

    switch (priv) {
    case PRIV_NETINET_RAW:
        if (jail_allow_raw_sockets)
            return (0);
        else
            return (EPERM);
    }

Then do a search over the whole source tree for PRIV_NETINET_RAW to see where this privilege is requested.

Regards,

Michael
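The layout described in the post, as a user-space model added here for illustration; it is not DragonFly's kernel source. Only the names PRIV_NETINET_RAW, jail_allow_raw_sockets, prison_priv_check and priv_check_cred come from the post. The `model_` names, the struct, the constant values, the signatures and the default-deny branch are assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Constant values are assumptions; PRIV_MODEL_OTHER is hypothetical. */
enum { PRIV_NETINET_RAW = 1, PRIV_MODEL_OTHER = 2 };

/* Jail policy knob named in the post; modelled as a plain global. */
static int jail_allow_raw_sockets = 0;

/* Hypothetical credential: just enough state to decide a request. */
struct model_cred {
	int uid;	/* 0 means root */
	int jailed;	/* non-zero when the credential belongs to a jail */
};

/* The one place that states which privileges root keeps inside a jail. */
static int
model_prison_priv_check(const struct model_cred *cred, int priv)
{
	if (!cred->jailed)
		return (0);	/* not in a jail: no jail restriction */
	switch (priv) {
	case PRIV_NETINET_RAW:
		if (jail_allow_raw_sockets)
			return (0);
		else
			return (EPERM);
	default:
		/* Assumption of this model: unlisted privileges are denied. */
		return (EPERM);
	}
}

/* Entry point for call sites; note that they pass no jail flag. */
static int
model_priv_check_cred(const struct model_cred *cred, int priv)
{
	if (cred == NULL || cred->uid != 0)
		return (EPERM);	/* only root holds privileges here */
	return (model_prison_priv_check(cred, priv));
}
```

Because call sites name only the privilege, auditing what a jailed root may do means reading one switch, and a search for a privilege constant finds every place that requests it.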