To make a filesystem work in a jail, you currently have to touch a number of kernel code places: you need to add the allow.jail.foofs jail parameter which is in jail.h and two places in kern_jail.c, and then you need to add the VFCF_JAIL flag to your filesystem, and elsewhere test the prison's PR_ALLOW_MOUNT_FOOFS flag.
This patch puts all the work in the jail and vfs framework, leaving the only per-filesystem work adding the single VFCF_JAIL flag to mark the filesystem as wanting to be mountable with a dynamically added jail parameter.
Of course it's still the programmer's responsibility to know that the filesystem in question is actually a good one to use with jails.
I've given this a run-through, but it touches some parts of the codebase I'm not as familiar with, and I'd like to be sure I'm doing it right. In particular, it has security implications since I'm replacing some permissions tests with others, often in different places.