Index: sys/kern/capabilities.conf =================================================================== --- sys/kern/capabilities.conf +++ sys/kern/capabilities.conf @@ -336,6 +336,11 @@ ## issetugid +## +## Allow jail_get(2) +## +jail_get + ## ## Allow kevent(2), as we will authorize based on capability rights on the ## target descriptor. Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c +++ sys/kern/kern_jail.c 
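Review bot: The new `## Allow jail_get(2)` entry should record why the syscall is acceptable in capability mode, the way the neighbouring kevent(2) entry explains its authorization basis: jail_get(2) does not modify jail state, but it resolves jails by jid or name, which is a global-namespace lookup of the kind Capsicum normally excludes, so admitting it is a policy decision worth writing down. I would expand the comment to `## Allow jail_get(2): read-only, but note it resolves jails by jid/name (a global namespace); admitted so sandboxed tools such as jls(8) can enumerate jails.` It is also worth saying that the entry is only useful together with the companion kern_jail.c change that marks the jail parameters CTLFLAG_CAPRD, since the two presumably need to land together for a sandboxed jls to work.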
@@ -3719,101 +3719,145 @@ * CTLFLAG_RDTUN in the following indicates jail parameters that can be set at * jail creation time but cannot be changed in an existing jail. */ -SYSCTL_JAIL_PARAM(, jid, CTLTYPE_INT | CTLFLAG_RDTUN, "I", "Jail ID"); -SYSCTL_JAIL_PARAM(, parent, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail parent ID"); -SYSCTL_JAIL_PARAM_STRING(, name, CTLFLAG_RW, MAXHOSTNAMELEN, "Jail name"); -SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path"); -SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(, jid, + CTLTYPE_INT | CTLFLAG_RDTUN | CTLFLAG_CAPRD, + "I", "Jail ID"); +SYSCTL_JAIL_PARAM(, parent, + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_CAPRD, + "I", "Jail parent ID"); +SYSCTL_JAIL_PARAM_STRING(, name, + CTLFLAG_RW | CTLFLAG_CAPRD, MAXHOSTNAMELEN, + "Jail name"); +SYSCTL_JAIL_PARAM_STRING(, path, + CTLFLAG_RDTUN | CTLFLAG_CAPRD, MAXPATHLEN, + "Jail root path"); +SYSCTL_JAIL_PARAM(, securelevel, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "I", "Jail secure level"); -SYSCTL_JAIL_PARAM(, osreldate, CTLTYPE_INT | CTLFLAG_RDTUN, "I", - "Jail value for kern.osreldate and uname -K"); -SYSCTL_JAIL_PARAM_STRING(, osrelease, CTLFLAG_RDTUN, OSRELEASELEN, +SYSCTL_JAIL_PARAM(, osreldate, + CTLTYPE_INT | CTLFLAG_RDTUN | CTLFLAG_CAPRD, + "I", "Jail value for kern.osreldate and uname -K"); +SYSCTL_JAIL_PARAM_STRING(, osrelease, + CTLFLAG_RDTUN | CTLFLAG_CAPRD, OSRELEASELEN, "Jail value for kern.osrelease and uname -r"); -SYSCTL_JAIL_PARAM(, enforce_statfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(, enforce_statfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "I", "Jail cannot see all mounted file systems"); -SYSCTL_JAIL_PARAM(, devfs_ruleset, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(, devfs_ruleset, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "I", "Ruleset for in-jail devfs mounts"); -SYSCTL_JAIL_PARAM(, persist, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(, persist, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail 
persistence"); #ifdef VIMAGE -SYSCTL_JAIL_PARAM(, vnet, CTLTYPE_INT | CTLFLAG_RDTUN, +SYSCTL_JAIL_PARAM(, vnet, + CTLTYPE_INT | CTLFLAG_RDTUN | CTLFLAG_CAPRD, "E,jailsys", "Virtual network stack"); #endif -SYSCTL_JAIL_PARAM(, dying, CTLTYPE_INT | CTLFLAG_RD, +SYSCTL_JAIL_PARAM(, dying, + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_CAPRD, "B", "Jail is in the process of shutting down"); SYSCTL_JAIL_PARAM_NODE(children, "Number of child jails"); -SYSCTL_JAIL_PARAM(_children, cur, CTLTYPE_INT | CTLFLAG_RD, +SYSCTL_JAIL_PARAM(_children, cur, + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_CAPRD, "I", "Current number of child jails"); -SYSCTL_JAIL_PARAM(_children, max, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_children, max, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "I", "Maximum number of child jails"); SYSCTL_JAIL_PARAM_SYS_NODE(host, CTLFLAG_RW, "Jail host info"); -SYSCTL_JAIL_PARAM_STRING(_host, hostname, CTLFLAG_RW, MAXHOSTNAMELEN, - "Jail hostname"); -SYSCTL_JAIL_PARAM_STRING(_host, domainname, CTLFLAG_RW, MAXHOSTNAMELEN, - "Jail NIS domainname"); -SYSCTL_JAIL_PARAM_STRING(_host, hostuuid, CTLFLAG_RW, HOSTUUIDLEN, - "Jail host UUID"); -SYSCTL_JAIL_PARAM(_host, hostid, CTLTYPE_ULONG | CTLFLAG_RW, +SYSCTL_JAIL_PARAM_STRING(_host, hostname, + CTLFLAG_RW |CTLFLAG_CAPRD, + MAXHOSTNAMELEN, "Jail hostname"); +SYSCTL_JAIL_PARAM_STRING(_host, domainname, + CTLFLAG_RW | CTLFLAG_CAPRD, + MAXHOSTNAMELEN, "Jail NIS domainname"); +SYSCTL_JAIL_PARAM_STRING(_host, hostuuid, + CTLFLAG_RW | CTLFLAG_CAPRD, + HOSTUUIDLEN, "Jail host UUID"); +SYSCTL_JAIL_PARAM(_host, hostid, + CTLTYPE_ULONG | CTLFLAG_RW | CTLFLAG_CAPRD, "LU", "Jail host ID"); SYSCTL_JAIL_PARAM_NODE(cpuset, "Jail cpuset"); -SYSCTL_JAIL_PARAM(_cpuset, id, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail cpuset ID"); +SYSCTL_JAIL_PARAM(_cpuset, id, + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_CAPRD, + "I", "Jail cpuset ID"); #ifdef INET SYSCTL_JAIL_PARAM_SYS_NODE(ip4, CTLFLAG_RDTUN, "Jail IPv4 address virtualization"); -SYSCTL_JAIL_PARAM_STRUCT(_ip4, 
addr, CTLFLAG_RW, sizeof(struct in_addr), - "S,in_addr,a", "Jail IPv4 addresses"); -SYSCTL_JAIL_PARAM(_ip4, saddrsel, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM_STRUCT(_ip4, addr, + CTLFLAG_RW | CTLFLAG_CAPRD, + sizeof(struct in_addr), "S,in_addr,a", "Jail IPv4 addresses"); +SYSCTL_JAIL_PARAM(_ip4, saddrsel, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Do (not) use IPv4 source address selection rather than the " "primary jail IPv4 address."); #endif #ifdef INET6 SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RDTUN, "Jail IPv6 address virtualization"); -SYSCTL_JAIL_PARAM_STRUCT(_ip6, addr, CTLFLAG_RW, sizeof(struct in6_addr), - "S,in6_addr,a", "Jail IPv6 addresses"); -SYSCTL_JAIL_PARAM(_ip6, saddrsel, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM_STRUCT(_ip6, addr, + CTLFLAG_RW | CTLFLAG_CAPRD, + sizeof(struct in6_addr), "S,in6_addr,a", "Jail IPv6 addresses"); +SYSCTL_JAIL_PARAM(_ip6, saddrsel, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Do (not) use IPv6 source address selection rather than the " "primary jail IPv6 address."); #endif SYSCTL_JAIL_PARAM_NODE(allow, "Jail permission flags"); -SYSCTL_JAIL_PARAM(_allow, set_hostname, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, set_hostname, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may set hostname"); -SYSCTL_JAIL_PARAM(_allow, sysvipc, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, sysvipc, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may use SYSV IPC"); -SYSCTL_JAIL_PARAM(_allow, raw_sockets, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, raw_sockets, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may create raw sockets"); -SYSCTL_JAIL_PARAM(_allow, chflags, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, chflags, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may alter system file flags"); -SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, quotas, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may set 
file quotas"); -SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, socket_af, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); -SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow, reserved_ports, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may bind sockets to reserved ports"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); -SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, , + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount/unmount jail-friendly file systems in general"); -SYSCTL_JAIL_PARAM(_allow_mount, devfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, devfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the devfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, fdescfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the fdescfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, nullfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, nullfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the nullfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, procfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the procfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, linprocfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the linprocfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, linsysfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the linsysfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | 
CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the tmpfs file system"); -SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, +SYSCTL_JAIL_PARAM(_allow_mount, zfs, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_CAPRD, "B", "Jail may mount the zfs file system"); #ifdef RACCT Index: usr.sbin/jls/jls.c =================================================================== --- usr.sbin/jls/jls.c +++ usr.sbin/jls/jls.c @@ -40,6 +40,7 @@ #include #include +#include #include #include #include @@ -90,6 +91,10 @@ char *dot, *ep, *jname, *pname; int c, i, jflags, jid, lastjid, pflags, spc; + caph_cache_catpages(); + if (caph_limit_stdio() < 0 || (cap_enter() < 0 && errno != ENOSYS)) + err(1, "capsicum"); + argc = xo_parse_args(argc, argv); if (argc < 0) exit(1);
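Review bot: The `SYSCTL_JAIL_PARAM_SYS_NODE(host, CTLFLAG_RW, ...)`, `(ip4, CTLFLAG_RDTUN, ...)` and `(ip6, CTLFLAG_RDTUN, ...)` lines are left untouched while every sibling leaf in the hunk gains CTLFLAG_CAPRD, including the `vnet` parameter that uses the same `"E,jailsys"` format; if that macro also registers a jailsys leaf parameter under the flags it is given (its definition is above this hunk, so I cannot confirm), the `host`, `ip4` and `ip6` parameters would remain unreadable from capability mode and a sandboxed walk of security.jail.param would presumably get EPERM on them. I would pass the flag through there too: `SYSCTL_JAIL_PARAM_SYS_NODE(host, CTLFLAG_RW | CTLFLAG_CAPRD, "Jail host info");`, `SYSCTL_JAIL_PARAM_SYS_NODE(ip4, CTLFLAG_RDTUN | CTLFLAG_CAPRD, "Jail IPv4 address virtualization");` and the matching ip6 line. Separately, the hostname line reads `CTLFLAG_RW |CTLFLAG_CAPRD` and is missing the space before the second operand that every other line has. The comment at the top of the hunk that explains CTLFLAG_RDTUN could gain one sentence noting that CTLFLAG_CAPRD marks a parameter as readable through sysctl from capability mode, so the next parameter added here gets the flag too; the RACCT parameters after `#ifdef RACCT` are outside the hunk, so I cannot tell whether they were covered.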
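Review bot: `cap_enter()` is called before `xo_parse_args` and before any libjail setup, so the new code silently assumes that everything jls does afterwards needs only jail_get(2), the security.jail.param sysctls and the already-open stdio descriptors; that assumption should be written next to the call, e.g. `/* Sandbox before option parsing: all later work is jail_get(2), sysctl(3) on security.jail.param and writes to stdout/stderr. */`, so that a future option which opens a file or resolves a name is not added below this point without noticing. The change also ties the tool to the kernel half of this diff: on a kernel that has Capsicum but lacks `jail_get` in capabilities.conf, `cap_enter()` succeeds and the later jail_get(2) presumably fails with ECAPMODE, which a user would see as an opaque libjail error rather than a message pointing at the sandbox, so a comment or a note in the commit message is worth having. The `errno != ENOSYS` fallback is the right shape for kernels without Capsicum. main() starts and ends outside the hunk.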